How the New “Nigelthorn” Facebook Malware Works and How to Avoid It

Facebook is one of the Internet’s most famous social media sites, and it carries with it a wealth of personal information. In this new era where information is worth a lot of money, harvesting it en-masse can turn a tidy profit – whether that’s via legal ways or by less honourable means! Facebook has seen a lot of attacks in the past, but the recent attack, referred to as “Nigelthorn,” is particularly nasty for Chrome users.

How Nigelthorn Works

Nigelthorn attacks begin their life as a link to a fake YouTube page. When the user clicks it, they’ll see a fake video waiting to be played. Chrome will then inform the user that they have to install an extension in order to view it. If the user accepts this invite, they’ll end up installing the malware onto their PC.

Knowledgeable readers will wonder why Chrome would allow such a thing to happen, given how there’s security measures stopping malicious extensions from being installed. The method used by the attackers is the same reason it’s called “Nigelthorn” in the first place.


In order to dodge Chrome’s security checks, a legitimate and accepted extension is taken, and malicious code is implanted into it. This extension is then spread among the public. When a user gets a request to install the infected extension, it skips Chrome’s security check and allows it to be installed. The malware started its life infecting the “Nigelfy” extension which replaces pictures with that of the cartoon character “Nigel Thornberry.”

What Nigelthorn Does

Nigelthorn has a few nasty tricks up its sleeve. The include the following.

Stealing Data

Of course, being a Facebook extension, Nigelthorn will want to use the data available to its advantage. As such, users infected by Nigelthorn have their Facebook details havested and sent off by the malware to the developers.



Cryptomining has been a hot topic for malware developers, and Nigelthorn is no different! The malware will set a cryptomining program running on the victim’s computer to make the developers some extra money. One six-day window of Nigelthorn’s mining activity saw the developers make $1000 worth of cryptocurrency!

Spreading Itself

Facebook makes it very easy to share information, which malware developers use to their advantage. When a user is infected, the malware will try to spread itself via a link sent over Facebook Messenger or by tagging users in a text post. The infection process is the same, meaning that as long as users click the link and install the extension, the malware can keep replicating itself.

YouTube Manipulation


The code can also direct users to view, like, and subscribe to YouTube videos and channels. This is likely an attempt by the malware developers to gain revenue via YouTube by logging views from infected PCs.

Protecting Itself

Once the extension is installed, the malware will try its best to defend itself from being deleted. If the extensions panel is opened up, the malware will immediately close it again. Similarly, it will block the victim from Facebook and Chrome cleanup tools to better preserve itself.

Avoiding Infection

The best way to avoid being hit by NigelThorn is to not use Chrome. This malware only hits Chrome, so users using other browsers will be safe from this attack. But if a user continues to use Chrome, they should keep an eye out for fishy links on their Facebook page. If they find themselves on a YouTube video page that requires a strange-looking extension to view it, they should not install it under any circumstances!

If you have installed a NigelThorn-infected extension, it’s recommended you uninstall it, preferably via uninstalling Chrome itself if NigelThorn is denying you access to the extensions list. Also, change the password on your Facebook account in case it was stolen in the attack.

A Rose Has Its NigelThorns

While NigelThorn is a nasty piece of kit, it’s not totally unavoidable. Only Chrome users have anything to be concerned about, and even then, as long as you use the knowledge detailed above, you should never fall victim to this malicious attack that winds its way around Chrome’s security measures.

Have you witnessed NigelThorn on Facebook yourself? Let us know below.

Image credit: Bitcoin und britische Pfund

Simon Batt
Simon Batt

Simon Batt is a Computer Science graduate with a passion for cybersecurity.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox