Security experts at Check Point have warned about a nasty piece of Chinese malware that has infected at least 250 million computers worldwide.

The malware hijacks browsers and generates revenue for a Beijing-based digital marketing agency called Rafotech, said Check Point Software Technologies, which made the claim in a report published Thursday. Several of the researchers’ findings point to some of these companies working together to distribute the malware for a broader reach.

Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but can just as easily turn into a prominent distributor for any additional malware.

“This redirects the queries to either yahoo.com or Google.com”, wrote Check Point. That search engine’s pages would also include tracking pixels, used to collect the users’ private information.

Fireball is also capable of spying on its victims and executing malicious code, which creates a massive security flaw in targeted networks.

First discovered by cybersecurity firm Check Point Threat Intelligence, the browser-hijacking malware attack of Chinese origin has reportedly spread to 20 percent of corporate computer networks.

The most affected countries are India (25.3 million infections – 10.1%), Brazil (24.1 million – 9.6%), Mexico (16.1 million – 6.4%), and Indonesia (13.1 million – 5.2%). While the USA was on the low end at 2.2 percent, it still witnessed 5.5 million hits.

Fireball spreads by being bundled with other free Rafotech products such as Deal Wifi and Mustang Browser.

Though web tracking software isn’t unusual, Check Point notes that Rafotech’s browser extension allows the marketing firm – and potentially any third party – to install programs of their choice on the user’s computer. “The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they hide their true nature”, they wrote.

Rafotech carefully walks along the edge of legitimacy, knowing that adware distribution is not considered a crime like malware distribution is.

“Although Rafotech uses Fireball only for advertising and initiating traffic to its fake search engines, it can perform any action on the victims’ machines. These actions can have serious consequences”.

Check Point said that Fireball is highly sophisticated and utilises “quality evasion techniques, including anti-detection capabilities, multi-layer structure and a flexible C&C”. The first is by taking over a computer’s web browser and turning it into an ad-clicking machine by opening up web pages owned by the attackers and automatically clicking through on ads on the page to generate revenue. Fireball can be removed from PCs by uninstalling the adware using the Programs and Features list in the Windows Control Panel, or using the Mac Finder function in the Applications folder on Macs.