Fireball is a malware suite encompassing Xadupi, Sasquor, SubTab, Gokswa, Suweezy and Chuckenit trojans. Fireball infections occur when malicious programs are downloaded through their browsers, often via pirated apps, videos, and music. The suite typically comes with legitimate programs, used as host processes to load malicious code, evading behavior-based detection. The trojan suite is used to persist on infected machines, monetize via advertising, or hijack browser search and home page settings. The most prevalent trojans in the suite are SubTap and Sasquor. Fireball's main payload hijacks the victim's browser home page and default search settings, either by modifying the browser's settings or circumventing the settings,  the malware's search page can then load without the victim's consent and the threat actors earn revenue from searches conducted on the site. Fireball can also be used to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines.

According to a report by Check Point in June 2017, this is a Chinese threat operation run by Rafotech, a digital marketing agency based in Beijing. Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines which simply redirect the queries to either or


  • June 2017: The #1 most prevalent malware in May 2017, infecting one in five organizations. (CheckPoint)
  • June 2017: Understanding the true size of "Fireball." (Microsoft TechNet)
  • July 2017: Chinese police arrest 14 individuals who allegedly developed of the Fireball trojan. (BleepingComputer)

Technical Analysis

  • Check Point researchers provide a technical analysis of the Fireball Trojan here.