A Chinese digital marketer is to blame for the spread of malware called Fireball that reportedly has turned 250 million web browsers into ad-revenue generating “zombies” and infected 20 percent of corporate networks around the world.

The malware hijacks browsers and generates revenue for a Beijing-based digital marketing agency called Rafotech, said Check Point Software Technologies, which made the claim in a report published Thursday. Check Point calls this “possibly the largest infection operation in history” and added that Fireball can be turned into a distributor of any other malware family.

“Fireball has two main functions: the ability of running any code on victim computers–downloading any file or malware, and hijacking and manipulating infected users’ web-traffic to generate ad-revenue,” Check Point said. “Currently, Fireball installs plugins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware.”

Rafotech, according to researchers, is using Fireball to manipulate victims’ browsers to generate money via advertising. Rafotech denies any wrongdoing, Check Point said. Rafotech’s objective is to configure a target’s browser homepage and default search engine with a “fake search engine,” Check Point said. That search engine’s pages would also include tracking pixels, used to collect the users’ private information. User search queries are then redirected to Yahoo or Google.

“Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines, this creates a massive security flaw in targeted machines and networks,” researchers said.

According to Check Point, victims are infected with Fireball via stealth installs bundled with desirable Rafotech apps such as Deal Wifi, Mustang Browser, Soso Desktop and FVP Imageviewer. Additionally, it has been distributed via third-party freeware and spam campaigns.

“It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes,” Check Point wrote.

Researchers also suspect Rafotech has bought computer installs for Fireball from others known for their questionable download tactics. In what Check Point said was an example of such activity, it provided a screenshot of a solicitation by a user with a @rafotech.com email address on an advertising forum stating, “Looking to Buy LOTS of Desktop PPI Traffic/Installs,” and adding, “we are looking for massive volume installs.”

Rafotech’s distribution methods appear to be illegitimate and do not follow the standard advertising criteria that would allow them to be considered naïve or legal, researchers said. “The malware and the fake search engines don’t carry indicators connecting them to Rafotech, they cannot be uninstalled by an ordinary user, and they conceal their true nature,” they wrote.

Geographically, the hardest hit so far are India, with 10 percent of infections, Brazil and Mexico; the United States represents 2.2 percent of infections.