Fake Chrome Update Virus: Terminal Opened

Brendan Smith
Brendan Smith - Cybersecurity Analyst
5 Min Read
Fake Chrome update pop-up connected to an opened terminal warning
Fake Chrome update pop-up connected to an opened terminal warning

A fake Chrome update virus is a scam page that pretends Chrome needs an urgent update, then pushes you toward running a command, downloading a file, or allowing a fake fix. If a browser page opened Terminal, Command Prompt, PowerShell, or typed something by itself, treat it as a malware incident, not as a normal Chrome update.

Fake update lures can also deliver files that are not what they appear to be; the sysupdate.jpeg malware guide explains one fake-image chain that installs remote access through ScreenConnect. sysupdate.jpeg malware cleanup guide.

First checks after a fake Chrome update opened Terminal

  • Disconnect from the internet if a command is still running or new windows keep appearing.
  • Do not copy, paste, or rerun the command. Do not close the evidence before noting what happened.
  • Scan the PC fully and check startup entries, scheduled tasks, browser extensions, and recent downloads.
  • Change passwords from a clean device if any script, installer, or command executed.
Threat type Fake update / ClickFix-style social engineering / script malware
Common signs Fake Chrome relaunch/update message, loud alert, terminal opened, command typed, PowerShell or CMD activity
Main risk Infostealer, remote script, browser hijacker, token theft, account compromise
Safe action Stop the command, scan the device, secure accounts from a clean device, and remove persistence.

What probably happened?

Chrome updates do not require a random website to open Windows Terminal, PowerShell, Command Prompt, or Run. Real Chrome updates happen through Chrome’s own updater or through your managed company software. A recipe site, download page, streaming page, or pop-up cannot legitimately update Chrome by typing commands into your system.

Microsoft has documented ClickFix-style attacks where a page convinces users to paste or run commands in Windows tools [1]. Some fake-fix pages also try to place a command on the clipboard or guide the user through a keyboard sequence. The visible story may be “Chrome update”, “browser crash”, “verification”, or “fix this error”; the real goal is to run attacker-controlled code.

First steps if the command ran

  1. Disconnect from Wi-Fi or unplug Ethernet if the script is still active.
  2. Take a photo of any visible command, file path, domain, or error message.
  3. Close the browser and Terminal/PowerShell windows.
  4. Do not restore the same browser session.
  5. Run a full scan with GridinSoft Anti-Malware, then reboot and scan again if the terminal, browser pop-up, or alert returns.
  6. Check Task Scheduler, Startup Apps, Services, browser extensions, and recently downloaded files. If a same-name Windows process appears from a user folder, compare it with the dllhost.exe COM Surrogate safety guide.
  7. Change email, Microsoft/Google, banking, crypto, Discord, and work passwords from a clean device if the command executed.

Fake update and ClickFix chains may call mshta.exe as the next-stage host. If blank mshta.exe windows keep appearing after the browser is closed, follow the mshta.exe blank-window cleanup steps as well.

If the command ran, the browser page may be only the visible launcher. A loader can leave a scheduled task, service, startup entry, browser policy, extension, or downloaded script that reopens PowerShell or Command Prompt after reboot. After the manual checks above, use a Gridinsoft Anti-Malware scan to look for hidden files, persistence entries, browser changes, and bundled payloads instead of assuming the closed tab was the whole incident.

Check suspicious process lookalikes and startup sources.

If the process path is wrong, the name imitates a Windows component, or high CPU started after an unknown installer, scan for hidden miners, services, startup entries, and bundled components.

Scan for fake update leftovers

Some fake update pages do not start with a command at all; they push a ZIP first. If the page automatically saved an archive such as Updater_v3.3.zip, use the Itchupd.pages.dev fake updater ZIP cleanup guide before opening or extracting the file.

If the page looked more like a fake verification or CAPTCHA than a Chrome updater, use the fake CAPTCHA ClickFix cleanup guide for that exact “I ran the command” path. If PowerShell opens again on startup or your firewall reports outbound PowerShell traffic later, compare the persistence checks with the PowerShell startup and outbound-connection guide.

What to check after a fake update command

PowerShell history Recent commands that downloaded or executed remote content.
Downloads and Temp Unknown EXE, MSI, JS, VBS, BAT, CMD, PS1, ZIP, or random-name files.
Task Scheduler New tasks that launch PowerShell, CMD, mshta, wscript, browser, or unknown files.
Browser New extensions, notification permissions, changed search/homepage, managed policies.
Accounts New sign-ins, recovery changes, Discord spam, email forwarding rules, OAuth apps.

If this happened on a company laptop

Stop using the device for work accounts and tell your IT/security team as soon as possible. Do not try to hide the event by deleting logs. The useful details are the website, time, command window, files created, and any alerts. If the company uses endpoint protection, they may need to isolate the device and collect logs.

How real Chrome updates work

Real Chrome updates do not ask you to install a random file from an unrelated website. Google documents Chrome updates through Chrome settings and normal update prompts [2]. If a page outside Chrome settings says “Chrome update required” and then asks you to run a command, close it.

FAQ

Can a website really open PowerShell by itself?

A normal website should not silently control PowerShell, but social-engineering pages can trick users into running commands or abuse browser/system prompts. Treat unexpected terminal activity as suspicious.

Is turning off the laptop enough?

No. It may stop the current command, but dropped files, scheduled tasks, or stolen sessions may remain. Scan and secure accounts.

Should I change passwords immediately?

Use a clean device first. Changing passwords on a still-infected PC can expose the new credentials.

Was Chrome itself infected?

Usually the page is fake, not Chrome. Still check extensions, notification permissions, and managed policies after cleanup.

References

  1. Microsoft Security. “Think before you Click(Fix): analyzing the ClickFix social engineering technique.” Microsoft Security Blog, August 21, 2025. https://www.microsoft.com/en-us/security/blog/2025/08/21/think-before-you-clickfix-analyzing-the-clickfix-social-engineering-technique/
  2. Google Chrome Help. “Update Google Chrome.” Google, accessed July 7, 2026. https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?