The first widely recognized browser hijacker was CoolWebSearch, which compromised 8.2% of computers worldwide.
You open a tab and search, but someone else decides what you see. Browser hijackers can track your every move, reroute your searches, and flood your screen with unwanted content. Discover what's really controlling your search results.
Strange browser settings, slow page loads, and frequent redirects to unfamiliar sites? You may have a browser hijacker on your hands.
You've spotted the signs. Now, the fix starts with running a reputable antivirus (but doesn't end there).
LastPass complements tools like TotalAV to give you a layered defense. Uncover the tools you need to fight back against browser hijackers.
Does the name CoolWebSearch ring a bell? Back in 2003, this notorious browser hijacker (malware that controls browsers without consent) compromised 8.2% of computers worldwide.
If you were unlucky enough to have been a victim, CoolWebSearch flooded your browser with ads, redirected you to phishing sites, and changed your browser settings. And if you were extra unlucky, one of its hundreds of variants also installed porn site bookmarks in your browser. In its heyday, CoolWebSearch earned its creators $300 million a year, leading Information Week to dub it the “Ebola” of adware.
Fast forward to today, and browser hijacking hasn’t stayed that simple. In July 2025, Koi Security analyst Idan Dardikman reported that 2.3 million Chrome and Edge users had their browsers hijacked – even though most of them never clicked anything. Fortunately, the right controls can protect you from this rising threat.
Below, we explore how they work to keep your browser secure.
What can a browser hijacker do?
First, let’s define a browser hijacker: This is malware that takes control of your browser without your permission, and it does this in several ways:
- Bundled software downloads. A browser hijacker may piggyback on “free” software downloads. But during installation, it quietly changes your default home page and search engine. For example, if you’ve ever installed Babylon translation software or forgotten to uncheck the “add-on” box for a free tool like Unlocker, chances are high that you’ve experienced a browser hijacking.
Once downloaded, Babylon installed its own toolbar in browsers and rerouted every search query to search.babylon.com, where users were served with ad-infected sites. This browser hijacker also had rootkit capabilities and was a pain to remove, earning it the nickname of the “software that just won’t die” from PCMAG. Your best bet? Avoid freeware, if at all possible.
- Phishing links and ads. A browser hijacker can also hide behind innocent-looking links in ads, emails, or social media. Clicking on them can trigger automatic downloads or redirects to attacker-controlled pages that steal your login credentials. The single easiest thing you can do to protect yourself? Avoid clicking on suspicious links.
This includes shortened URLs with unfamiliar origins, URLs that mimic actual domains (but with missing or added characters, like amazzon.com), and long URLs for unfamiliar domains that read like gibberish (many random special characters and symbols).
- Drive-by downloads. Simply visiting a compromised site can sometimes initiate a silent download of malware like Sakula RAT (a remote access trojan). This RAT has been active since 2012 and exploits vulnerabilities in older browsers like Internet Explorer. It’s mainly weaponized by APT groups for remote control and data exfiltration.
- Malicious browser extensions. A browser hijacker is often disguised as a helpful extension that boosts your productivity, blocks pesky ads, and gets you better discounts.
In 2020, Nano Adblocker and its companion Nano Defender, once-trusted Chromium-based ad-blocking extensions, were found quietly siphoning browser history and sending it to remote servers. And in early 2025, extensions like Cuponomia: Coupons and Cashback (downloaded by 700,000+ users) were similarly found tracking browser activity, which led to their removal from the Chrome Store.
- Fake updates or alerts. It may even lure you with fake update alerts that promise to “protect your system” from a virus while quietly installing actual malware on your device.
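The three link patterns described above (shortened URLs, lookalike domains such as amazzon.com, and long gibberish URLs) can be checked mechanically. The sketch below is an added example, not code from the original article; the domain lists, the two-edit lookalike limit, and the length and entropy thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter
from urllib.parse import urlsplit

# Assumed lists for illustration; replace with the sites and shorteners you care about.
KNOWN_DOMAINS = ("amazon.com", "google.com", "lastpass.com", "paypal.com")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Constructed sample links, not taken from any real campaign.
SAMPLES = ["https://www.amazon.com/gp/help", "http://amazzon.com/signin", "https://bit.ly/3xYzAbc"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def entropy(text: str) -> float:
    """Shannon entropy in bits per character; random strings score high."""
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def triage_url(url: str) -> list[str]:
    """Return the reasons a URL deserves a second look (empty list: none found)."""
    parts = urlsplit(url)
    # Simplification: treat the last two labels as the registered domain.
    domain = ".".join((parts.hostname or "").lower().split(".")[-2:])
    reasons = []
    if domain in SHORTENERS:
        reasons.append("shortened URL hides the destination")
    if domain not in KNOWN_DOMAINS:
        for good in KNOWN_DOMAINS:
            if edit_distance(domain, good) <= 2:
                reasons.append(f"lookalike of {good}")
    tail = parts.path + parts.query
    if len(tail) > 60 and entropy(tail) > 4.5:  # assumed thresholds
        reasons.append("long, random-looking path or query")
    return reasons


if __name__ == "__main__":
    for link in SAMPLES:
        print(link, triage_url(link) or "no flags")
```

Taking the last two labels as the registered domain misreads suffixes such as co.uk; a production check would consult the Public Suffix List.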
So, in summary, browser hijackers can track your every move, redirect your searches to phishing sites, change your homepage & search engine, and flood your screen with ads & fake alerts.
Browser hijackers also put your online security at risk, stealing things you’d rather keep private: your passwords, bank logins, late-night search history.
And if you’re a business owner, the stakes are even higher. One compromised browser extension on a workstation or endpoint device can open the floodgates to a data breach, exposing client information, proprietary data, and access credentials.
This can put your business at risk for ransomware, identity theft, and even corporate espionage. When that happens, you’re looking at:
- expensive compliance fines
- reputational damage
- operational disruptions that could cost you clients and contracts
This brings us to an important question.
How do I know if I have a browser hijacker?
Yes, you guessed it. Browser hijackers can go unnoticed for weeks or months. And here's how they do it:
- They slip in silently through software installations or phishing links. One click, and a hidden malware loader activates. The hijacker may be tucked inside a multi-stage loader, which also delivers ransomware, spyware, crypto miners, or keyloggers/credential stealers.
- An example is SmokeLoader, which can disguise its code to make it unreadable to signature-based antivirus tools.
SmokeLoader can also leverage LOL (living off the land) techniques, like using legitimate Windows processes to execute commands. This makes its actions look like normal system behavior.
So, if browser hijackers are this stealthy, how can you know if you have a browser hijacker on your hands?
The answer is to watch for these three (3) key signs:
Unauthorized changes
- Homepage redirects to phishing sites
- Default search engine replaced with a questionable alternative
- New toolbars or extensions you didn’t install
Performance issues
- Sluggish browsing performance or slow page loads *
- Unexpected crashes or freezes
*Spyware and keyloggers consume significant CPU and memory bandwidth for keystroke monitoring and data exfiltration, which slows down page rendering.
Behavioral red flags
- Aggressive surge in unwanted content
- Extensions that promise benefits but push intrusive ads
- Frequent redirects to ad-heavy or phishing sites
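The "unauthorized changes" signs above (a changed homepage, a replaced search engine, extensions you didn't install) lend themselves to a baseline comparison, and the permissions an unexpected extension requests show how much of your browsing it can see. The following is an added example, not code from the original article: the snapshot layout and extension IDs are hypothetical, while the permission names and manifest.json keys are the ones Chrome extensions use.

```python
# Real Chrome extension permission names that expose browsing activity.
RISKY_PERMISSIONS = {"bookmarks", "cookies", "downloads", "history", "tabs", "webRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed snapshots in a hypothetical export format: settings plus each
# installed extension's manifest.json, keyed by a placeholder extension ID.
BASELINE = {
    "homepage": "https://start.example.com/",
    "search_engine": "https://search.example.com/?q=%s",
    "extensions": {"ext-pwmanager": {"manifest_version": 3, "permissions": ["storage"]}},
}
CURRENT = {
    "homepage": "https://start.example.com/",
    "search_engine": "https://find.example.net/?q=%s",
    "extensions": {
        "ext-pwmanager": {"manifest_version": 3, "permissions": ["storage"]},
        "ext-coupons": {"manifest_version": 3, "host_permissions": ["<all_urls>"],
                        "permissions": ["history", "storage", "tabs"]},
    },
}


def risky_grants(manifest: dict) -> list[str]:
    """List the broad permissions and host patterns a manifest requests."""
    requested = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if manifest.get("manifest_version") == 2:
        hosts |= requested  # MV2 lists host patterns inside "permissions"
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    return sorted(requested & RISKY_PERMISSIONS) + sorted(hosts & BROAD_HOSTS)


def audit(baseline: dict, current: dict) -> list[str]:
    """Report settings that drifted from the baseline and extensions added since."""
    findings = []
    for key in ("homepage", "search_engine"):
        if current[key] != baseline[key]:
            findings.append(f"{key} changed: {baseline[key]} -> {current[key]}")
    for ext_id in sorted(set(current["extensions"]) - set(baseline["extensions"])):
        grants = risky_grants(current["extensions"][ext_id])
        findings.append(f"new extension {ext_id}: " + (", ".join(grants) or "no broad grants"))
    return findings


if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(finding)
```

A result of "no broad grants" is not a clean bill of health: the SquareX research cited in this article found extensions misbehaving without any special permissions.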
Now that you know what to look for, let’s talk about how to remove a browser hijacker.
How do I detect a browser hijacker?
In 2025, detecting a browser hijacker is far from easy.
A Stanford University report estimated that users have downloaded at least 280 million malicious browser extensions (MBE) in recent years.
At DEFCON 32, SquareX researchers shattered the illusion that Google’s Manifest V3 framework was the ultimate safeguard against MBEs. Their research revealed jaw-dropping vulnerabilities that leave users wide open to attack:
- MBEs running under MV3 can siphon live video from your Google Meet or Zoom calls without any special permissions, silently spying on your most private conversations.
- MBEs can also impersonate you and add rogue users to corporate GitHub repositories, opening backdoors to your code and trade secrets.
- Ultimately, these MBEs can bypass Manifest V3 protections to steal your login credentials, browsing & download history, and bookmarks.
Google intended MV3 to plug security holes in previous versions. However, SquareX’s findings prove that MV3 continues to fall short. And that’s not all: Security tools like SASE (secure access service edge), EDR (endpoint detection and response), and SWG (secure web gateways) aren’t equipped to monitor extensions dynamically.
Fortunately, tools like FortiGuard Antivirus can help you detect and block multi-stage malware with browser hijacking capabilities like SmokeLoader.
In addition, LastPass, an award-winning Secure Access Provider, can complement such tools to give you a layered defense against extension-based attacks. Here’s how:
- LastPass only autofills your credentials on true, verified sites. This means you won’t fall for phishing tricks aimed at stealing your login credentials.
- Secure, military-grade AES-256 encryption (the kind used by federal agencies, the military, and the NSA) keeps your most sensitive data locked down.
- Vault URL encryption safeguards all login credentials tied to URLs, making them completely invisible and useless to attackers. This means you keep your personal & business passwords, licenses, and trade secrets safe from espionage or insider leaks.
- If the possibility of a data breach keeps you up at night, our Dark Web Monitoring service tracks your email addresses 24/7, searching nonstop for your data being sold or traded on Dark Web forums. You get instant alerts if your information is compromised, allowing you to update your credentials and protect your money, data, and sanity. Get Dark Web Monitoring free with a 30-day LastPass Premium trial (no credit card required).
- And finally, if you’re doing business today, LastPass SaaS Monitoring & SaaS Protect stand ready to serve as your frontline defense against costly breaches that can result in downtime, shattered customer trust, and lost revenues.
With security teams recognizing browsers as the primary attack surface for SaaS apps, you need an easy, no-fuss way to monitor unusual logins, rogue extensions, risky apps, and unexpected permission changes. SaaS Monitoring + Protect lets you do just that, and you can unlock this today with a free trial of Business Max (no credit card required).
Learn how Axxor is using LastPass SaaS Monitoring + Protect to build a culture of security and support a growing workforce worldwide.
Sources
https://www.2-spyware.com/coolwebsearch-the-most-infamous-browser-hijacker
https://www.mcafee.com/learn/browser-hijacking/
https://techreviewadvisor.com/what-is-a-browser-hijacker/
https://arxiv.org/html/2503.04292v2

