Security experts have discovered social engineering ruse that leads to a malicious Google Chrome extension that lures victims in a click fraud campaign.

Researchers at TrendMicro believe the malware is spreading through malicious shortened Twitter links. Those lead victims to a site that automatically downloads the malicious browser extension (TROJ_DLOADE.DND), according to a recent blog post.

Posing as a Flash Player extension in order to evade detection, the malware circumvents Google’s security policy – which only allows extension installations hosted in the Chrome Web Store – by creating a folder in the browser’s directory where it drops “browser extension components.”

Once installed, if a user visits Facebook or Twitter, the extension prompts a specific site in the background that is written in Turkish, which researchers believe is part of a click fraud or redirection scheme.