HomeWinBuzzer NewsMicrosoft Plays Down Severity of Fireball Malware Threat

Microsoft Plays Down Severity of Fireball Malware Threat

While Check Point says Fireball is on 20% of corporate networks, Microsoft says its observations show the attack has not changed in three years and calls reports “overblown”.


suggests that recent reports regarding the Fireball cybercriminal campaign are disproportionate. Windows Defender researcher Hamish O'Dea says the worry about the threat are “overblown”. The company has been tracking the attack for two years and while it has become more sophisticated, it has not changed much.

Fireball is used by a Chinese marketing agency called Rafotech. Check Point recently reported that the scheme poses a “great threat to the global cyber ecosystem with 250 million infected machines and a grip in one of every five corporate networks.”

The security firm says Fireball has infiltrated 20 percent of global corporate network. The regions of peak infection are the US, China, India, Indonesia, and Brazil.

Malicious content from the threat is installed through programs downloaded from an internet browser. Most commonly, it is installed through pirated media. Microsoft says it has been following the attack since 2015, but software bundling is still the main way to install the malicious.

These bundles mean the Fireball methods have not changed much since Microsoft started tracking it. It masks the malicious content within clean and functional programs. The installs carry processes that upload malware onto a machine.

Microsoft says over its tracking period, it has seen actors try to monetize through advertising, before turning to system and browser hijacking. The most frequent malware to install Fireball is BrowserModifier:Win32/SupTab and BrowserModifier:Win32/Sasquor.


While Fireball poses a threat, Microsoft says the level has been overblown. The company says Check Point did not focus on collection of endpoint data, but instead considers infection vectors and number of visitors to the malware search.

Because of this, the final results may not be complete or valid. This is due to the fact not every search comes from an infected PC.

Microsoft says its own method has included looking at 300 million Windows Defender AV clients. The company says there has been no change in the strategy of the attack or its danger:

“Fireball's infection chain includes malware and software bundlers silently installing other applications,” O'Dea says. “You need security solutions that detect and remove all components of this type of infection.”

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News