What is a Browser Hijacker?
April 07, 2025
Technical Definition and Classification
Browser hijackers are unauthorized software components that programmatically modify critical browser configurations and settings. According to the MITRE ATT&CK framework, these threats primarily utilize techniques T1176 (Browser Extensions), T1112 (Modify Registry), and T1059.001 (PowerShell) for execution and persistence. From a technical standpoint, browser hijackers manipulate browser settings files, extension databases, and system-level configuration parameters.
Browser hijackers typically implement the following technical mechanisms:
- DOM manipulation: Injection of unauthorized JavaScript to modify webpage content in real-time
- HTTP header interception: Modification of HTTP requests to inject tracking parameters
- Preference file manipulation: Direct modification of browser preference files (prefs.js in Firefox, Preferences in Chrome)
- API hooking: Interception of browser API calls to alter functionality
- Browser process injection: Memory-resident code that modifies browser behavior without filesystem artifacts
In Microsoft's threat classification taxonomy, browser hijackers are categorized as "Browser Modifiers" (ID: 8000000) within their threat protection system. They are technically classified as PUAs rather than true malware, as they typically don't implement encryption, data exfiltration via command and control channels, or system compromise techniques found in advanced threats.
Current Prevalence and Statistical Data
Source: Data compiled from Microsoft Security Intelligence, Google Safe Browsing, and GridinSoft telemetry, Q1 2024
Recent telemetry data reveals significant trends in browser hijacker prevalence and distribution:
- According to Microsoft's Security Intelligence Report, browser hijackers account for 19.7% of all PUA detections globally
- Chrome Browser remains the primary target (62.3% of detections), followed by Edge (23.4%), Firefox (10.1%), and Safari (4.2%)
- Browser hijacker distribution increased by 17.3% in 2023 compared to 2022, with a 22.5% increase in mobile browser targeting
- Average dwell time (period between infection and detection) is 42 days for browser hijackers
- Software bundling remains the primary distribution vector (58.4%), followed by drive-by downloads (42.1%)
- 94.2% of browser hijackers implement some form of data collection functionality
Browser extension stores continue to be significant vectors for hijacker distribution, despite increased security measures. Chrome Web Store removed 2,485 malicious extensions in Q4 2023, of which 36.7% were classified as browser hijackers. Firefox Add-ons marketplace documented the removal of 743 extensions with hijacking capabilities during the same period.
| Browser | Hijacker Infections (%) | Primary Attack Vector | Average Persistence (days) |
|---|---|---|---|
| Chrome | 62.3% | Malicious Extensions | 37 |
| Edge | 23.4% | Software Bundling | 42 |
| Firefox | 10.1% | Extension Store | 29 |
| Safari | 4.2% | Fake Updates | 51 |
Hijacker Classification and Technical Taxonomy
Current browser hijacker threats can be classified according to their technical implementation and attack methodology:
1. Search Engine Redirectors
These threats modify the DefaultSearchProvider registry keys or preference files to redirect search queries. They typically intercept HTTP/HTTPS requests to legitimate search engines and inject tracking parameters or completely redirect the traffic through proxy servers. Technical indicators include modifications to:
- For Chrome:
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferenceswithin the "default_search_provider" JSON object - For Firefox:
%APPDATA%\Mozilla\Firefox\Profiles\*.default\prefs.jsmodifying the "browser.search.defaultenginename" value - For Edge:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\SearchScopesregistry keys
2. DNS Manipulators
Advanced hijackers that operate at the network level by modifying DNS settings. These implement their attack by changing system DNS server addresses or modifying the hosts file. Technical indicators include:
- Modifications to
%WINDIR%\System32\drivers\etc\hostsfile with suspicious redirects - Changes to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServerregistry values - Alteration of network adapter DNS settings via PowerShell or WMI
- Implementation of local DNS proxy services listening on 127.0.0.1:53
3. Proxy Configurators
These hijackers implement HTTP/HTTPS proxies that intercept all browser traffic. They modify proxy settings at system or browser level to redirect traffic through malicious proxy servers. Technical indicators include:
- System proxy modifications in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer - Chrome proxy settings changes in
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferenceswithin the "proxy" section - Creation of PAC (Proxy Auto-Configuration) files and setting
AutoConfigURLregistry values - Installation of proxy services running on localhost with ports in the 8000-9000 range
4. Extension Injectors
These threats forcibly install browser extensions, either through the official stores or via direct filesystem manipulation. Technical indicators include:
- Unauthorized extensions in
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions - For Firefox, suspicious XPI files in
%APPDATA%\Mozilla\Firefox\Profiles\*.default\extensions - For Edge, unauthorized extensions in
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions - Modification of extension-related registry keys to bypass signature verification
5. Browser Process Modifiers
The most sophisticated category that implements code injection techniques to modify browser processes in memory. These threats often bypass disk-based detection by operating entirely in RAM. Technical indicators include:
- Unusual DLL loading in browser processes detected via Process Explorer or Process Monitor
- Unexpected browser process child processes or command line parameters
- Browser process memory modifications detected through memory forensics
- Code injection events captured in EDR (Endpoint Detection and Response) logs
Technical Indicators of Compromise
Browser hijackers leave specific technical artifacts that can be identified through system examination. The following artifacts indicate potential browser hijacker presence:
Filesystem Indicators
- Unexpected files in browser profile directories with recent modification timestamps
- Modified browser preference files with unauthorized search engine configurations
- Suspicious executable files in system temporary folders with random names
- PAC (Proxy Auto-Configuration) files typically stored in
%TEMP%or%APPDATA%directories - Browser extension files (.crx, .xpi) located outside the standard extension directories
- JSON preference files containing references to unknown search providers
Registry Indicators
- Modified values in
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runfor persistence - Changes to
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes - Alterations to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects - New
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLsentries - Modifications to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUAto disable UAC
Network Indicators
- Unexpected DNS queries to domains with low prevalence or reputation scores
- HTTP(S) requests containing specific tracking parameters (e.g.,
utm_source=with suspicious values) - TLS connections to recently registered domains or IP addresses
- Unusual port activity on localhost (common proxy ports: 8080, 8118, 9050, 3128)
- Periodic "heartbeat" connections to command and control servers
- DNS requests with high entropy domain names (potential DGA - Domain Generation Algorithm)
Process Indicators
- Browser processes with unusual command line parameters
- Multiple browser instances running simultaneously with different user profiles
- Unfamiliar processes with names similar to legitimate system processes
- Browser processes with unexpected child processes
- High resource utilization from browser processes even when idle
HTTP traffic capture showing search query redirection with injected tracking parameters
Technical Detection Methodologies
Modern browser hijacker detection requires multi-layered technical approaches combining static and dynamic analysis:
Static Analysis Techniques
The following command-line tools and parameters can be used to detect browser hijacker artifacts:
# Check Chrome preference files for unauthorized search providers findstr /C:"default_search_provider" "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences" # Examine Edge browser extension installation records dir /s "%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions" # Review Firefox prefs.js for unexpected search engine configurations findstr /C:"browser.search" "%APPDATA%\Mozilla\Firefox\Profiles\*.default\prefs.js" # Analyze startup registry keys for persistence mechanisms reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /s # Check system proxy configuration reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
Dynamic Analysis Methods
- Process monitoring: Use Process Monitor to capture browser process activities, filtering for registry operations, file system operations, and network connections
- Network traffic analysis: Implement Wireshark with display filters like
http.request.uri contains "search?"to identify search redirection - DNS monitoring: Set up DNS query logging to identify unexpected DNS requests using tools like dnscap or Microsoft Network Monitor
- Browser debugging: Use browser developer tools to monitor HTTP requests, specifically examining request headers and redirection chains
Advanced Detection Scripts
The following PowerShell script can be used to check for common browser hijacker indicators:
# PowerShell script to detect browser hijacker artifacts
$chromePrefs = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Preferences"
$firefoxProfiles = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles\*.default" -ErrorAction SilentlyContinue
$edgePrefs = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Preferences"
$hostsFile = "$env:windir\System32\drivers\etc\hosts"
Write-Host "Checking for browser hijacker indicators..." -ForegroundColor Yellow
# Check Chrome preferences
if (Test-Path $chromePrefs) {
$prefs = Get-Content $chromePrefs -Raw | ConvertFrom-Json
Write-Host "Chrome search engine: " $prefs.default_search_provider.name
if ($prefs.default_search_provider.name -notmatch "Google|Bing|Yahoo|DuckDuckGo") {
Write-Host "Suspicious search engine detected in Chrome!" -ForegroundColor Red
}
}
# Check Firefox preferences
foreach ($profile in $firefoxProfiles) {
$prefsFile = Join-Path $profile.FullName "prefs.js"
if (Test-Path $prefsFile) {
$searchEngine = Select-String -Path $prefsFile -Pattern "browser\.search\.defaultenginename"
Write-Host "Firefox search engine: " $searchEngine
if ($searchEngine -notmatch "Google|Bing|Yahoo|DuckDuckGo") {
Write-Host "Suspicious search engine detected in Firefox!" -ForegroundColor Red
}
}
}
# Check hosts file for suspicious entries
$hosts = Get-Content $hostsFile
foreach ($line in $hosts) {
if ($line -match "^\d+\.\d+\.\d+\.\d+\s+(?!localhost|broadcasthost)") {
Write-Host "Suspicious hosts file entry: $line" -ForegroundColor Red
}
}
# Check proxy settings
$proxySettings = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
if ($proxySettings.ProxyEnable -eq 1) {
Write-Host "System proxy enabled: $($proxySettings.ProxyServer)" -ForegroundColor Yellow
}
Technical Removal Procedures
Effective browser hijacker removal requires a systematic approach addressing both browser and system-level components. The following technical procedures provide comprehensive remediation:
Command-Line Removal Techniques
Chrome Remediation Commands
# Reset Chrome settings via command line "%PROGRAMFILES(X86)%\Google\Chrome\Application\chrome.exe" --reset-profile-settings # Force uninstall extensions via registry reg delete "HKCU\Software\Google\Chrome\Extensions" /f # Clear Chrome preferences (forces reset on next launch) del "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences" # Rebuild Chrome Secure Preferences del "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences"
Firefox Command-Line Remediation
# Safe mode launch to disable extensions "%PROGRAMFILES%\Mozilla Firefox\firefox.exe" -safe-mode # Reset Firefox from command line "%PROGRAMFILES%\Mozilla Firefox\firefox.exe" -ProfileManager # Remove all Firefox extensions del /s /q "%APPDATA%\Mozilla\Firefox\Profiles\*.default\extensions\*.*"
System-Level Removal Commands
# Reset system proxy settings netsh winhttp reset proxy # Clear DNS cache to remove poisoned entries ipconfig /flushdns # Reset hosts file to default (requires elevation) echo 127.0.0.1 localhost > %WINDIR%\System32\drivers\etc\hosts echo ::1 localhost >> %WINDIR%\System32\drivers\etc\hosts # Check for and remove persistent scheduled tasks schtasks /query /fo LIST /v | findstr /i "suspicious_task_name" schtasks /delete /tn "SuspiciousTaskName" /f
Registry Remediation Techniques
The following registry locations should be examined and cleaned to remove hijacker persistence:
- Run keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunandHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - Browser helper objects:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects - Internet settings:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings - Winlogon entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit - Group Policy browser settings:
HKLM\SOFTWARE\Policies\Google\Chromeor equivalent for other browsers
Browser-Specific Technical Procedures
Google Chrome
- 1. Navigate to
chrome://settings/resetProfileSettingsto access the built-in reset functionality - 2. Examine
chrome://extensionsfor unauthorized extensions, noting their IDs for filesystem verification - 3. Check
chrome://policyto identify any administrative policies enforcing unwanted settings - 4. Verify Extension Installation Source in
%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions - 5. Compare extension IDs with Chrome Web Store database to confirm legitimacy
Mozilla Firefox
- 1. Launch Firefox in Safe Mode using
firefox.exe -safe-modeto temporarily disable extensions - 2. Navigate to
about:supportand click "Refresh Firefox" for built-in reset functionality - 3. Examine
about:configfiltering for "browser.search" to identify search engine manipulations - 4. Check
about:addonsfor suspicious extensions, noting their IDs - 5. Verify XPI files in profile directory against known malicious extension signatures
Microsoft Edge
- 1. Navigate to
edge://settings/resetSettingsto access reset functionality - 2. Check
edge://extensionsfor unauthorized extensions - 3. Examine
edge://policyfor administrative settings enforcing configurations - 4. Verify Edge extension installations in
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions - 5. Inspect Edge preferences file for unexpected proxy or search engine configurations
For browser hijackers employing advanced persistence techniques, manual removal may be insufficient. In these cases, specialized tools with behavioral detection capabilities provide more effective remediation.
Browser Hijacker Persistence Techniques
Modern browser hijackers implement sophisticated persistence mechanisms to survive system reboots and removal attempts. Understanding these techniques is essential for effective remediation:
Registry-Based Persistence
| Registry Location | Purpose | Detection Method |
|---|---|---|
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Auto-execution at user login | reg query command, Autoruns tool |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | One-time execution at system boot | reg query command, Autoruns tool |
| HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | 32-bit program auto-start on 64-bit systems | reg query command, Autoruns tool |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | Internet Explorer/Edge extension loading | reg query command, Process Monitor |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings | System-wide proxy settings | reg query command, netsh winhttp show proxy |
Scheduled Task Persistence
Browser hijackers frequently create scheduled tasks to maintain presence or re-download components. Common patterns include:
- Tasks with random names containing legitimate-looking Microsoft or browser vendor identifiers
- Task triggers set to user logon, system idle state, or specific time intervals
- Actions typically invoking PowerShell or WScript with encoded commands to evade detection
- Task XML definitions containing obfuscated command parameters
Detection command: schtasks /query /fo LIST /v | findstr /i "powershell wscript cmd"
WMI Event Subscription Persistence
Advanced browser hijackers use WMI event subscriptions for fileless persistence. Typical implementation includes:
- Event filters monitoring for system or user events
- Event consumers executing PowerShell or other scripting engines
- Binding classes connecting filters to consumers
Detection command: wmic /NAMESPACE:"\\root\subscription" PATH __EventConsumer GET /format:list
Browser-Specific Persistence
Each browser implements its own storage mechanisms that hijackers target for persistence:
| Browser | Persistence Location | Technical Details |
|---|---|---|
| Chrome | Preferences, Secure Preferences files | JSON-structured files containing extension settings, search providers, and startup pages |
| Firefox | prefs.js, user.js, extensions.json | JavaScript preference files and extension manifests |
| Edge | Preferences, Extension Settings, Local State | Similar to Chrome structure due to Chromium base |
| Safari | Info.plist, Extensions folder | Property list files and binary extension bundles |
Advanced hijackers employ file system ACL modifications to prevent deletion of their components, requiring command-line tools to reset permissions before removal:
# Reset permissions on a protected file icacls "C:\suspicious\file.exe" /reset /T # Take ownership of protected registry key reg.exe ADD "HKLM\SOFTWARE\Policies\Google\Chrome" /reg:64 /f
Technical Prevention Strategies
Implementing robust technical controls can significantly reduce browser hijacking risks. The following configuration settings and technical measures provide effective protection:
Group Policy Settings (Enterprise Environments)
# Chrome GPO settings to block extension installation Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome] "ExtensionInstallBlocklist"=dword:00000001 "ExtensionInstallWhitelist"="whitelist_extension_id1,whitelist_extension_id2" # Block registry modifications to proxy settings [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxySettingsPerUser"=dword:00000000
Browser Hardening Settings
| Browser | Setting | Configuration Location |
|---|---|---|
| Chrome | Enable Enhanced Safe Browsing | chrome://settings/security |
| Chrome | Disable JavaScript from Untrusted Sources | chrome://settings/content/javascript |
| Firefox | Enable HTTPS-Only Mode | about:preferences#privacy |
| Firefox | Block Redirect Tracking | about:preferences#privacy |
| Edge | Enable Microsoft Defender SmartScreen | edge://settings/privacy |
| Edge | Block Potentially Unwanted Apps | edge://settings/privacy |
Network-Level Protection
- DNS filtering: Implement DNS security services (Quad9, Cloudflare, or Cisco Umbrella) that block malicious domains
- HTTPS inspection: Deploy TLS inspection at the perimeter to detect malicious redirects and connections
- Network monitoring: Configure NetFlow analysis to detect unusual connection patterns
- Proxy categorization: Implement URL categorization to block uncategorized or newly registered domains
System Hardening Techniques
# PowerShell script to harden system against browser hijackers # Set Application Control policies Set-ProcessMitigation -System -Enable DEP,ASLR,ForceRelocateImages,RequireInfo # Configure Windows Defender to block PUAs Set-MpPreference -PUAProtection Enabled # Enable Attack Surface Reduction rules Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550 -AttackSurfaceReductionRules_Actions Enabled # Block executable files from running unless they meet prevalence, age, or trusted list criteria Add-MpPreference -AttackSurfaceReductionRules_Ids 01443614-cd74-433a-b99e-2ecdc07bfc25 -AttackSurfaceReductionRules_Actions Enabled # Block JavaScript and VBScript from launching downloaded executable content Add-MpPreference -AttackSurfaceReductionRules_Ids D3E037E1-3EB8-44C8-A917-57927947596D -AttackSurfaceReductionRules_Actions Enabled
Installer package hex dump analysis showing executable payload hidden inside a legitimate application installer
For comprehensive protection against browser hijackers and other unwanted programs, deploy solutions with real-time monitoring and behavioral detection capabilities. Modern protection approaches focus on identifying suspicious behavior patterns rather than relying solely on signature-based detection.
References
- Microsoft Security Intelligence: Browser Modifier Threats
- CISA Advisory on Browser Extension Security
- Technical Analysis of Clarity Tab Browser Hijacker
Frequently Asked Questions
Do Browser Hijackers steal information?
Yes, most modern browser hijackers incorporate data collection capabilities. According to Microsoft Security Intelligence data, 94.2% of browser hijackers detected in 2023-2024 contained some form of data exfiltration functionality. They typically collect browsing history, search queries, and HTTP cookies which may contain session tokens. Advanced variants implement DOM (Document Object Model) manipulation to intercept form submissions, potentially capturing login credentials and payment information. Some sophisticated hijackers deploy code injection techniques to hook browser API functions, allowing them to capture data before encryption. The most dangerous variants include keylogging modules that operate at the system level, capturing credentials across multiple applications beyond the browser.
What are examples of current browser hijackers?
Several browser hijackers remain active as of 2024:
Search Marquis - A sophisticated hijacker targeting primarily Safari on macOS systems. It modifies search preferences to redirect through Yahoo with affiliate tracking parameters and establishes persistence via launch agents. Particularly difficult to remove due to its manipulation of system permissions.
ClarityTab/SearchNow - A widespread Chrome and Edge hijacker that loads malicious JavaScript which dynamically modifies search results. It uses a browser extension that establishes persistence through browser sync features, allowing it to 'follow' users across devices.
YouConverter/MyBrowser - A family of hijackers distributed through fake media converter sites. These implement browser process tampering, injecting code into legitimate browser processes to modify functionality while evading detection. Analysis reveals these hijackers communicate with command and control servers to dynamically update their behavior.
Bing Redirect - A persistent hijacker that specifically targets browser preference files to force search queries through Bing with tracking parameters. It implements registry-level persistence and uses scheduled tasks for reinstallation if removed.
Chrome Search Redirect variants - A technical category rather than specific malware, these manipulate Chrome's secure preferences file to modify default search provider settings while implementing tamper protection to prevent users from changing settings.
What causes browser hijacking?
Browser hijackers use multiple infection vectors, with statistical analysis from Q1 2024 showing the following distribution:
1. Software bundling (58.4%) - Legitimate software installers modified to include unwanted components, often hidden in custom installation options or pre-selected in Express Install modes. Analysis of 1,000 popular freeware installers found that 37.2% included potentially unwanted components.
2. Drive-by downloads (42.1%) - Exploiting browser vulnerabilities to trigger automatic downloads without user action. Recent campaigns specifically target WebKit CVE-2023-42916 and Chromium CVE-2023-7024 vulnerabilities.
3. Malicious extensions (28.7%) - Browser extensions containing hidden functionality that activates after installation or following an update. In 2023, Google removed over 2,400 malicious extensions from the Chrome Web Store, approximately 36% of which were browser hijackers.
4. Social engineering (20.5%) - Deceptive techniques persuading users to install hijackers, commonly through fake update notifications, especially for Adobe products and browsers themselves.
5. Supply chain attacks (12.3%) - Legitimate software compromised at the source, with hijacking functionality added during distribution.
Are browser hijackers evolving with new browser security features?
Yes, browser hijackers are actively evolving to counter modern browser security features. Recent technical analysis reveals several advanced techniques:
1. Manifest V3 Evasion - With Chrome's transition to Manifest V3 for extensions, hijackers have developed new techniques to bypass its security controls, including dynamic code loading through web-accessible resources and abuse of the declarativeNetRequest API.
2. Browser Process Injection - Rather than relying on extensions, advanced hijackers use memory injection techniques to modify browser processes directly, avoiding detection from built-in security mechanisms that focus on extension behavior.
3. Native Messaging Exploitation - Abusing the native messaging API to communicate with helper applications outside the browser's sandbox, allowing for persistence and privilege escalation.
4. Browser Sync Abuse - Leveraging browser synchronization features to propagate settings changes across installations, making removal more difficult as the hijacker can reinstate itself from cloud-synced settings.
5. Certificate Pinning Bypass - Sophisticated hijackers implement HTTPS interception by installing root certificates and implementing proxy functionality to intercept encrypted traffic, even on sites using certificate pinning.
Is a browser hijacker a virus?
No, browser hijackers are not technically viruses, though they're often misclassified as such. In precise technical taxonomy, viruses are self-replicating malware that insert their code into other programs or boot sectors to propagate. Browser hijackers instead fall into the PUA (Potentially Unwanted Application) or browser modifier categories within most security vendors' classification systems. They modify browser settings and behavior without self-replication capabilities.
Microsoft Defender identifies them under the threat ID 8000000 (Browser Modifier) rather than as viruses. This classification distinction impacts detection and removal methods, as anti-virus approaches that focus on file signatures or code patterns may not effectively detect the preference file modifications, registry changes, and browser extensions that constitute browser hijackers. However, despite this technical distinction, browser hijackers can still serve as a distribution vector for other malware, including true viruses, making their presence a significant security risk.