This report discusses a widespread polymorphic malware campaign that forcefully installs malicious browser extensions on endpoints. The malware, originating from imitations of download websites, delivers various malicious payloads, including adware extensions, data stealing scripts, and commands to execute. It hijacks searches, redirects traffic, and has affected over 300,000 users across Google Chrome and Microsoft Edge. The malicious actors employ obfuscation techniques, leverage PowerShell scripts, and communicate with command-and-control servers to receive instructions and download additional malicious components.