A new malware campaign uses an unusual technique to trap users in their browser’s kiosk mode, coercing them into entering their Google credentials. Once the victim saves those credentials in the browser, an information stealer harvests them from the browser’s saved-password store and sends them to the attacker.
The attack works by locking the victim’s browser, full-screen and without window controls, on a Google sign-in page (specifically the password-change page) and preventing them from closing the window. The malware blocks the keyboard shortcuts that would normally get the user out, such as “ESC” and “F11,” so it appears that the only way to regain control is to enter Google credentials.
Frustrated users may type in and save their Google login in the hope of unlocking the screen, which is exactly what the attackers want: once the password sits in the browser’s saved-password store, the StealC malware extracts it and transmits it to the attacker.
Researchers recently documented this tactic, which has been in use since at least August 2024. The campaign is delivered by Amadey, a malware loader that has been active since 2018.
When Amadey runs on a compromised system, it drops an AutoIt script that launches the victim’s browser in kiosk mode, pointed at Google’s password-change page.
Kiosk mode runs the browser full-screen with no toolbars, address bar or window controls; it is typically used on public terminals to restrict what a user can do. In this attack it is misused to confine the victim to the Google login page. Victims believe they must enter their credentials to escape, and in doing so hand their Google password to the attacker.
StealC, a lightweight information stealer active since 2023, then retrieves the newly saved password from the browser’s credential store, as it does with any other stored browser credentials, and sends it to the attackers.
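The technique described above leaves a distinctive process-creation trail: a browser started with a kiosk switch, pointed at a Google page, with the AutoIt interpreter as its parent. The following detection logic is an added example written for this page, not code from the researchers or from the malware, and it runs over constructed sample events in an assumed, simplified Sysmon-style format (one record per line, `timestamp|PID=..|PPID=..|Image=..|ParentImage=..|CommandLine=..`). The browser and AutoIt process names are assumptions; a compiled or renamed AutoIt script will not match the parent check, so that signal only raises severity and never gates the alert.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Browsers that accept a kiosk switch ("--kiosk" on Chromium-based browsers, "-kiosk" on Firefox).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe"}
# Default AutoIt interpreter names (assumption: a compiled/renamed script will not match these).
AUTOIT_PARENTS = {"autoit3.exe", "autoit3_x64.exe"}
# A standalone kiosk switch, but not look-alikes such as --kiosk-printing.
KIOSK_FLAG = re.compile(r"(?<![\w-])--?kiosk(?![\w-])", re.IGNORECASE)
# A google.com URL on any subdomain; rejects notgoogle.com and google.com.evil.net.
GOOGLE_URL = re.compile(r'https?://(?:[\w-]+\.)*google\.com(?=[/\s"]|$)', re.IGNORECASE)

# Constructed sample telemetry (not real logs); CommandLine is always the last field.
SAMPLE_EVENTS = r"""2024-09-10T10:12:01Z|PID=4412|PPID=3980|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Users\alice\AppData\Local\Temp\AutoIt3.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/
2024-09-10T10:13:44Z|PID=2208|PPID=1180|Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --kiosk https://signage.example.local/board
2024-09-10T10:15:09Z|PID=3310|PPID=1180|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default https://accounts.google.com/
2024-09-10T10:16:30Z|PID=3344|PPID=2700|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk-printing https://accounts.google.com/
2024-09-10T10:18:02Z|PID=6001|PPID=1180|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe" --kiosk https://accounts.google.com/
2024-09-10T10:20:57Z|PID=5120|PPID=3980|Image=C:\Program Files\Mozilla Firefox\firefox.exe|ParentImage=C:\Users\alice\AppData\Local\Temp\AutoIt3.exe|CommandLine="C:\Program Files\Mozilla Firefox\firefox.exe" -kiosk https://accounts.google.com/
"""


@dataclass
class Finding:
    pid: str
    timestamp: str
    image: str
    parent: str
    severity: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Parse one record into a dict; CommandLine is last and may itself contain '|' or '='."""
    ts, *fields = line.split("|", 5)
    event = {"Timestamp": ts}
    for field_text in fields:
        key, _, value = field_text.partition("=")
        event[key] = value
    return event


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating quotes and forward slashes."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when a browser starts in kiosk mode; severity grows with corroborating signals."""
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    if image not in BROWSERS or not KIOSK_FLAG.search(cmd):
        return None
    parent = basename(event.get("ParentImage", ""))
    reasons = [f"{image} started with a kiosk switch"]
    if GOOGLE_URL.search(cmd):
        reasons.append("kiosk target is a google.com page")
    if parent in AUTOIT_PARENTS:
        reasons.append(f"parent is the AutoIt interpreter ({parent})")
        severity = "high"
    elif len(reasons) == 2:
        severity = "medium"
    else:
        severity = "low"  # kiosk browsers exist legitimately (signage, public terminals)
    return Finding(event["PID"], event["Timestamp"], image, parent, severity, reasons)


def scan(events_text: str) -> List[Finding]:
    """Run assess() over every non-empty record and collect the findings in log order."""
    findings = []
    for line in events_text.splitlines():
        if line.strip():
            finding = assess(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity.upper():6}] {f.timestamp} pid={f.pid} {f.image} <- {f.parent}: " + "; ".join(f.reasons))
```

On the constructed events the scan yields four findings: the two AutoIt-parented launches score high, the explorer-launched kiosk on a Google page scores medium, and the Edge signage kiosk scores low; the plain Chrome launch and the `--kiosk-printing` launch are ignored. In a real deployment the parent check should also consider the parent’s path (a binary running from a Temp or AppData directory) and signature, since the AutoIt script Amadey drops will typically not announce itself by name.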
Anyone who finds themselves stuck in this browser kiosk mode should avoid entering any credentials. Instead, try hotkey combinations the script may not have blocked: ‘Alt + F4’ closes the active window, ‘Ctrl + Shift + Esc’ opens Task Manager, and ‘Ctrl + Alt + Delete’ brings up the Windows security screen, from which Task Manager can also be reached.
If Task Manager opens, end the browser process from there; alternatively, open a command prompt and kill it with ‘taskkill /IM chrome.exe /F’ (substitute the image name of the browser in use, such as msedge.exe or firefox.exe). If none of these options succeed, a hard reset by holding the power button is a last resort. In every case, killing the browser only closes the lure: Amadey and StealC remain on the system, so follow up by rebooting into Safe Mode to scan for and remove the malware, and if credentials were already entered, change the Google password from a clean device.
To avoid falling victim to this kind of malware, users should keep antivirus protection up to date and scan regularly for malicious software. It is also important to recognize the warning signs of unusual browser behavior, such as a browser that suddenly switches to full-screen kiosk mode on a login page the user did not open, and never to enter credentials into a prompt that cannot be dismissed.