Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

Description

A phishing attack targeting a Cyberhaven employee led to the compromise of their Google Chrome extension. The attacker published a malicious version on the Chrome Web Store, active for 24 hours, capable of exfiltrating cookies and session data. Analysis of IP addresses and domains revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate linked previously reported infrastructure to additional connections, suggesting a long-running operation. The infrastructure, primarily hosted on The Constant Company network, showed consistent domain patterns mimicking known organizations and extensions dating back to early 2024. While similarities exist with groups like Savvy Seahorse, further analysis is needed to establish definitive links.