Hidden Threats of Dual-Function Malware Found in Chrome Extensions

May 21, 2025, 10:32 p.m.

Description

An unknown threat actor has been creating malicious Chrome browser extensions since February 2024, using fake websites to lure users into installing them. These extensions have dual functionality, appearing to work as intended while also connecting to malicious servers to steal user data and execute arbitrary code. The extensions request excessive permissions and use various techniques to bypass security measures. They communicate with actor-controlled API domains, sending encrypted system information and receiving dynamic rules and code. The malicious activities include cookie theft, traffic manipulation, and potential account compromises. Over 100 fake websites and extensions have been deployed, exploiting current trends to attract users. The Chrome Web Store has removed some extensions, but the actor's persistence poses an ongoing threat to users seeking productivity tools and browser enhancements.

External References

https://github.com/DomainTools/SecuritySnacks/blob/main/2025/DualFunction-Malware-Chrome-Extensions
https://dti.domaintools.com/dual-function-malware-chrome-extensions
https://otx.alienvault.com/pulse/682dfaa431bd4e9a598464cc
Tags
data theft
code execution
2025-05-21
traffic manipulation
lure websites
chrome extensions
api endpoints

Date

  • Created: May 21, 2025, 4:09 p.m.
  • Published: May 21, 2025, 4:09 p.m.
  • Modified: May 21, 2025, 10:32 p.m.

Indicators

  • api.zorpleflux.top
  • api.sprocketwhirl.top
  • api.infograph.top
  • api.glimmerbloop.top
  • zorpleflux.top
  • zingleflap.top
  • youtube-vision.world
  • youtube-vision.com
  • x-theme.world
  • wtigroups.com
  • wti-analytics.com
  • workfront-plus.com
  • wobbleguff.top
  • wobblefizz.top
  • wibblywob.top
  • whale-alerts.org
  • whale-alert.life
  • webwatch.world
  • webinsight.world
  • web-metrics.link
  • web-analytics.top
  • twizzleflap.top
  • twin-web.world
  • squirrel-wallet.world
  • spylens.world
  • sprocketwhirl.top
  • spaceball.top
  • soul-vpn.com
  • snogglewomp.top
  • snickerdoodle.top
  • sitestats.world
  • similar-net.com
  • siteanalyzer.world
  • safesurf.world
  • raccoon-vpn.world
  • quizzlepuff.top
  • quirkleblip.top
  • privacy-shield.world
  • orchid-vpn.com
  • meta-spy365.com
  • noodlequack.top
  • meta-spy.help
  • meta-guests.com
  • manusai.sbs
  • madgicxads.world
  • madgicx-plus.com
  • lockads.org
  • jumblefizz.top
  • jibberjot.top
  • irontunnel.world
  • iron-tunnel.com
  • ioonline.top
  • iospace.top
  • iohub.sbs
  • iochange.top
  • infosync.top
  • ioapp.sbs
  • infonet.sbs
  • infograph.top
  • glimmerbloop.top
  • fortivnp.com
  • forti-vpn.com
  • floopdoodle.top
  • flight-radar.life
  • flibberwump.top
  • fizzlepopcorn.top
  • eventphere.com
  • earthvpn.top
  • e-xt.top
  • digigtalwow.top
  • digigtalneo.top
  • deepseek-ai.link
  • debank.sbs
  • debank.click
  • debank-extension.world
  • datazen.sbs
  • datavibe.sbs
  • cryptowhalesvision.world
  • crypto-whale.top
  • crypto-whale.info
  • creativepeek.world
  • creativehunter.world
  • cookie-whitelist.com
  • calendlydocker.com
  • calendlydaily.world
  • calendly-director.com
  • blurflewhack.top
  • analytics-box.world
  • amlsector.com
  • aml-sector.world
  • adtwin.world
  • adelephant.world
  • addetective.world
  • ad-vision.top
  • ad-vision.click
  • ad-spy.world
  • ad-seeker.world
  • ad-scope.world
  • ad-guardian.world
  • ad-eye.help
Download all indicators here!

Attack Patterns