A staggering 250 million computers around the world are infected by a browser hijacker that can be turned into a fully-fledged malware downloader, researchers say.
Security vendor Check Point identified Beijing-based digital marketing agency Rafotech, or RAFO Technology, as being behind the Fireball malware, which changes users' browser home pages and search engine settings to fake sites.
Fireball can also track users, capture their private data, and run arbitrary code on their computers, Check Point said.
While most Fireball infections are found in India and Brazil, the malware has also been identified in Australia and New Zealand.
Check Point's telemetry points to a fifth of all the corporate networks monitored by the security vendor as being infected by Fireball globally.
Users have been complaining about the Rafotech browser hijacker since 2015.
Fireball is bundled with Rafotech products such as Deal Wifi and Mustang Browser, and is also being shipped by other freeware distributors.
Check Point said the Fireball browser hijacking campaign is possibly the largest in history with a quarter of a billion affected systems - making it an immense threat.
"We believe that although this is not a typical malware attack campaign, it has the potential to cause irreversible damage to its victims as well as worldwide internet users," the security vendor said.