Browser hijacking malware has been hiding in plain sight on the Microsoft Store since mid-2024. A newly uncovered campaign abuses the Trillion (formerly Trellian) AdTech network, mimicking the flow of a Traffic Direction System (TDS) to trick visitors of typo-squatted domains into downloading Microsoft Store apps that contain browser hijacking malware. While the abuse of AdTech networks to deliver malware isn’t new, this campaign highlights incredibly similar tactics to VexTrio and previous TDS networks; further blurring the line between AdTech and malicious TDS systems. Trinity Cyber threat researchers have dubbed the redirection part of this attack “PseudoTDS” and the browser hijacking application, a previously undiscovered threat which we named “PhantomJack.”
The infection chain begins with something as simple as a typing mistake. Specifically, when users mistype the names of popular websites, they land on attacker-controlled domains instead of reaching the intended pages. From there, the attackers move victims through a series of redirects. Eventually, users land on malicious apps that attackers placed openly on the Microsoft Store, a platform that more than 250 million people trust every month.
Here's some typo-squatted domains from this campaign:
At the end of this chain is PhantomJack, a browser hijacker and previously undiscovered threat, that quietly takes control of victims' web browsing. Once installed, it replaces default search engines, installs unauthorized extensions, and gives attackers visibility into user activity. A simple mistyped website, filtering victims through PseudoTDS can quickly escalate into full browser compromise.
Here’s a brief overview of the full campaign:
Once installed, the hidden payload PhantomJack silently changes browser settings, replaces default search engines, and installs unauthorized extensions. This allows attackers to control what people see when they search online, expose them to unwanted content, and potentially harvest sensitive data.
To understand how PseudoTDS really works, we need to look under the hood. Each stage of the attack is intentional, designed to appear harmless while quietly pushing the victim one step closer to PhantomJack. The process is layered with misdirection, making it difficult to recognize the threat until it’s too late. Here’s how the chain of events unfolds:
The attack begins when users land on domains that closely resemble legitimate websites but contain small spelling variations. Attackers set up these typo-squatted domains to look convincing enough to capture mistyped traffic and act as the entry point into the PseudoTDS operation.
Attackers redirect users who visit typo-squatted domains into the PseudoTDS traffic distribution system by using the Trillion AdTech network for the first few stages. Both PseudoTDS and Trillion act like multiple sorting gates. Scripts collect details from each visitor’s browser and device, including display size, window dimensions, and graphics card information, then send the data back to attacker-controlled servers. The attackers use this information to decide if the visitor is a real person or an automated bot/sandbox, which is a common tactic to evade detection and analysis. Only genuine-looking traffic is allowed to move deeper into the chain.
After some basic browser filtering occurs, actors abuse Trillion AdTech network capabilities to redirect victims several times, as described below:
Analysis of several PhantomJack landing pages reveals that they have the same HTML title as the original application (ie. SafeDrop, StealthBrowse or others noted below).
The attackers prompt users who pass the filtering system to complete a fake “security check.” Once validated, victims download a .NET executable. This file does not carry the payload itself but simply opens a link to an app hosted on the Microsoft Store.
In this campaign, attackers deliver Microsoft Store apps that pose as privacy-focused tools, including browsers and file-sharing utilities. Microsoft Store apps are typically developed as Progressive Web Apps (PWAs) and PhantomJack is specifically developed using the “NW.js” framework, which runs the browser hijacker on top of existing open browsers. Applications hosted within the Microsoft Store are MSIX files, which are a common Windows Application packaging format. Two common PDB strings link various PhantomJack samples together:
When launched, the app silently loads PhantomJack in the background. Through reverse engineering both the MSIX and NW.js compiled EXEs, our researchers found that PhantomJack can:
These functions do more than just interfere with the user’s browsing experience. They create direct opportunities for profit. By forcing search engine changes and injecting unauthorized extensions, attackers can redirect traffic to ad networks or malicious sites that generate revenue per click. Because the extensions are interchangeable, an app can be quickly changed to steal information, track activity, or hijack searches. At the same time, stolen browsing history and bookmarks provide sensitive information that attackers can resell or leverage in follow-on attacks.
With these combined abilities, PhantomJack turns everyday browsing into a steady stream of exploitable data and income for threat actors.
During our research, we discovered around 45 domains that had or are currently hosting PhantomJack landing pages. These pages have a very similar structure, look, and feel and simply swap out icons and names of applications. Every one of them also contains a link to the corresponding PhantomJack application in the Microsoft Store. To uncover these domains and websites, we used the Google Tracking IDs (known as GTAGS) which are embedded on all PhantomJack landing pages, presumably to track visitors from the campaign:
OSINT tools were used to track and report which domains had these GTAGs embedded, filter the list of these domains, and then crawl them to see which PhantomJack applications were still being hosted in the Microsoft Store (noted in the IOCs section).
As an example, we’ll pick two PhantomJack landing pages and show how similar they are:
Analysis of PhantomJack landing pages reveals that they similarly constructed, with boilerplate terms of service and fake contact information. Clicking “Download Now” simply redirects the user to the Microsoft Store with a “ms-windows-store” formatted URL. This streamlines the process for Windows users installing PhantomJack.
The PseudoTDS campaign shows how attackers can turn something as harmless as a typing mistake into full browser compromise, stealing sensitive information and sending it to attackers. By abusing trusted platforms like the Microsoft Store, the operation hides malicious apps in plain sight and delivers PhantomJack, a hijacker that lets attackers monitor, manipulate, and profit from user activity.
The PseudoTDS campaign shows attackers can exploit even trusted platforms like the Microsoft Store to deliver malware. To counter this, Trinity Cyber prevents threats like this from ever reaching a user’s machine. What sets Trinity Cyber apart is its Full Content Inspection (FCI) technology — a preemptive approach to cybersecurity that inspects and edits live traffic in real time, resulting in removing malicious redirects, deceptive downloads, and hidden payloads such as PhantomJack before they happen. The FCI platform leverages the work of Trinity Cyber’s elite team of analysts, providing customers with the most accurate, effective threat prevention available.
As part of this effort, all PhantomJack applications found on the Microsoft Store were reported to Microsoft Security Intelligence for removal.
At the time of this writing, 16 PhantomJack applications were still active in the Microsoft Store. Trinity Cyber has reported them for takedown to Microsoft and has also reported the malicious use of the Trillion AdTech network through formal channels.