{"id":232785,"date":"2026-07-07T03:55:29","date_gmt":"2026-07-07T10:55:29","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=232785"},"modified":"2026-07-07T03:55:29","modified_gmt":"2026-07-07T10:55:29","slug":"crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/","title":{"rendered":"Silent Swap\u00a0: une campagne par d\u00e9ploiement d&#8217;extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb"},"content":{"rendered":"<p style=\"text-align: center;\"><em>Auteur\u00a0: Neil Tyagi<\/em><\/p>\n<h2><b><span data-contrast=\"none\">R\u00e9sum\u00e9<\/span><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">L&#8217;\u00e9quipe McAfee Advanced Threat Research a identifi\u00e9 <strong>une campagne active recourant \u00e0 des extensions de navigateur pour voler des cryptomonnaies en rempla\u00e7ant discr\u00e8tement les adresses de portefeuilles d\u00e8s qu&#8217;un utilisateur lance une transaction<\/strong>. La campagne s&#8217;appuie sur des programmes d&#8217;installation non sign\u00e9s \u2014 observ\u00e9s aussi bien dans des variantes .NET que Golang \u2014 qui d\u00e9ploient une extension Chromium malveillante se faisant passer pour un utilitaire \u00ab Google Notes \u00bb inoffensif.<\/span><\/p>\n<p><span data-contrast=\"auto\">Cette campagne est li\u00e9e \u00e0 un article de blog publi\u00e9 pr\u00e9c\u00e9demment par McAfee Labs,<\/span> intitul\u00e9 \u00ab\u00a0<a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\"><i><span data-contrast=\"none\">Sinkholing CountLoader: Insights into Its Recent Campaign<\/span><\/i><span data-contrast=\"none\">\u00a0\u00bb,<\/span><\/a><span data-contrast=\"auto\"> \u00e9tant donn\u00e9 que le m\u00eame cybercriminel semble \u00eatre derri\u00e8re<\/span><span data-contrast=\"auto\"> ces deux<\/span><span data-contrast=\"auto\"> op\u00e9rations<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\"> Lors de cette \u00e9tude ant\u00e9rieure, nous avons analys\u00e9 une charge virale de type \u00ab\u00a0crypto clipper\u00a0\u00bb qui avait \u00e9t\u00e9 inject\u00e9e directement dans la m\u00e9moire. Nous examinons ici une autre variante de la charge virale de la phase finale\u00a0: une extension malveillante pour navigateur con\u00e7ue pour intercepter et manipuler les transactions en cryptomonnaie.<\/span><\/p>\n<p><span data-contrast=\"auto\">Dans ce rapport, nous expliquons en d\u00e9tail le fonctionnement de cette extension et proposons une analyse technique des m\u00e9canismes qui conf\u00e8rent \u00e0 cette menace un caract\u00e8re particuli\u00e8rement singulier. Cette extension fonctionne comme un crypto clipper ciblant le presse-papiers : elle surveille les op\u00e9rations de copier-coller, identifie les adresses de portefeuilles \u00e0 travers plusieurs cha\u00eenes de blocs et les remplace par des adresses contr\u00f4l\u00e9es par le cybercriminel juste avant que la victime ne colle le contenu. La plupart des transactions sur la cha\u00eene de blocs \u00e9tant irr\u00e9versibles, une seule ex\u00e9cution sans interruption peut entra\u00eener des pertes financi\u00e8res irr\u00e9m\u00e9diables.<\/span><\/p>\n<p><span data-contrast=\"auto\">Deux caract\u00e9ristiques distinguent cette campagne des menaces habituelles li\u00e9es aux clippers\u00a0:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ol>\n<li><b><span data-contrast=\"auto\">Exploitation de la couche de confiance de Chromium.<\/span><\/b><b><span data-contrast=\"auto\">\u00a0<\/span><\/b><span data-contrast=\"auto\">Le programme d&#8217;installation installe \u00e0 votre insu une extension malveillante dans les navigateurs bas\u00e9s sur Chromium, tels que Google Chrome, Brave et Microsoft Edge, en modifiant les fichiers de param\u00e8tres prot\u00e9g\u00e9s du navigateur. En r\u00e8gle g\u00e9n\u00e9rale, ces navigateurs stockent des donn\u00e9es de v\u00e9rification de s\u00e9curit\u00e9 (valeurs de hachage\/HMAC) aux c\u00f4t\u00e9s des param\u00e8tres sensibles afin de d\u00e9tecter toute modification non autoris\u00e9e<\/span><b><span data-contrast=\"auto\">.<\/span><\/b><b><span data-contrast=\"auto\">\u00a0<\/span><\/b><span data-contrast=\"auto\">Le logiciel malveillant recalcule et met \u00e0 jour ces valeurs de s\u00e9curit\u00e9 apr\u00e8s avoir alt\u00e9r\u00e9 les fichiers, ce qui induit le navigateur en erreur en lui faisant croire que l&#8217;extension malveillante a \u00e9t\u00e9 install\u00e9e en toute l\u00e9gitimit\u00e9. L&#8217;extension peut ainsi contourner la proc\u00e9dure normale d&#8217;installation via la boutique en ligne des extensions et se charger en arri\u00e8re-plan sans l&#8217;accord de l&#8217;utilisateur. Si, pour les versions r\u00e9centes des navigateurs Chrome et Edge, la victime doit activer manuellement le mode d\u00e9veloppeur pour que l&#8217;extension se charge correctement, les utilisateurs disposant de versions obsol\u00e8tes de navigateurs bas\u00e9s sur Chromium restent en revanche expos\u00e9s \u00e0 un risque \u00e9lev\u00e9. De plus, m\u00eame dans les versions les plus r\u00e9centes, un cybercriminel peut toujours recourir \u00e0 des techniques d&#8217;ing\u00e9nierie sociale pour activer le mode d\u00e9veloppeur.<\/span><\/li>\n<li><span data-contrast=\"auto\"><strong>Syst\u00e8me de commande et de contr\u00f4le bas\u00e9 sur la cha\u00eene de blocs<\/strong>. L&#8217;extension ne contient pas de domaine C2 cod\u00e9 en dur. Au lieu de cela, elle interroge un endpoint RPC de la cha\u00eene de blocs publique, appelle une m\u00e9thode de contrat intelligent en lecture seule, puis d\u00e9code la r\u00e9ponse lors de l&#8217;ex\u00e9cution afin de r\u00e9v\u00e9ler son serveur de commande et de contr\u00f4le (C2) actif, identifi\u00e9 au moment de l&#8217;analyse comme \u00e9tant <\/span><span data-contrast=\"none\">Zebregts[.]com.<\/span> <span data-contrast=\"auto\">Cette technique, souvent appel\u00e9e <strong>\u00ab\u00a0EtherHiding\u00a0\u00bb, <\/strong>complique les efforts de mise hors service, car le cybercriminel peut faire tourner son infrastructure en mettant \u00e0 jour la valeur d&#8217;un contrat intelligent plut\u00f4t qu&#8217;en red\u00e9ployant le logiciel malveillant.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span class=\"TextRun SCXW228011278 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW228011278 BCX0\">Les donn\u00e9es t\u00e9l\u00e9m\u00e9triques de McAfee <\/span><span class=\"NormalTextRun SCXW228011278 BCX0\">indiquent<\/span><span class=\"NormalTextRun SCXW228011278 BCX0\"> une propagation de l&#8217;infection \u00e0 l&#8217;\u00e9chelle mondiale, avec une concentration marqu\u00e9e en Inde. L&#8217;\u00e9tendue g\u00e9ographique de ces activit\u00e9s laisse supposer <\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW228011278 BCX0\">un ciblage<\/span><span class=\"NormalTextRun SCXW228011278 BCX0\"> opportuniste des utilisateurs de cryptomonnaies \u00e0 des fins de consommation, plut\u00f4t qu&#8217;une op\u00e9ration sp\u00e9cifique \u00e0 une r\u00e9gion donn\u00e9e.<\/span><\/span><span class=\"EOP Selected SCXW228011278 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun SCXW20172865 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW20172865 BCX0\" data-ccp-parastyle=\"heading 2\">R\u00e9partition g\u00e9ographique<\/span><\/span><span class=\"EOP Selected SCXW20172865 BCX0\" data-ccp-props=\"{\">\u00a0\u00a0<\/span><\/h2>\n<figure id=\"attachment_231885\" aria-describedby=\"caption-attachment-231885\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231885\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-1024x574.png\" alt=\"Carte du monde montrant les pays touch\u00e9s par cette menace de cybers\u00e9curit\u00e9\" width=\"1024\" height=\"574\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-1024x574.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-300x168.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-768x431.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-205x115.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM.png 1462w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231885\" class=\"wp-caption-text\">Nos recherches montrent que ce sont l\u00e0 les r\u00e9gions du monde les plus touch\u00e9es.<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">L&#8217;analyse des donn\u00e9es t\u00e9l\u00e9m\u00e9triques <\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">indique<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\"> que <\/span><\/span><strong><span class=\"TextRun MacChromeBold SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">les infections sont r\u00e9parties \u00e0 l&#8217;\u00e9chelle mondiale<\/span><\/span><\/strong><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">, avec une <\/span><\/span><span class=\"TextRun MacChromeBold SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">concentration nettement plus \u00e9lev\u00e9e <\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">observ\u00e9e<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\"> en Inde<\/span><\/span><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\"> par rapport aux autres r\u00e9gions.<\/span><\/span><\/p>\n<p><span class=\"TextRun SCXW109407542 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW109407542 BCX0\">Cette pr\u00e9sence g\u00e9ographique \u00e9tendue met en \u00e9vidence la large port\u00e9e de la campagne, ce qui laisse supposer un ciblage opportuniste plut\u00f4t qu&#8217;une attaque visant une r\u00e9gion en particulier.<\/span><\/span><span class=\"EOP Selected SCXW109407542 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun SCXW34834531 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW34834531 BCX0\" data-ccp-parastyle=\"heading 2\">L&#8217;extension malveillante\u00a0: \u00ab\u00a0Google Notes\u00a0\u00bb<\/span><\/span><span class=\"EOP Selected SCXW34834531 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW148697599 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW148697599 BCX0\">Ce logiciel malveillant se fait passer pour une extension Google Notes <\/span><span class=\"NormalTextRun SCXW148697599 BCX0\">en apparence inoffensive<\/span><span class=\"NormalTextRun SCXW148697599 BCX0\">.<\/span><\/span><span class=\"EOP Selected SCXW148697599 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231900\" aria-describedby=\"caption-attachment-231900\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231900\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1024x818.png\" alt=\"Lextension malveillante de Google Chrome.\" width=\"1024\" height=\"818\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1024x818.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-300x240.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-768x614.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1536x1228.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-161x129.png 161w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM.png 1554w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231900\" class=\"wp-caption-text\"><em>Figure 1. Cette image montre l&#8217;extension malveillante au c\u0153ur de cette campagne.<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">L&#8217;extension d\u00e9ploy\u00e9e se pr\u00e9sente sous la forme d&#8217;une application de prise de notes minimaliste et d&#8217;apparence l\u00e9gitime, baptis\u00e9e \u00ab Google Notes \u00bb, dot\u00e9e d&#8217;une ic\u00f4ne \u00e9pur\u00e9e et d&#8217;une interface utilisateur fonctionnelle (et simpliste).<\/span><\/p>\n<p><span data-contrast=\"auto\">La strat\u00e9gie est bien pens\u00e9e\u00a0: lorsqu&#8217;un utilisateur ouvre manuellement l&#8217;extension, il constate que celle-ci fonctionne conform\u00e9ment \u00e0 ce qui est annonc\u00e9, ce qui dissipe ses soup\u00e7ons. La logique malveillante de l&#8217;extension est impl\u00e9ment\u00e9e dans des scripts de type \u00ab\u00a0service worker\u00a0\u00bb et des scripts de contenu qui s&#8217;ex\u00e9cutent en arri\u00e8re-plan et qui fonctionnent enti\u00e8rement hors de la vue de l&#8217;interface utilisateur.<\/span><\/p>\n<p><b><span data-contrast=\"auto\">Un premier signal d&#8217;alerte majeur appara\u00eet d\u00e8s l&#8217;installation de l&#8217;extension, qui demande des autorisations de <\/span><\/b><b><span data-contrast=\"auto\">s\u00e9curit\u00e9<\/span><\/b><b><\/b><b><span data-contrast=\"auto\"> et des<\/span><\/b><b><span data-contrast=\"auto\"> droits d&#8217;acc\u00e8s <\/span><\/b><b><span data-contrast=\"auto\">disproportionn\u00e9s par rapport \u00e0 une <\/span><\/b><b><span data-contrast=\"auto\">application<\/span><\/b><b><span data-contrast=\"auto\"> de prise de notes <\/span><\/b><strong>classique\u00a0:<\/strong><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Acc\u00e8s \u00e0 toutes les URL, permettant l&#8217;injection de scripts dans chaque site consult\u00e9 par l&#8217;utilisateur<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Acc\u00e8s \u00e0 l&#8217;historique de navigation<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Acc\u00e8s en lecture et en \u00e9criture au presse-papiers<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Mesures d&#8217;att\u00e9nuation et recommandations<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Pour les particuliers<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<ol>\n<li><span data-contrast=\"auto\">Avant de valider toute transaction en cryptomonnaie, <\/span><b><span data-contrast=\"auto\">v\u00e9rifiez visuellement les six premiers et les six derniers caract\u00e8res de l&#8217;adresse du destinataire<\/span><\/b><span data-contrast=\"auto\"> en les comparant \u00e0 la source\u00a0\u2014 de pr\u00e9f\u00e9rence sur un appareil distinct.\u00a0Cette simple habitude permet de faire \u00e9chouer la grande majorit\u00e9 des attaques de clipper.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Installez des extensions de navigateur exclusivement \u00e0 partir du Chrome Web Store officiel<\/span><\/b><span data-contrast=\"auto\">, de la boutique d&#8217;extensions Edge ou d&#8217;une boutique \u00e9quivalente. Une extension qui figure dans votre liste d&#8217;extensions install\u00e9es sans que vous ayez souvenir de l&#8217;avoir install\u00e9e doit \u00eatre consid\u00e9r\u00e9e comme suspecte.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">V\u00e9rifiez les autorisations accord\u00e9es \u00e0 chaque extension install\u00e9e<\/span><\/b><span data-contrast=\"auto\">. Un outil de prise de notes n&#8217;a aucune raison valable d&#8217;acc\u00e9der \u00e0 l&#8217;ensemble des sites Web, \u00e0 l&#8217;historique de navigation ou au presse-papiers.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">\u00c9vitez d&#8217;ex\u00e9cuter des fichiers ex\u00e9cutables non sign\u00e9s <\/span><\/b><span data-contrast=\"auto\">provenant de sources non fiables, en particulier celles proposant des versions gratuites ou pirat\u00e9es de logiciels payants\u00a0\u2014 un vecteur de distribution courant pour ce type de programme d&#8217;installation.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Assurez-vous que la protection des terminaux est \u00e0 jour et activ\u00e9e<\/span><\/b><span data-contrast=\"auto\">\u00a0; les clients McAfee sont prot\u00e9g\u00e9s contre cette campagne sp\u00e9cifique, comme expliqu\u00e9 ci-dessous.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ol>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Les solutions de s\u00e9curit\u00e9 McAfee contribuent \u00e0 prot\u00e9ger les utilisateurs \u00e0 plusieurs niveaux\u00a0:<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<h4><b><span data-contrast=\"auto\">1. McAfee d\u00e9tecte cette menace sous le nom de CryptoStealer.NE et assure la s\u00e9curit\u00e9 de ses clients<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/h4>\n<figure id=\"attachment_231915\" aria-describedby=\"caption-attachment-231915\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-231915\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1024x513.png\" alt=\"Figure\u00a02. Cette capture d\u00e9cran montre comment McAfee Antivirus bloque cette menace pour les particuliers. \" width=\"1024\" height=\"513\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1024x513.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-300x150.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-768x385.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1536x770.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-205x103.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM.png 1608w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231915\" class=\"wp-caption-text\"><em>Figure\u00a02. Cette capture d&#8217;\u00e9cran montre comment McAfee Antivirus bloque cette menace pour les particuliers.<\/em><\/figcaption><\/figure>\n<h4><b><span data-contrast=\"auto\">2. Protection contre les t\u00e9l\u00e9chargements malveillants<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">Le comportement du programme d&#8217;installation\u00a0\u2014 qui t\u00e9l\u00e9charge et ex\u00e9cute des charges virales \u00e0 distance\u00a0\u2014 est d\u00e9tect\u00e9 et bloqu\u00e9 par McAfee avant que l&#8217;infection ne soit effective.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Lors de nos tests, tous les domaines et URL malveillants ont \u00e9t\u00e9 bloqu\u00e9s par McAfee.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h4><b><span data-contrast=\"auto\">3. Protection du r\u00e9seau<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">Les connexions \u00e0 des infrastructures malveillantes connues (serveurs C2) sont bloqu\u00e9es par McAfee, ce qui emp\u00eache la r\u00e9cup\u00e9ration des adresses de portefeuilles<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h4><b><span data-contrast=\"auto\">4. Renseignements en temps r\u00e9el sur les menaces<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">Cette menace ayant \u00e9t\u00e9 identifi\u00e9e dans les donn\u00e9es t\u00e9l\u00e9m\u00e9triques de McAfee, des mesures de protection peuvent \u00eatre rapidement mises en place pour\u00a0:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Bloquer les variantes similaires<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">D\u00e9tecter les infrastructures associ\u00e9es<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Prot\u00e9ger les clients dans le monde entier<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h1><span class=\"TextRun SCXW230324404 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW230324404 BCX0\" data-ccp-parastyle=\"heading 1\">Fonctionnement de cette campagne malveillante<\/span><\/span><span class=\"EOP Selected TrackedChange SCXW230324404 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h1>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Ce que fait le logiciel malveillant\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<ol>\n<li><span data-contrast=\"auto\">Il installe une <\/span><span data-contrast=\"auto\">extension de navigateur \u00e0 votre insu (chargement lat\u00e9ral d&#8217;une extension Web).<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il surveille ce que vous copiez et collez (en particulier les adresses cryptographiques).<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il s&#8217;ex\u00e9cute lorsque vous effectuez une transaction cryptographique.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il remplace discr\u00e8tement l&#8217;adresse du portefeuille par celle du cybercriminel.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Vos fonds sont transf\u00e9r\u00e9s au cybercriminel au lieu d&#8217;\u00eatre vers\u00e9s au destinataire pr\u00e9vu.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">Les transactions en cryptomonnaie \u00e9tant g\u00e9n\u00e9ralement <\/span><b><span data-contrast=\"auto\">irr\u00e9versibles<\/span><\/b><span data-contrast=\"auto\">, <strong>les victimes risquent de perdre d\u00e9finitivement leurs fonds.<\/strong><\/span><\/p>\n<figure id=\"attachment_231930\" aria-describedby=\"caption-attachment-231930\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231930\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-1024x849.png\" alt=\"Figure\u00a03. Fonctionnement synth\u00e9tis\u00e9 de lextension \" width=\"1024\" height=\"849\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-1024x849.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-300x249.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-768x637.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-156x129.png 156w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM.png 1414w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231930\" class=\"wp-caption-text\"><em>Figure\u00a03. Fonctionnement synth\u00e9tis\u00e9 de l&#8217;extension<\/em><\/figcaption><\/figure>\n<h2><span class=\"TextRun SCXW178309168 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW178309168 BCX0\" data-ccp-parastyle=\"heading 2\">Principales capacit\u00e9s identifi\u00e9es<\/span><\/span><span class=\"EOP Selected SCXW178309168 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<h3><span class=\"TextRun MacChromeBold SCXW263237166 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW263237166 BCX0\">1. Installation silencieuse d&#8217;une extension<\/span><\/span><span class=\"EOP Selected SCXW263237166 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">Ce logiciel malveillant n&#8217;utilise pas la boutique officielle du navigateur. Au lieu de cela, il modifie directement les fichiers du navigateur pour donner l&#8217;impression que l&#8217;extension est install\u00e9e (chargement lat\u00e9ral de l&#8217;extension de navigateur).<\/span><\/p>\n<p><span data-contrast=\"auto\">Cette m\u00e9thode contourne les invites de s\u00e9curit\u00e9 habituelles et \u00e9chappe \u00e0 la vigilance de l&#8217;utilisateur.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231945\" aria-describedby=\"caption-attachment-231945\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231945\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1024x200.png\" alt=\"Figure\u00a04. Journaux Procmon montrant que BaseZipInstaller (le programme dinstallation Web malveillant) \u00e9crit dans les fichiers Secure Preferences de Chrome et dEdge \" width=\"1024\" height=\"200\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1024x200.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-300x59.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-768x150.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1536x300.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-205x40.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM.png 1576w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231945\" class=\"wp-caption-text\"><em>Figure\u00a04. Journaux Procmon montrant que BaseZipInstaller (le programme d&#8217;installation Web malveillant) \u00e9crit dans les fichiers Secure Preferences de Chrome et d&#8217;Edge<\/em><\/figcaption><\/figure>\n<h3><span class=\"TextRun MacChromeBold SCXW45645796 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW45645796 BCX0\">2. Acc\u00e8s complet au navigateur<\/span><\/span><span class=\"EOP Selected SCXW45645796 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_231962\" aria-describedby=\"caption-attachment-231962\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231962\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-1024x403.png\" alt=\"Figure\u00a05. Autorisations requises pour lextension Chrome \" width=\"1024\" height=\"403\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-1024x403.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-768x302.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM.png 1184w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231962\" class=\"wp-caption-text\"><em>Figure\u00a05. Autorisations requises pour l&#8217;extension Chrome<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_231977\" aria-describedby=\"caption-attachment-231977\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231977\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1024x544.png\" alt=\"Figure\u00a06. Fichier manifest de lextension Web \" width=\"1024\" height=\"544\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1024x544.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-300x160.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-768x408.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1536x817.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-205x109.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM.png 1610w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231977\" class=\"wp-caption-text\"><em>Figure\u00a06. Fichier manifest de l&#8217;extension Web<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">L&#8217;extension malveillante demande des autorisations excessives, telles que\u00a0:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Acc\u00e8s \u00e0 tous les sites Web<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Consultation de l&#8217;historique de navigation<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Lecture et modification du contenu du presse-papiers<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3><b><span data-contrast=\"auto\">3. Interception d&#8217;adresses cryptographiques<\/span><\/b><\/h3>\n<p><span data-contrast=\"auto\">L&#8217;extension int\u00e8gre une logique permettant de d\u00e9tecter les adresses de portefeuilles pour plusieurs cryptomonnaies, notamment\u00a0:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231992\" aria-describedby=\"caption-attachment-231992\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231992\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1024x357.png\" alt=\"Figure\u00a07. Expression r\u00e9guli\u00e8re (Regex) de cryptomonnaies cod\u00e9es en dur et adresse de secours\" width=\"1024\" height=\"357\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1024x357.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-300x104.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-768x268.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1536x535.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-205x71.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM.png 1602w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231992\" class=\"wp-caption-text\"><em>Figure\u00a07. Expressions r\u00e9guli\u00e8res (Regex) de cryptomonnaies cod\u00e9es en dur et adresse de secours<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Les adresses de portefeuille de secours indiqu\u00e9es dans le code ne sont pas utilis\u00e9es pour toutes les transactions\u00a0; elles servent plut\u00f4t de m\u00e9canisme de secours lorsque la r\u00e9cup\u00e9ration dynamique d&#8217;adresses \u00e0 partir du serveur contr\u00f4l\u00e9 par le cybercriminel \u00e9choue.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Dans des conditions normales de fonctionnement, l&#8217;extension r\u00e9cup\u00e8re des adresses de remplacement aupr\u00e8s d&#8217;un serveur distant, ce qui permet une attribution dynamique des portefeuilles, \u00e9ventuellement sp\u00e9cifique \u00e0 chaque victime.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Les adresses de secours permettent \u00e0 l&#8217;attaque de rester fonctionnelle m\u00eame si l&#8217;infrastructure de commande et de contr\u00f4le est temporairement indisponible ou bloqu\u00e9e.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232007\" aria-describedby=\"caption-attachment-232007\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232007\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1024x259.png\" alt=\"Figure\u00a08. Extension malveillante ex\u00e9cutant une r\u00e9solution dynamique dadresses cryptographiques \" width=\"1024\" height=\"259\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1024x259.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-300x76.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-768x194.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1536x389.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-205x52.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232007\" class=\"wp-caption-text\"><em>Figure\u00a08. Extension malveillante ex\u00e9cutant une r\u00e9solution dynamique d&#8217;adresses cryptographiques<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Cette fonction a pour r\u00f4le d&#8217;obtenir l&#8217;adresse de portefeuille de remplacement contr\u00f4l\u00e9e par le cybercriminel qui correspond \u00e0 l&#8217;adresse d&#8217;origine de la victime.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Elle envoie l&#8217;adresse de portefeuille intercept\u00e9e au serveur dorsal du cybercriminel et utilise la r\u00e9ponse pour remplacer dynamiquement l&#8217;adresse d&#8217;origine.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Si la requ\u00eate vers le serveur dorsal \u00e9choue, la fonction se rabat sur une adresse de portefeuille pr\u00e9d\u00e9finie et cod\u00e9e en dur, de fa\u00e7on \u00e0 \u00e9viter toute interruption de l&#8217;activit\u00e9 malveillante.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">3J98t1Wxxxx est l&#8217;adresse qui a \u00e9t\u00e9 copi\u00e9e dans le presse-papiers.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3><span class=\"TextRun MacChromeBold SCXW175329495 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW175329495 BCX0\">4<\/span><span class=\"NormalTextRun SCXW175329495 BCX0\">.\u00a0<\/span><span class=\"NormalTextRun SCXW175329495 BCX0\">Contournement de la d\u00e9tection et furtivit\u00e9<\/span><\/span><span class=\"EOP Selected SCXW175329495 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_232022\" aria-describedby=\"caption-attachment-232022\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232022\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1024x476.png\" alt=\"Figure\u00a08. Fichier Settings.js montrant la configuration \" width=\"1024\" height=\"476\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1024x476.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-300x139.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-768x357.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1536x714.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-205x95.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232022\" class=\"wp-caption-text\"><em>Figure\u00a08. Fichier Settings.js montrant la configuration<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">La configuration comprend une cl\u00e9 API cod\u00e9e en dur, qui est utilis\u00e9e par l&#8217;extension pour authentifier la communication avec l&#8217;infrastructure contr\u00f4l\u00e9e par le cybercriminel.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Une URL RPC pointant vers un n\u0153ud de cha\u00eene de blocs publique est utilis\u00e9e pour d\u00e9terminer de mani\u00e8re dynamique les renseignements relatifs au serveur dorsal, ce qui permet au cybercriminel de dissimuler des infrastructures critiques derri\u00e8re des syst\u00e8mes d\u00e9centralis\u00e9s.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">La pr\u00e9sence d&#8217;une adresse et d&#8217;une m\u00e9thode de contrat intelligent indique que le logiciel malveillant r\u00e9cup\u00e8re son domaine de commande et contr\u00f4le (C2) de mani\u00e8re indirecte via des requ\u00eates sur la cha\u00eene de blocs, ce qui complique sa neutralisation et son suivi.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">La liste des domaines sur liste noire contient une liste de sites Web li\u00e9s \u00e0 l&#8217;inspection de la cha\u00eene de blocs sur lesquels l&#8217;extension Web ne fonctionnera pas. Cette mesure vise \u00e0 \u00e9viter d&#8217;alerter la victime lorsqu&#8217;elle tente de coller sa propre adresse pour consulter le solde de son portefeuille ou v\u00e9rifier les transactions de celui-ci.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232037\" aria-describedby=\"caption-attachment-232037\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232037\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1024x425.png\" alt=\"Figure\u00a09. Identification du domaine C2 du cybercriminel via un contrat intelligent Ethereum (etherhiding) \" width=\"1024\" height=\"425\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1024x425.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-300x124.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-768x318.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1536x637.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-205x85.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232037\" class=\"wp-caption-text\"><em>Figure\u00a09. Identification du domaine C2 du cybercriminel via un contrat intelligent Ethereum (etherhiding)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232052\" aria-describedby=\"caption-attachment-232052\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232052\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1024x294.png\" alt=\"Figure\u00a010. Charge virale de la requ\u00eate avec ladresse du contrat Ethereum \" width=\"1024\" height=\"294\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1024x294.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-300x86.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-768x220.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1536x441.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-205x59.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232052\" class=\"wp-caption-text\"><em>Figure\u00a010. Charge virale de la requ\u00eate avec l&#8217;adresse du contrat Ethereum<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">L&#8217;analyse dynamique a r\u00e9v\u00e9l\u00e9 que le logiciel malveillant obtient son domaine de commande et de contr\u00f4le via un contrat intelligent de cha\u00eene de blocs, qui renvoie le domaine <\/span><b><i><span data-contrast=\"auto\">devops-offensive[.]cc<\/span><\/i><\/b><span data-contrast=\"auto\"> lors de l&#8217;ex\u00e9cution.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">La r\u00e9ponse provenant de la cha\u00eene de blocs est d\u00e9cod\u00e9e au moment de l&#8217;ex\u00e9cution, r\u00e9v\u00e9lant ainsi le domaine C2 actif (devops-offensive.cc).\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ce domaine n&#8217;est pas cod\u00e9 en dur, ce qui permet au cybercriminel de mettre \u00e0 jour l&#8217;infrastructure sans modifier le logiciel malveillant.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Le domaine r\u00e9solu est mis en cache localement afin d&#8217;assurer la persistance et de r\u00e9duire le nombre de requ\u00eates r\u00e9seau r\u00e9p\u00e9t\u00e9es.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232067\" aria-describedby=\"caption-attachment-232067\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-232067\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1024x258.png\" alt=\"Figure\u00a011. Cette capture d\u00e9cran montre la cha\u00eene cod\u00e9e longue contenant le domaine malveillant. \" width=\"1024\" height=\"258\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1024x258.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-300x76.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-768x194.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1536x387.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-205x52.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232067\" class=\"wp-caption-text\"><em>Figure 11. Cette capture d&#8217;\u00e9cran montre la cha\u00eene cod\u00e9e longue contenant le domaine malveillant.<\/em><\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW196653296 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW196653296 BCX0\">Cette <\/span><\/span><span class=\"TextRun SCXW196653296 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW196653296 BCX0\">cha\u00eene cod\u00e9e longue est d\u00e9cod\u00e9e \u00e0 l&#8217;aide de cette <\/span><span class=\"NormalTextRun SCXW196653296 BCX0\">fonction<\/span><span class=\"NormalTextRun SCXW196653296 BCX0\"> pour obtenir le domaine final du cybercriminel.<\/span><\/span><\/p>\n<figure id=\"attachment_232082\" aria-describedby=\"caption-attachment-232082\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-232082\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1024x252.png\" alt=\"Figure\u00a012. Cette capture d\u00e9cran montre le domaine final du cybercriminel. \" width=\"1024\" height=\"252\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1024x252.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-300x74.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-768x189.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1536x378.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-205x51.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232082\" class=\"wp-caption-text\"><em>Figure\u00a012. Cette capture d&#8217;\u00e9cran montre le domaine final du cybercriminel.<\/em><\/figcaption><\/figure>\n<h2><span class=\"TextRun SCXW127612542 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW127612542 BCX0\" data-ccp-parastyle=\"heading 2\">Techniques de persistance et d&#8217;\u00e9vasion<\/span><\/span><span class=\"EOP Selected SCXW127612542 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW32004784 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW32004784 BCX0\">La strat\u00e9gie de persistance et d&#8217;<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW32004784 BCX0\">\u00e9vasion<\/span><span class=\"NormalTextRun SCXW32004784 BCX0\"> de cette campagne est d\u00e9lib\u00e9r\u00e9e et comporte plusieurs niveaux. Le cybercriminel a clairement <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW32004784 BCX0\">optimis\u00e9<\/span><span class=\"NormalTextRun SCXW32004784 BCX0\"> son syst\u00e8me en fonction de deux crit\u00e8res\u00a0: une faible visibilit\u00e9 pour l&#8217;utilisateur final et une grande r\u00e9sistance \u00e0 la mise hors service et \u00e0 l&#8217;analyse statique.<\/span><\/span><span class=\"EOP Selected TrackedChange SCXW32004784 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Persistance<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<ul>\n<li><span data-contrast=\"auto\">L&#8217;enregistrement de l&#8217;extension via la manipulation des fichiers Secure Preferences garantit que l&#8217;extension se chargera \u00e0 chaque d\u00e9marrage ult\u00e9rieur du navigateur sans n\u00e9cessiter de m\u00e9canisme de persistance Windows suppl\u00e9mentaire\u00a0\u2014<\/span><b><i><span data-contrast=\"auto\">ni cl\u00e9s Run dans le registre, ni t\u00e2ches planifi\u00e9es, ni services que les chasseurs de menaces sur terminaux inspectent g\u00e9n\u00e9ralement.<\/span><\/i><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Le mode d\u00e9veloppeur est activ\u00e9 par programmation lorsque cela s&#8217;av\u00e8re n\u00e9cessaire, ce qui permet aux extensions d\u00e9compress\u00e9es de rester en place sans d\u00e9clencher le flux p\u00e9riodique d&#8217;\u00ab\u00a0avertissement concernant des extensions d\u00e9compress\u00e9es\u00a0\u00bb que Chromium affiche pour dissuader le chargement lat\u00e9ral d&#8217;extensions.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Le domaine C2 mis en cache permet \u00e0 l&#8217;extension de continuer \u00e0 fonctionner avec un serveur dorsal dont le bon fonctionnement est av\u00e9r\u00e9, m\u00eame si le point de terminaison RPC de la cha\u00eene de blocs est bri\u00e8vement indisponible.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">\u00c9vasion<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<ul>\n<li><span data-contrast=\"auto\">L&#8217;identit\u00e9 visible de l&#8217;extension\u00a0\u2014 une simple application de prise de notes appel\u00e9e \u00ab\u00a0Google Notes\u00a0\u00bb\u00a0\u2014 constitue une couverture plausible en cas d&#8217;examen superficiel de la liste des extensions install\u00e9es.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Les valeurs HMAC recalcul\u00e9es<\/span><span data-contrast=\"auto\"> satisfont aux crit\u00e8res de v\u00e9rification de l&#8217;int\u00e9grit\u00e9 de Chromium, ce qui permet d&#8217;\u00e9viter l&#8217;affichage de la banni\u00e8re d&#8217;avertissement \u00ab\u00a0Extension install\u00e9e \u00e0 partir d&#8217;une source inconnue\u00a0\u00bb qui alerterait l&#8217;utilisateur.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Le programme d&#8217;installation s&#8217;autosupprime apr\u00e8s s&#8217;\u00eatre ex\u00e9cut\u00e9, \u00e9liminant ainsi la trace la plus \u00e9vidente de <\/span><span data-contrast=\"auto\">la compromission initiale sur le disque.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">La r\u00e9solution C2<\/span><span data-contrast=\"auto\"> via une cha\u00eene de blocs publique signifie qu&#8217;aucun domaine C2 persistant n&#8217;est observable dans le paquet du logiciel malveillant lui-m\u00eame\u00a0; les d\u00e9tections bas\u00e9es sur le r\u00e9seau et con\u00e7ues \u00e0 partir d&#8217;indicateurs cod\u00e9s en dur ne se d\u00e9clencheront pas tant que le domaine n&#8217;aura pas \u00e9t\u00e9 r\u00e9solu et contact\u00e9.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Les variantes multilingues du programme d&#8217;installation (.NET et Golang) r\u00e9duisent l&#8217;efficacit\u00e9 des signatures des artefacts de compilation et des caract\u00e9ristiques binaires.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Le remplacement dynamique des portefeuilles par adresse signifie que les adresses publi\u00e9es des cybercriminels deviennent rapidement obsol\u00e8tes et ne se transforment pas en entr\u00e9es durables dans les listes noires\u00a0\u2014 l&#8217;\u00e9quipe de s\u00e9curit\u00e9 doit bloquer le service en arri\u00e8re-plan lui-m\u00eame, et non les adresses qu&#8217;il g\u00e9n\u00e8re.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h2><span class=\"TrackedChange SCXW175054041 BCX0\"><span class=\"TextRun SCXW175054041 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW175054041 BCX0\" data-ccp-parastyle=\"heading 2\">Logique de substitution des portefeuilles<\/span><\/span><\/span><span class=\"EOP Selected SCXW175054041 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">La logique du clipper repose sur deux couches\u00a0: une couche \u00ab\u00a0contenu-script\u00a0\u00bb qui surveille l&#8217;activit\u00e9 du presse-papiers et les champs de saisie DOM sur toutes les adresses d&#8217;origine visit\u00e9es, et une couche d&#8217;arri\u00e8re-plan qui communique avec le serveur dorsal du cybercriminel pour r\u00e9cup\u00e9rer les adresses de remplacement.<\/span><\/p>\n<p><span data-contrast=\"auto\">Lorsque l&#8217;extension d\u00e9tecte un \u00e9v\u00e9nement de copie, elle applique au contenu du presse-papiers un ensemble d&#8217;expressions r\u00e9guli\u00e8res sp\u00e9cifiques aux cryptomonnaies. Si une correspondance est trouv\u00e9e, l&#8217;adresse intercept\u00e9e est transmise au serveur dorsal<\/span><span data-contrast=\"auto\"> du cybercriminel via une requ\u00eate authentifi\u00e9e (l&#8217;authentification s&#8217;effectuant \u00e0 l&#8217;aide de la cl\u00e9 API int\u00e9gr\u00e9e \u00e0 la configuration). Le serveur dorsal r\u00e9pond en fournissant une adresse de remplacement sp\u00e9cifique \u00e0 l&#8217;adresse d&#8217;origine envoy\u00e9e. L&#8217;adresse de remplacement est alors r\u00e9\u00e9crite dans le presse-papiers, \u00e9crasant ainsi l&#8217;adresse l\u00e9gitime avant que la victime n&#8217;ait le temps de la coller.<\/span><\/p>\n<p><span data-contrast=\"auto\">Des tests effectu\u00e9s sur un client dorsal reconstitu\u00e9\u00a0\u2014 cr\u00e9\u00e9 en r\u00e9impl\u00e9mentant en Python le format de requ\u00eate et la logique de d\u00e9codage des r\u00e9ponses de l&#8217;extension\u00a0\u2014 ont permis de mettre en \u00e9vidence un profil comportemental r\u00e9v\u00e9lateur\u00a0:<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">Bitcoin<\/span><\/b><b><span data-contrast=\"auto\"> (BTC), Ethereum, Bitcoin Cash, Ripple et Dash\u00a0: <\/span><\/b><span data-contrast=\"auto\">chaque adresse fournie est associ\u00e9e \u00e0 une adresse unique contr\u00f4l\u00e9e par le cybercriminel. Chaque fois que la m\u00eame adresse originale est envoy\u00e9e, la m\u00eame adresse de remplacement est renvoy\u00e9e, ce qui indique l&#8217;existence d&#8217;une correspondance d\u00e9terministe un-\u00e0-un g\u00e9r\u00e9e c\u00f4t\u00e9 serveur.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Solana\u00a0: <\/span><\/b><span data-contrast=\"auto\">toutes les adresses soumises se r\u00e9sument \u00e0 une seule adresse du cybercriminel, ce qui sugg\u00e8re que la fonctionnalit\u00e9 de mise en correspondance par victime est impl\u00e9ment\u00e9e de mani\u00e8re s\u00e9lective selon la cha\u00eene<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h2><span class=\"TextRun SCXW166026346 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SpellingErrorV2Themed SCXW166026346 BCX0\" data-ccp-parastyle=\"heading 2\">Analyse<\/span><span class=\"NormalTextRun SCXW166026346 BCX0\" data-ccp-parastyle=\"heading 2\"> des portefeuilles cryptographiques du cybercriminel<\/span><\/span><span class=\"EOP Selected SCXW166026346 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">\u00c0 partir des fragments de code de l&#8217;extension Web charg\u00e9e de r\u00e9cup\u00e9rer les adresses de remplacement, un script Python a \u00e9t\u00e9 \u00e9labor\u00e9 afin d&#8217;extraire par programmation les adresses de portefeuilles du cybercriminel. La charge virale a \u00e9t\u00e9 con\u00e7ue \u00e0 partir du code du cybercriminel lui-m\u00eame, et le fragment de code \u00ab\u00a0get replacement address\u00a0\u00bb en a \u00e9t\u00e9 directement extrait. La logique utilis\u00e9e par le cybercriminel pour d\u00e9coder les donn\u00e9es re\u00e7ues du serveur C2 a \u00e9galement \u00e9t\u00e9 reproduite fid\u00e8lement dans le script.<\/span><\/p>\n<p><span data-contrast=\"auto\">Le script a ensuite \u00e9t\u00e9 ex\u00e9cut\u00e9 \u00e0 l&#8217;aide de quelques adresses de portefeuilles Bitcoin (BTC) de test. Les r\u00e9sultats ont montr\u00e9 que, pour chaque adresse Bitcoin fournie, une adresse Bitcoin unique \u00e9tait renvoy\u00e9e en r\u00e9ponse, et que toutes les adresses renvoy\u00e9es correspondaient \u00e0 des portefeuilles BTC valides. Cela signifie que, pour chaque adresse BTC fournie, le cybercriminel g\u00e9n\u00e8re dynamiquement un nouveau portefeuille li\u00e9 \u00e0 cette adresse sp\u00e9cifique. De plus, lorsque cette m\u00eame adresse a \u00e9t\u00e9 fournie \u00e0 nouveau, la m\u00eame adresse BTC a \u00e9t\u00e9 renvoy\u00e9e, ce qui confirme que <\/span><b><span data-contrast=\"auto\">chaque adresse BTC d&#8217;une victime est associ\u00e9e de mani\u00e8re d\u00e9terministe \u00e0 une adresse sp\u00e9cifique unique contr\u00f4l\u00e9e par le cybercriminel<\/span><\/b><span data-contrast=\"auto\">. Si certains de ces portefeuilles appartenant au cybercriminel contenaient des fonds et d&#8217;autres \u00e9taient vides, le nombre total inconnu de ces portefeuilles rend difficile toute estimation fiable du montant total de cryptomonnaie qui a \u00e9t\u00e9 vol\u00e9.<\/span><\/p>\n<p><span data-contrast=\"auto\">Le m\u00eame comportement a \u00e9t\u00e9 observ\u00e9 pour Ethereum, pour lequel des adresses de portefeuilles diff\u00e9rentes ont \u00e9t\u00e9 renvoy\u00e9es pour chaque entr\u00e9e. Il est int\u00e9ressant de noter que, lorsque le script a \u00e9t\u00e9 test\u00e9 avec des adresses Solana, une seule adresse a \u00e9t\u00e9 renvoy\u00e9e, quel que soit le nombre d&#8217;entr\u00e9es diff\u00e9rentes fournies. Cela semble indiquer que le cybercriminel a mis en place la fonctionnalit\u00e9 de mappage par adresse uniquement pour certaines cryptomonnaies, tandis que pour d&#8217;autres, il utilise un seul portefeuille de collecte statique. Comme l&#8217;adresse Solana est commune \u00e0 toutes les victimes, une augmentation notable de son solde est observ\u00e9e. Par ailleurs, il s&#8217;est av\u00e9r\u00e9 que l&#8217;une des adresses Ethereum identifi\u00e9es d\u00e9tenait des fonds pour un montant d&#8217;environ 1\u00a0902\u00a0USD.<\/span><\/p>\n<p><span data-contrast=\"auto\">En r\u00e9sum\u00e9, les <strong>cryptomonnaies<\/strong> pour lesquelles des adresses de portefeuilles uniques sont g\u00e9n\u00e9r\u00e9es pour chaque victime<strong> sont notamment le Bitcoin, l&#8217;Ethereum, le Bitcoin Cash, le Ripple et le Dash.<\/strong><\/span><strong>\u00a0<\/strong><\/p>\n<figure id=\"attachment_232098\" aria-describedby=\"caption-attachment-232098\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232098\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1024x455.png\" alt=\"Figure\u00a013. La charge virale a \u00e9t\u00e9 con\u00e7ue comme un code malveillant. \" width=\"1024\" height=\"455\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1024x455.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-300x133.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-768x342.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1536x683.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-205x91.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232098\" class=\"wp-caption-text\"><em>Figure 13. La charge virale a \u00e9t\u00e9 con\u00e7ue comme un code malveillant.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232113\" aria-describedby=\"caption-attachment-232113\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232113\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1024x426.png\" alt=\"Figure\u00a014. Fragment de code permettant dobtenir ladresse de remplacement, tir\u00e9 du code du cybercriminel \" width=\"1024\" height=\"426\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1024x426.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-300x125.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-768x319.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1536x638.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-205x85.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232113\" class=\"wp-caption-text\"><em>Figure\u00a014. Fragment de code permettant d&#8217;obtenir l&#8217;adresse de remplacement, tir\u00e9 du code du cybercriminel<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232128\" aria-describedby=\"caption-attachment-232128\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232128\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1024x353.png\" alt=\"Figure\u00a015. La logique utilis\u00e9e par le cybercriminel pour d\u00e9coder les donn\u00e9es re\u00e7ues du serveur C2 a \u00e9galement \u00e9t\u00e9 impl\u00e9ment\u00e9e. \" width=\"1024\" height=\"353\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1024x353.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-300x103.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-768x265.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1536x530.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-205x71.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232128\" class=\"wp-caption-text\">Figure\u00a015. La logique utilis\u00e9e par le cybercriminel pour d\u00e9coder les donn\u00e9es re\u00e7ues du serveur C2 a \u00e9galement \u00e9t\u00e9 impl\u00e9ment\u00e9e.<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW94149359 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW94149359 BCX0\">Ex\u00e9cution<\/span><span class=\"NormalTextRun SCXW94149359 BCX0\"> du script avec quelques adresses tests de portefeuilles Bitcoin<\/span><\/span><\/p>\n<figure id=\"attachment_232143\" aria-describedby=\"caption-attachment-232143\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232143\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1024x977.png\" alt=\"Figure\u00a016. Pour chaque adresse Bitcoin, une adresse Bitcoin unique a \u00e9t\u00e9 renvoy\u00e9e, et toutes les adresses sont des adresses de portefeuilles BTC valides. \" width=\"1024\" height=\"977\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1024x977.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-300x286.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-768x733.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1536x1466.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-135x129.png 135w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM.png 1670w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232143\" class=\"wp-caption-text\"><em>Figure\u00a016. Pour chaque adresse Bitcoin, une adresse Bitcoin unique a \u00e9t\u00e9 renvoy\u00e9e, et toutes les adresses sont des adresses de portefeuilles BTC valides.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232161\" aria-describedby=\"caption-attachment-232161\" style=\"width: 992px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-232161\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM.png\" alt=\"Figure\u00a017. De m\u00eame, des adresses uniques ont \u00e9t\u00e9 utilis\u00e9es pour Ethereum.\" width=\"992\" height=\"966\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM.png 992w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-300x292.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-768x748.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-132x129.png 132w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-48x48.png 48w\" sizes=\"auto, (max-width: 992px) 100vw, 992px\" \/><figcaption id=\"caption-attachment-232161\" class=\"wp-caption-text\"><em>Figure\u00a017. De m\u00eame, des adresses uniques ont \u00e9t\u00e9 utilis\u00e9es pour Ethereum.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232176\" aria-describedby=\"caption-attachment-232176\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232176\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-1024x766.png\" alt=\"Figure\u00a018. Ex\u00e9cution du script pour les adresses tests Solana \" width=\"1024\" height=\"766\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-1024x766.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-300x224.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-768x575.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-172x129.png 172w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM.png 1064w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232176\" class=\"wp-caption-text\">Figure\u00a018. Ex\u00e9cution du script pour les adresses tests Solana<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW7609193 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW7609193 BCX0\">Heureusement, pour Solana, nous n&#8217;obtenons qu&#8217;une seule adresse <\/span><span class=\"NormalTextRun SCXW7609193 BCX0\">lorsque plusieurs <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW7609193 BCX0\">adresses sont fournies<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW7609193 BCX0\">. <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW7609193 BCX0\">Cela<\/span><span class=\"NormalTextRun SCXW7609193 BCX0\"> indique<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW7609193 BCX0\"> que le cybercriminel n&#8217;a impl\u00e9ment\u00e9 la fonctionnalit\u00e9 de mappage d&#8217;adresses<\/span><span class=\"NormalTextRun SCXW7609193 BCX0\"> que pour certaines cryptomonnaies sp\u00e9cifiques.<\/span><\/span><span class=\"EOP Selected SCXW7609193 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<figure id=\"attachment_232191\" aria-describedby=\"caption-attachment-232191\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232191\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-1024x401.png\" alt=\"Figure\u00a019. Vous pouvez voir ici une hausse du montant du solde.\" width=\"1024\" height=\"401\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-1024x401.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-768x301.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-205x80.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM.png 1250w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232191\" class=\"wp-caption-text\"><em>Figure\u00a019. Vous pouvez voir ici une hausse du montant du solde.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232206\" aria-describedby=\"caption-attachment-232206\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232206\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-1024x580.png\" alt=\"Figure\u00a020. Ladresse ETH pr\u00e9sentait un solde de 1\u00a0902\u00a0USD. \" width=\"1024\" height=\"580\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-1024x580.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-300x170.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-768x435.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-205x116.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM.png 1310w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232206\" class=\"wp-caption-text\"><em>Figure\u00a020. L&#8217;adresse ETH pr\u00e9sentait un solde de 1\u00a0902\u00a0USD.<\/em><\/figcaption><\/figure>\n<h3><span class=\"TextRun SCXW154641437 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\">Analyse technique <\/span><span class=\"NormalTextRun SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\">du fichier<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\">.net<\/span><span class=\"NormalTextRun SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\"> (programme d&#8217;installation de l&#8217;extension)<\/span><\/span><span class=\"EOP Selected SCXW154641437 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_232222\" aria-describedby=\"caption-attachment-232222\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232222\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-1024x817.png\" alt=\"Figure\u00a021. BaseZipInstaller est un programme dinstallation .NET non sign\u00e9. \" width=\"1024\" height=\"817\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-1024x817.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-300x239.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-768x613.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-162x129.png 162w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232222\" class=\"wp-caption-text\"><em>Figure\u00a021. BaseZipInstaller est un programme d&#8217;installation .NET non sign\u00e9.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232237\" aria-describedby=\"caption-attachment-232237\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232237\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-1024x485.png\" alt=\"Figure\u00a022. Configuration enregistr\u00e9e telle quelle appara\u00eet dans Dnspy\" width=\"1024\" height=\"485\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-1024x485.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-300x142.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-768x364.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-205x97.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM.png 1274w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232237\" class=\"wp-caption-text\"><em>Figure 22. Configuration enregistr\u00e9e telle qu&#8217;elle appara\u00eet dans Dnspy<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Le logiciel malveillant int\u00e8gre un fichier JSON de configuration complet directement dans le fichier binaire, ce qui lui \u00e9vite de devoir r\u00e9cup\u00e9rer les donn\u00e9es de configuration initiales aupr\u00e8s de sources externes.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Cette configuration int\u00e9gr\u00e9e comprend des renseignements essentiels tels que les cl\u00e9s API, l&#8217;URL du serveur dorsal, les extensions de portefeuille cibl\u00e9es, ainsi que le manifeste complet de l&#8217;extension avec des autorisations \u00e9tendues.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232252\" aria-describedby=\"caption-attachment-232252\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232252\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-1024x404.png\" alt=\"Figure\u00a023. Fonction principale \u00e0 partir de laquelle lex\u00e9cution commence \" width=\"1024\" height=\"404\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-1024x404.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-768x303.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232252\" class=\"wp-caption-text\"><em>Figure\u00a023. Fonction principale \u00e0 partir de laquelle l&#8217;ex\u00e9cution commence<\/em><\/figcaption><\/figure>\n<ul>\n<li><span class=\"TextRun SCXW122609328 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW122609328 BCX0\">Le programme d&#8217;installation r\u00e9cup\u00e8re et <\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">valide<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\"> une archive ZIP distante<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\"> (google-services<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">[<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">.<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">]<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">cc\/base<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">[<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">.<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">]<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">zip)<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">, qui sert de charge virale principale pour le d\u00e9ploiement de l&#8217;extension de navigateur malveillante, marquant ainsi le passage de l&#8217;infection <\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">initiale<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\"> \u00e0 la compromission au niveau du navigateur.<\/span><\/span><span class=\"EOP Selected SCXW122609328 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232267\" aria-describedby=\"caption-attachment-232267\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232267\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-1024x367.png\" alt=\"Figure\u00a024. Lextension est cr\u00e9\u00e9e \u00e0 lemplacement suivant dans le syst\u00e8me, avec des fichiers t\u00e9l\u00e9charg\u00e9s sous le nom base.zip.\" width=\"1024\" height=\"367\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-1024x367.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-300x107.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-768x275.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-205x73.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM.png 1284w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232267\" class=\"wp-caption-text\"><em>Figure 24. L&#8217;extension est cr\u00e9\u00e9e \u00e0 l&#8217;emplacement suivant dans le syst\u00e8me, avec des fichiers t\u00e9l\u00e9charg\u00e9s sous le nom base.zip.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232282\" aria-describedby=\"caption-attachment-232282\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232282\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-1024x460.png\" alt=\"Figure\u00a025. Dnspy affichant la liste des navigateurs cibl\u00e9s\" width=\"1024\" height=\"460\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-1024x460.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-300x135.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-768x345.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-205x92.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232282\" class=\"wp-caption-text\"><em>Figure\u00a025. Dnspy affichant la liste des navigateurs cibl\u00e9s<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Le programme d&#8217;installation passe en revue plusieurs navigateurs bas\u00e9s sur Chromium, notamment Chrome, Edge, Opera et Brave, afin d&#8217;identifier les profils utilisateur disponibles sur le syst\u00e8me.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">\u00c0 chaque profil d\u00e9tect\u00e9, le logiciel malveillant ferme de force le processus du navigateur afin de modifier en toute s\u00e9curit\u00e9 les fichiers de configuration sans subir d&#8217;interf\u00e9rence.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il injecte ensuite l&#8217;extension malveillante en modifiant directement les fichiers Secure Preferences et Preferences, ce qui permet \u00e0 l&#8217;extension d&#8217;\u00eatre charg\u00e9e sans intervention de l&#8217;utilisateur.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<div class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-image-missing-alt aligncenter wp-image-232298 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-1024x637.png\" alt=\"plus de code\" width=\"1024\" height=\"637\" data-warning=\"Missing alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-1024x637.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-300x187.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-768x478.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-205x127.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div>\n<ul>\n<li><span data-contrast=\"auto\">Le logiciel malveillant identifie les chemins d&#8217;installation des navigateurs en interrogeant les r\u00e9pertoires syst\u00e8me standard, ce qui lui permet de localiser les dossiers de donn\u00e9es utilisateur dans Chrome, Edge, Opera et Brave.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il r\u00e9pertorie syst\u00e9matiquement les profils de navigateur et recherche sp\u00e9cifiquement la pr\u00e9sence du fichier Secure Preferences, qui stocke des donn\u00e9es essentielles sur la configuration du navigateur et ses extensions.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">En ciblant des profils \u00e0 l&#8217;aide du fichier Secure Preferences, le logiciel malveillant s&#8217;assure de ne modifier que des environnements de navigateur valides, ce qui accro\u00eet la fiabilit\u00e9 de l&#8217;injection d&#8217;extensions.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232313\" aria-describedby=\"caption-attachment-232313\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232313\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-1024x208.png\" alt=\"Nous pouvons voir l\u00e9v\u00e9nement WriteFile dans le fichier Secure Preferences de Chrome et de Microsoft Edge lorsque les d\u00e9tails de lextension t\u00e9l\u00e9charg\u00e9e sont enregistr\u00e9s dans ces fichiers de configuration. \" width=\"1024\" height=\"208\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-1024x208.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-300x61.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-768x156.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-205x42.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM.png 1140w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232313\" class=\"wp-caption-text\"><em>Nous pouvons voir l&#8217;\u00e9v\u00e9nement WriteFile dans le fichier Secure Preferences de Chrome et de Microsoft Edge lorsque les d\u00e9tails de l&#8217;extension t\u00e9l\u00e9charg\u00e9e sont enregistr\u00e9s dans ces fichiers de configuration.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232328\" aria-describedby=\"caption-attachment-232328\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232328\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-1024x403.png\" alt=\"Figure\u00a027. Logique suivie par le cybercriminel pour resigner les fichiers Secure Preferences\" width=\"1024\" height=\"403\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-1024x403.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-768x302.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM.png 1276w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232328\" class=\"wp-caption-text\"><em>Figure\u00a027. Logique suivie par le cybercriminel pour resigner les fichiers Secure Preferences<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Le logiciel malveillant lit et modifie le fichier Secure Preferences du navigateur, qui g\u00e8re les extensions install\u00e9es et leur niveau de confiance.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il injecte l&#8217;extension malveillante dans la configuration et tente de resigner les donn\u00e9es modifi\u00e9es, de fa\u00e7on \u00e0 ce que les modifications apparaissent comme l\u00e9gitimes lors des contr\u00f4les d&#8217;int\u00e9grit\u00e9 du navigateur.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">La configuration mise \u00e0 jour est ensuite r\u00e9\u00e9crite sur le disque, ce qui garantit que l&#8217;extension se charge automatiquement et reste active m\u00eame apr\u00e8s le red\u00e9marrage du navigateur.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232343\" aria-describedby=\"caption-attachment-232343\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232343\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-1024x156.png\" alt=\"Figure\u00a027B. Le chemin dacc\u00e8s \u00e0 lextension est ajout\u00e9 au fichier Secure Preferences de Chrome.\" width=\"1024\" height=\"156\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-1024x156.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-300x46.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-768x117.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-205x31.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM.png 1158w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232343\" class=\"wp-caption-text\"><em>Figure 27B. Le chemin d&#8217;acc\u00e8s \u00e0 l&#8217;extension est ajout\u00e9 au fichier Secure Preferences de Chrome.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232358\" aria-describedby=\"caption-attachment-232358\" style=\"width: 968px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-232358\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM.png\" alt=\"Figure\u00a028. Logique permettant de contourner les d\u00e9fenses du navigateur Brave \" width=\"968\" height=\"560\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM.png 968w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-300x174.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-768x444.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-205x119.png 205w\" sizes=\"auto, (max-width: 968px) 100vw, 968px\" \/><figcaption id=\"caption-attachment-232358\" class=\"wp-caption-text\"><em>Figure\u00a028. Logique permettant de contourner les d\u00e9fenses du navigateur Brave<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Dans le cas de navigateurs tels que Brave et Opera, le logiciel malveillant injecte l&#8217;extension malveillante directement dans la configuration du navigateur en ajoutant des entr\u00e9es dans la section extensions.settings (ou extensions.opsettings).\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il met \u00e9galement \u00e0 jour les champs li\u00e9s \u00e0 l&#8217;int\u00e9grit\u00e9 (protection.macs) afin que l&#8217;extension inject\u00e9e soit consid\u00e9r\u00e9e comme fiable par le navigateur.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">De plus, le logiciel malveillant tente d&#8217;activer le mode d\u00e9veloppeur par programmation, de fa\u00e7on \u00e0 permettre aux extensions d\u00e9compress\u00e9es de s&#8217;ex\u00e9cuter avec moins de restrictions.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232373\" aria-describedby=\"caption-attachment-232373\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232373\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-1024x704.png\" alt=\"Figure\u00a029. Logique suivie par le cybercriminel pour obtenir lidentifiant de lappareil utilis\u00e9 pour calculer ensuite les valeurs dint\u00e9grit\u00e9 \" width=\"1024\" height=\"704\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-1024x704.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-300x206.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-768x528.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-188x129.png 188w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM.png 1272w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232373\" class=\"wp-caption-text\"><em>Figure\u00a029. Logique suivie par le cybercriminel pour obtenir l&#8217;identifiant de l&#8217;appareil utilis\u00e9 pour calculer ensuite les valeurs d&#8217;int\u00e9grit\u00e9<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Le logiciel malveillant tente de recalculer les signatures d&#8217;int\u00e9grit\u00e9 du navigateur en g\u00e9n\u00e9rant de nouvelles valeurs MAC (Message Authentication Code) pour le fichier Secure Preferences modifi\u00e9.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il utilise des identifiants propres au syst\u00e8me, tels que le SID de la machine, combin\u00e9s \u00e0 une valeur de d\u00e9part afin de reproduire le m\u00e9canisme de v\u00e9rification interne de Chrome.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">En recalculant ces contr\u00f4les d&#8217;int\u00e9grit\u00e9 (macs et super_mac), le logiciel malveillant tente de faire passer ses modifications non autoris\u00e9es pour des modifications l\u00e9gitimes aupr\u00e8s du navigateur.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232388\" aria-describedby=\"caption-attachment-232388\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232388\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-1024x507.png\" alt=\"Figure\u00a030. Logique dautosuppression\" width=\"1024\" height=\"507\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-1024x507.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-300x149.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-768x380.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-205x102.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM.png 1252w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232388\" class=\"wp-caption-text\"><em>Figure 30. Logique d&#8217;autosuppression<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Le logiciel malveillant int\u00e8gre un m\u00e9canisme d&#8217;autosuppression con\u00e7u pour supprimer le fichier ex\u00e9cutable du programme d&#8217;installation une fois celui-ci ex\u00e9cut\u00e9 avec succ\u00e8s.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Il lance un processus d&#8217;invite de commande cach\u00e9 qui retarde bri\u00e8vement l&#8217;ex\u00e9cution avant de supprimer le fichier d&#8217;origine du disque.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Conclusion<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Cette campagne illustre clairement la direction que prend le vol de cryptomonnaies ciblant les particuliers. Le cybercriminel s&#8217;est appuy\u00e9 sur la cat\u00e9gorie la plus ancienne et la plus simple de logiciel malveillant cryptographique\u00a0\u2014 le clipper\u00a0\u2014 et a discr\u00e8tement renforc\u00e9 trois de ses maillons les plus faibles. Les adresses statiques du cybercriminel ont \u00e9t\u00e9 remplac\u00e9es par un mappage sp\u00e9cifique \u00e0 chaque victime c\u00f4t\u00e9 serveur. Les domaines de commande et de contr\u00f4le, fragiles et cod\u00e9s en dur, ont \u00e9t\u00e9 remplac\u00e9s par une recherche bas\u00e9e sur la cha\u00eene de blocs, que le cybercriminel peut modifier \u00e0 l&#8217;aide d&#8217;une seule transaction. Enfin, un injecteur vuln\u00e9rable a \u00e9t\u00e9 remplac\u00e9 par une extension Chromium int\u00e9gr\u00e9e \u00e0 l&#8217;application \u00e0 laquelle l&#8217;utilisateur fait le plus confiance, charg\u00e9e sous la signature d&#8217;int\u00e9grit\u00e9 propre au navigateur.<\/span><\/p>\n<p><span data-contrast=\"auto\"><strong>McAfee continuera \u00e0 surveiller cette campagne et l&#8217;infrastructure associ\u00e9e<\/strong>. Nos clients sont prot\u00e9g\u00e9s par les m\u00e9canismes de d\u00e9tection existants et b\u00e9n\u00e9ficieront de mises \u00e0 jour bas\u00e9es sur la t\u00e9l\u00e9m\u00e9trie \u00e0 mesure que de nouvelles variantes et des infrastructures modifi\u00e9es seront identifi\u00e9es.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun MacChromeBold SCXW61108569 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW61108569 BCX0\" data-ccp-parastyle=\"heading 1\">Indicateurs de compromission<\/span><\/span><span class=\"EOP Selected SCXW61108569 BCX0\" data-ccp-props=\"{\"> (IoC)<\/span><\/h2>\n<table style=\"font-weight: 400;\" data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\" aria-rowcount=\"8\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Type<\/span><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Cat\u00e9gorie<\/span><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Valeur<\/span><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">SHA-256<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Programme d&#8217;installation .NET (BaseZipInstaller)<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">SHA-256<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Variante du programme d&#8217;installation compil\u00e9e en Golang<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962\u2003\u2003<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"auto\">1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d\u2003\u2003<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">URL<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Distribution de la charge virale<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">hxxps:\/\/google-services[.]cc\/base[.]zip<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Domaine<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Commande et contr\u00f4le (g\u00e9r\u00e9 via un contrat intelligent)<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">devops-offensive[.]cc<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">Zebregts[.]com<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Portefeuille BTC<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Portefeuille cryptographique<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"7\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Artefact<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Cible de chargement lat\u00e9ral<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Fichier Secure Preferences de Chromium (profils Chrome, Edge, Brave et Opera)<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"8\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Fichiers d&#8217;extension<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">manifest.json<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">crypto-patterns.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">Interceptor.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">content-script.j<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">cache.js<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">domain-resolver.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">service-worker.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">api-client.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Auteur\u00a0: Neil Tyagi R\u00e9sum\u00e9\u00a0 L&#8217;\u00e9quipe McAfee Advanced Threat Research a identifi\u00e9 une campagne active recourant \u00e0 des extensions de navigateur&#8230;<\/p>\n","protected":false},"author":695,"featured_media":209104,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[13930],"tags":[],"coauthors":[4136],"class_list":["post-232785","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-internet-security"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Silent Swap\u00a0: une campagne par d\u00e9ploiement d&#039;extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb | Blog McAfee<\/title>\n<meta name=\"description\" content=\"McAfee a identifi\u00e9 une campagne active recourant \u00e0 des extensions de navigateur pour voler des cryptomonnaies.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"fr_CA\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Silent Swap\u00a0: une campagne par d\u00e9ploiement d&#039;extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb | Blog McAfee\" \/>\n<meta property=\"og:description\" content=\"McAfee a identifi\u00e9 une campagne active recourant \u00e0 des extensions de navigateur pour voler des cryptomonnaies.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog McAfee\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-07T10:55:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"600\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"\u00c9crit par\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimation du temps de lecture\" \/>\n\t<meta name=\"twitter:data2\" content=\"25 minutes\" \/>\n\t<meta name=\"twitter:label3\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data3\" content=\"McAfee Labs\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Silent Swap\u00a0: une campagne par d\u00e9ploiement d&#8217;extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb\",\"datePublished\":\"2026-07-07T10:55:29+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/\"},\"wordCount\":5265,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\",\"articleSection\":[\"S\u00e9curit\u00e9 Internet\"],\"inLanguage\":\"fr-CA\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/\",\"name\":\"Silent Swap\u00a0: une campagne par d\u00e9ploiement d'extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb | Blog McAfee\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\",\"datePublished\":\"2026-07-07T10:55:29+00:00\",\"description\":\"McAfee a identifi\u00e9 une campagne active recourant \u00e0 des extensions de navigateur pour voler des cryptomonnaies.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#breadcrumb\"},\"inLanguage\":\"fr-CA\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\",\"width\":600,\"height\":400},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"autres blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Silent Swap\u00a0: une campagne par d\u00e9ploiement d&#8217;extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/\",\"name\":\"McAfee Blog\",\"description\":\"Actualit\u00e9s concernant la s\u00e9curit\u00e9 Internet\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"fr-CA\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-CA\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/fr-ca\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Silent Swap\u00a0: une campagne par d\u00e9ploiement d'extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb | Blog McAfee","description":"McAfee a identifi\u00e9 une campagne active recourant \u00e0 des extensions de navigateur pour voler des cryptomonnaies.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"fr_CA","og_type":"article","og_title":"Silent Swap\u00a0: une campagne par d\u00e9ploiement d'extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb | Blog McAfee","og_description":"McAfee a identifi\u00e9 une campagne active recourant \u00e0 des extensions de navigateur pour voler des cryptomonnaies.","og_url":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/","og_site_name":"Blog McAfee","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2026-07-07T10:55:29+00:00","og_image":[{"width":600,"height":400,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"\u00c9crit par":"McAfee Labs","Estimation du temps de lecture":"25 minutes","Written by":"McAfee Labs"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Silent Swap\u00a0: une campagne par d\u00e9ploiement d&#8217;extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb","datePublished":"2026-07-07T10:55:29+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/"},"wordCount":5265,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","articleSection":["S\u00e9curit\u00e9 Internet"],"inLanguage":"fr-CA"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/","url":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/","name":"Silent Swap\u00a0: une campagne par d\u00e9ploiement d'extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb | Blog McAfee","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","datePublished":"2026-07-07T10:55:29+00:00","description":"McAfee a identifi\u00e9 une campagne active recourant \u00e0 des extensions de navigateur pour voler des cryptomonnaies.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#breadcrumb"},"inLanguage":"fr-CA","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/"]}]},{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","width":600,"height":400},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/internet-security\/crypto-clipper-portefeuille-substitution-navigateur-extension-logiciel-malveillant\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/"},{"@type":"ListItem","position":2,"name":"autres blogs","item":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Silent Swap\u00a0: une campagne par d\u00e9ploiement d&#8217;extensions de type \u00ab\u00a0crypto clipper\u00a0\u00bb"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#website","url":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/","name":"McAfee Blog","description":"Actualit\u00e9s concernant la s\u00e9curit\u00e9 Internet","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"fr-CA"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/","logo":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"fr-CA","@id":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/posts\/232785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/comments?post=232785"}],"version-history":[{"count":3,"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/posts\/232785\/revisions"}],"predecessor-version":[{"id":232793,"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/posts\/232785\/revisions\/232793"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/media\/209104"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/media?parent=232785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/categories?post=232785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/tags?post=232785"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/fr-ca\/wp-json\/wp\/v2\/coauthors?post=232785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}