A few minutes ago I clicked a link to an article and I noticed something fishy. The new site attempted to automatically redirect my browser to this: This piece of garbage phishing page didn't even wait for me to be suckered by their super-convincing download link, and used a setTimeout() call to try to force my browser to download something called `9901224839027/1469890408944162/chrome_patch.hta`. Here is chrome_patch.hta as it is seen in the wild: And here is chrome_patch.hta after we apply deobfuscation 101: As you can see, chrome_patch.hta downloads a .dat fie `17/524.dat` and creates an executable `g2924808f66985de3a9ad1e3d743e0d.exe` before providing victims with a reassuring "Update completed" window. I've been seeing similar versions of this same method to force users to swallow the 524.dat payload, like this: I've found some complaints as ...