Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

Jan. 10, 2025, 8:44 a.m.

Description

A phishing attack targeting a Cyberhaven employee led to the compromise of the company's Google Chrome extension. The attacker published a malicious version on the Chrome Web Store that remained active for 24 hours and was capable of exfiltrating cookies and session data. Analysis of the associated IP addresses and domains revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate linked the previously reported infrastructure to additional hosts, suggesting a long-running operation. The infrastructure, hosted primarily on The Constant Company network, showed consistent domain-naming patterns that mimic known organizations and browser extensions, dating back to early 2024. While similarities exist with groups such as Savvy Seahorse, further analysis is needed to establish definitive links.

Date

Published: Jan. 10, 2025, 4:34 a.m.

Created: Jan. 10, 2025, 4:34 a.m.

Modified: Jan. 10, 2025, 8:44 a.m.

Indicators

714936fff8b5a1fdfb793470a8b8bc0096dd1ffcf4ec2154826196b043f5ef69

www.remiwantnun.com

www.www333.online

www.checker.aethir.us

www.bonuspg77.online

yeowauto.skygst.net

wareinnovator.merseine.com

search.forbarai.com

vafera.rubrically.eu

stagingx.plutonile.com

ext.bardaiforchrome.live

p50.oldrosethisrosesaidthedoctorwasgiventomefiftyfiveyearsagobysyl.shop

google.forbarai.com

dev.jackblack.io

demo-3.wildwestgaming.net

check.aethir.us

bo.jackblack.io

chatgpt.forassistant.com

admin.www333.online

admin.tkv2.pro

api.bonuspg77.online

ytadblocker.com

zhgift.com

wildwestgaming.net

savegptforchrome.com

savegptforyou.live

plutonile.com

okta-onslove.com

moonsif.store

hb333.online

geminiforads.com

goodenhancerblocker.site

chatgptforsearch.com

auth-wisp-systems.com

api.cyberhaven.pro

youtubeadsblocker.live

wakelet.ink

vidnozflex.live

ultrablock.pro

tinamind.info

searchgptchat.info

searchcopilot.co

searchaiassitant.info

savgptforchrome.pro

savechatgpt.site

proxyswitchyomega.pro

pieadblock.pro

locallyext.ink

linewizeconnect.com

internetdownloadmanager.pro

gptdetector.live

geminiaigg.pro

gpt4summary.ink

fadblock.pro

extensionpolicyprivacy.com

extensionbuysell.com

cyberhavenext.pro

dearflip.pro

checkpolicy.site

chatgptextent.pro

blockforads.com

blockadsonyt.vip

bardaiforchrome.live

aiforgemini.com

adskiper.net

policyextension.info

Attack Patterns

T1189

T1552

T1573

T1598

T1071

T1102

T1219

T1040

T1204

T1132

T1027

T1566

T1090

T1059

Additional Information

Singapore

France

Germany

United States of America