{"id":232868,"date":"2026-07-17T06:03:57","date_gmt":"2026-07-17T13:03:57","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=232868"},"modified":"2026-07-17T06:18:49","modified_gmt":"2026-07-17T13:18:49","slug":"malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/","title":{"rendered":"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper"},"content":{"rendered":"<p style=\"text-align: center;\"><em>Por por Neil Tyagi<\/em><\/p>\n<h2><b><span data-contrast=\"none\">Resumo executivo<\/span><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">A equipe da McAfee Advanced Threat Research\u00a0identificou\u00a0<strong>uma campanha ativa de extens\u00f5es maliciosas de navegador projetada para roubar criptomoedas, substituindo discretamente endere\u00e7os de carteiras no momento em que o usu\u00e1rio\u00a0inicia\u00a0uma transa\u00e7\u00e3o<\/strong>. A campanha \u00e9 executada por meio de instaladores n\u00e3o assinados \u2014\u00a0encontrados\u00a0nas vers\u00f5es .NET e Golang \u2014 que instalam uma extens\u00e3o maliciosa do Chromium disfar\u00e7ada como um utilit\u00e1rio inofensivo chamado \u201cGoogle Notes\u201d.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Esta campanha est\u00e1 relacionada a\u00a0um blog\u00a0publicado anteriormente pelo\u00a0McAfee\u00a0Labs,\u00a0<\/span><a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\"><i><span data-contrast=\"none\">Sinkholing CountLoader: Insights into Its Recent Campaign<\/span><\/i><span data-contrast=\"none\">,<\/span><\/a><span data-contrast=\"auto\"> j\u00e1 que o autor da amea\u00e7a parece ser o mesmo por tr\u00e1s de<\/span><span data-contrast=\"auto\">\u00a0ambas\u00a0<\/span><span data-contrast=\"auto\">as opera\u00e7\u00f5es<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0Na pesquisa anterior,\u00a0analisamos\u00a0uma carga \u00fatil de crypto clipper injetada diretamente na\u00a0mem\u00f3ria. este artigo, examinamos uma variante diferente da carga \u00fatil do est\u00e1gio final: uma extens\u00e3o maliciosa baseada em navegador, projetada para interceptar e manipular transa\u00e7\u00f5es de criptomoedas.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Neste relat\u00f3rio, detalhamos como a extens\u00e3o\u00a0opera\u00a0e apresentamos uma an\u00e1lise t\u00e9cnica dos mecanismos que tornam essa amea\u00e7a particularmente\u00a0\u00fanica. A\u00a0extens\u00e3o se comporta como um crypto clipper que monitora a \u00e1rea de transfer\u00eancia: ela\u00a0monitora\u00a0atividades de copiar e colar,\u00a0identifica\u00a0endere\u00e7os de carteiras em m\u00faltiplas blockchains e os substitui por endere\u00e7os controlados pelo invasor imediatamente antes de a v\u00edtima colar\u00a0o conte\u00fado. Como a maioria\u00a0das transa\u00e7\u00f5es em blockchain \u00e9 irrevers\u00edvel, basta\u00a0uma \u00fanica execu\u00e7\u00e3o ininterrupta para causar\u00a0perda financeira permanente.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Duas caracter\u00edsticas fazem com que esta campanha se destaque em rela\u00e7\u00e3o \u00e0 amea\u00e7a t\u00edpica de clippers:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ol>\n<li><b><span data-contrast=\"auto\">Abuso da camada de confian\u00e7a do Chromium.<\/span><\/b><b><span data-contrast=\"auto\">\u00a0<\/span><\/b><span data-contrast=\"auto\">O instalador for\u00e7a secretamente uma extens\u00e3o maliciosa de navegador em navegadores baseados em Chromium, como Google Chrome, Brave e Microsoft Edge, modificando\u00a0arquivos\u00a0de configura\u00e7\u00f5es protegidos do navegador. Normalmente, esses navegadores armazenam dados de verifica\u00e7\u00e3o de seguran\u00e7a (valores de hash\/HMAC) junto com configura\u00e7\u00f5es confidenciais para detectar altera\u00e7\u00f5es n\u00e3o autorizadas<\/span><b><span data-contrast=\"auto\">.<\/span><\/b><b><span data-contrast=\"auto\">\u00a0<\/span><\/b><span data-contrast=\"auto\">O malware recalcula e atualiza esses valores de seguran\u00e7a depois de adulterar os arquivos, fazendo com que o navegador acredite que a extens\u00e3o maliciosa foi instalada de forma leg\u00edtima. Isso permite que a extens\u00e3o ignore o processo normal de instala\u00e7\u00e3o da loja de extens\u00f5es e seja carregada automaticamente, sem a aprova\u00e7\u00e3o do usu\u00e1rio. No entanto, nas vers\u00f5es atualizadas dos navegadores Chrome e Edge, a v\u00edtima precisa ativar manualmente o modo de desenvolvedor para que a extens\u00e3o seja carregada corretamente; j\u00e1 quem usa vers\u00f5es desatualizadas de navegadores baseados no Chromium continua correndo um risco alto. Al\u00e9m disso, mesmo nas vers\u00f5es mais recentes, os invasores podem empregar t\u00e1ticas de engenharia social para ativar o modo de desenvolvedor.<\/span><\/li>\n<li><span data-contrast=\"auto\"><strong>Comando e controle resolvidos por blockchain<\/strong>. A extens\u00e3o n\u00e3o\u00a0cont\u00e9m\u00a0um dom\u00ednio de C2 (comando e controle) embutido no c\u00f3digo. Em vez disso, ela consulta um endpoint RPC p\u00fablico de blockchain, chama um m\u00e9todo de contrato inteligente somente leitura e decodifica a resposta em tempo de execu\u00e7\u00e3o para revelar seu C2 ativo,\u00a0observado no momento da an\u00e1lise como\u00a0<\/span><span data-contrast=\"none\">Zebregts[.]com<\/span><\/li>\n<li><span data-contrast=\"auto\">Essa t\u00e9cnica, frequentemente conhecida como <strong>\u201cEtherHiding,\u201d\u00a0<\/strong>dificulta\u00a0os esfor\u00e7os de\u00a0desarticula\u00e7\u00e3o\u00a0porque o invasor pode rotacionar a infraestrutura atualizando um valor no contrato inteligente, em vez de precisar redistribuir o malware.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span class=\"TextRun SCXW228011278 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW228011278 BCX0\">A telemetria da McAfee\u00a0<\/span><span class=\"NormalTextRun SCXW228011278 BCX0\">indica<\/span><span class=\"NormalTextRun SCXW228011278 BCX0\">\u00a0um alcance de infec\u00e7\u00e3o distribu\u00eddo globalmente, com uma concentra\u00e7\u00e3o acentuada na \u00cdndia. A abrang\u00eancia geogr\u00e1fica sugere um direcionamento oportunista\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW228011278 BCX0\">voltado a<\/span><span class=\"NormalTextRun SCXW228011278 BCX0\">\u00a0usu\u00e1rios comuns de criptomoedas, em vez de uma opera\u00e7\u00e3o espec\u00edfica para uma regi\u00e3o.<\/span><\/span><span class=\"EOP Selected SCXW228011278 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun SCXW20172865 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW20172865 BCX0\" data-ccp-parastyle=\"heading 2\">Distribui\u00e7\u00e3o geogr\u00e1fica\u00a0<\/span><\/span><span class=\"EOP Selected SCXW20172865 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<figure id=\"attachment_231885\" aria-describedby=\"caption-attachment-231885\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231885\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-1024x574.png\" alt=\"Um mapa do mundo mostrando os pa\u00edses impactados por esta amea\u00e7a de ciberseguran\u00e7a.\" width=\"1024\" height=\"574\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-1024x574.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-300x168.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-768x431.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-205x115.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM.png 1462w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231885\" class=\"wp-caption-text\">Nossa pesquisa mostra que essas s\u00e3o as regi\u00f5es mais afetadas do mundo.<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">A an\u00e1lise de telemetria\u00a0<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">indica<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">\u00a0que<strong>\u00a0<\/strong><\/span><\/span><strong><span class=\"TextRun MacChromeBold SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">as infec\u00e7\u00f5es est\u00e3o distribu\u00eddas globalmente<\/span><\/span><\/strong><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">, com uma concentra\u00e7\u00e3o significativamente\u00a0<\/span><\/span><span class=\"TextRun MacChromeBold SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">maior\u00a0<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">observada<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">\u00a0na \u00cdndia<\/span><\/span><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">\u00a0em compara\u00e7\u00e3o com outras regi\u00f5es.\u00a0<\/span><\/span><span class=\"EOP Selected SCXW160185877 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span class=\"TextRun SCXW109407542 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW109407542 BCX0\">A ampla presen\u00e7a geogr\u00e1fica destaca o grande alcance da campanha, o que sugere uma abordagem oportunista, em vez de um ataque direcionado a uma regi\u00e3o espec\u00edfica.<\/span><\/span><span class=\"EOP Selected SCXW109407542 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun SCXW34834531 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW34834531 BCX0\" data-ccp-parastyle=\"heading 2\">A extens\u00e3o maliciosa: \u201cGoogle Notes\u201d<\/span><\/span><span class=\"EOP Selected SCXW34834531 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW148697599 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW148697599 BCX0\">Este malware se disfar\u00e7a como uma\u00a0<\/span><span class=\"NormalTextRun SCXW148697599 BCX0\">extens\u00e3o aparentemente inofensiva<\/span><span class=\"NormalTextRun SCXW148697599 BCX0\">\u00a0do Google Notes.<\/span><\/span><span class=\"EOP Selected SCXW148697599 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231900\" aria-describedby=\"caption-attachment-231900\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231900\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1024x818.png\" alt=\"A extens\u00e3o maliciosa do Google Chrome.\" width=\"1024\" height=\"818\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1024x818.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-300x240.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-768x614.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1536x1228.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-161x129.png 161w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM.png 1554w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231900\" class=\"wp-caption-text\"><em>Figura 1. Essa imagem mostra a extens\u00e3o maliciosa que \u00e9 o foco dessa campanha<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">A extens\u00e3o instalada finge ser um aplicativo de anota\u00e7\u00f5es simples, com apar\u00eancia leg\u00edtima chamado &#8220;Google Notes&#8221;, com um \u00edcone moderno e uma interface funcional e simples. <\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">A estrat\u00e9gia \u00e9 bem planejada: quando um usu\u00e1rio abre a extens\u00e3o manualmente, v\u00ea que ela funciona exatamente como anunciado, o que reduz a desconfian\u00e7a. A l\u00f3gica maliciosa da extens\u00e3o \u00e9 implementada por scripts de conte\u00fado e scripts de service worker em segundo plano que operam totalmente fora do campo de vis\u00e3o da interface do usu\u00e1rio.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">O\u00a0primeiro grande sinal de alerta\u00a0surge durante a instala\u00e7\u00e3o da extens\u00e3o, quando ela\u00a0solicita\u00a0<\/span><\/b><b><span data-contrast=\"auto\">\u00a0permiss\u00f5es<\/span><\/b><b><span data-contrast=\"auto\">\u00a0<\/span><\/b><b><span data-contrast=\"auto\">e<\/span><\/b><b><span data-contrast=\"auto\">\u00a0n\u00edveis de acesso<\/span><\/b><b><span data-contrast=\"auto\">\u00a0incompat\u00edveis com um\u00a0<\/span><\/b><b><span data-contrast=\"auto\">simples\u00a0<\/span><\/b><b><span data-contrast=\"auto\">aplicativo\u00a0de<\/span><\/b><strong>anota\u00e7\u00f5es:<\/strong><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Acesso a todos os\u00a0URLs ,\u00a0permitindo a inje\u00e7\u00e3o de scripts de conte\u00fado em todos os sites visitados pelo usu\u00e1rio.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Acesso ao\u00a0hist\u00f3rico de navega\u00e7\u00e3o.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Acesso de leitura e grava\u00e7\u00e3o \u00e0 \u00e1rea de transfer\u00eancia.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Medidas de mitiga\u00e7\u00e3o e recomenda\u00e7\u00f5es<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Para consumidores<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<ol>\n<li><span data-contrast=\"auto\">Antes de confirmar qualquer transa\u00e7\u00e3o de criptomoeda,\u00a0<\/span><b><span data-contrast=\"auto\">verifique visualmente os primeiros e os \u00faltimos seis caracteres do\u00a0endere\u00e7o\u00a0do destinat\u00e1rio<\/span><\/b><span data-contrast=\"auto\">\u00a0comparando-os com endere\u00e7o original fornecido \u2014 de prefer\u00eancia em um dispositivo separado. \u00a0Esse \u00fanico h\u00e1bito \u00e9 capaz de impedir a grande maioria dos ataques do tipo clipper.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Instale extens\u00f5es de navegador exclusivamente pela loja oficial do Chrome<\/span><\/b><span data-contrast=\"auto\">, pela loja de complementos do Edge ou em plataformas equivalentes. Uma extens\u00e3o que aparece na sua lista de extens\u00f5es instaladas, mas da qual voc\u00ea n\u00e3o se lembra claramente de ter instalado, deve ser considerada suspeita.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Verifique as permiss\u00f5es concedidas a todas as extens\u00f5es instaladas<\/span><\/b><span data-contrast=\"auto\">. Uma ferramenta para anota\u00e7\u00f5es n\u00e3o tem motivo v\u00e1lido para acessar todos os sites, o hist\u00f3rico de navega\u00e7\u00e3o ou\u00a0a \u00e1rea de transfer\u00eancia.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Evite executar arquivos sem assinatura\u00a0<\/span><\/b><span data-contrast=\"auto\">obtidos de fontes n\u00e3o oficiais, principalmente aquelas que oferecem vers\u00f5es gratuitas ou piratas de softwares pagos \u2014 um vetor de distribui\u00e7\u00e3o comum para esse tipo de instalador.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Mantenha a prote\u00e7\u00e3o dos endpoints atualizada e ativada<\/span><\/b><span data-contrast=\"auto\">; os clientes da McAfee est\u00e3o protegidos contra essa campanha espec\u00edfica, conforme descrito abaixo.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ol>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">As solu\u00e7\u00f5es de seguran\u00e7a da McAfee ajudam a proteger os usu\u00e1rios em v\u00e1rios n\u00edveis:<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<h4><b><span data-contrast=\"auto\">1. A McAfee detecta essa amea\u00e7a como CryptoStealer.NE e mant\u00e9m nossos clientes protegidos<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/h4>\n<figure id=\"attachment_231915\" aria-describedby=\"caption-attachment-231915\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-231915\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1024x513.png\" alt=\"Figura 2. Essa imagem mostra o McAfee Antivirus bloqueando essa amea\u00e7a para os consumidores. \" width=\"1024\" height=\"513\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1024x513.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-300x150.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-768x385.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1536x770.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-205x103.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM.png 1608w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231915\" class=\"wp-caption-text\"><em>Figura 2. Essa imagem mostra o McAfee Antivirus bloqueando essa amea\u00e7a para os consumidores.<\/em><\/figcaption><\/figure>\n<h4><b><span data-contrast=\"auto\">2. Prote\u00e7\u00e3o contra downloads maliciosos<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">O\u00a0comportamento\u00a0do instalador \u2014 que baixa e executa cargas \u00fateis remotas \u2014 \u00e9 assinalado e bloqueado\u00a0pela McAfee\u00a0antes que a infec\u00e7\u00e3o seja conclu\u00edda.<\/span><span data-contrast=\"auto\">\u00a0<\/span><span data-contrast=\"auto\">Todos os dom\u00ednios e\u00a0URLs\u00a0maliciosos s\u00e3o bloqueados\u00a0pela McAfee em nossos testes.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h4><b><span data-contrast=\"auto\">3. Prote\u00e7\u00e3o de rede<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">As conex\u00f5es com infraestruturas maliciosas conhecidas (servidores C2) s\u00e3o bloqueadas\u00a0pela McAfee, impedindo a obten\u00e7\u00e3o do endere\u00e7o da carteira<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h4><b><span data-contrast=\"auto\">4. Informa\u00e7\u00f5es sobre amea\u00e7as em tempo real<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">Como essa amea\u00e7a foi\u00a0identificada na telemetria da McAfee, \u00e9 poss\u00edvel implementar rapidamente prote\u00e7\u00f5es para:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><span data-contrast=\"auto\">Bloquear variantes semelhantes<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><span data-contrast=\"auto\">Detectar infraestrutura relacionada<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<ul>\n<li style=\"list-style-type: none;\">\n<ul>\n<li><span data-contrast=\"auto\">Proteger os clientes em todo o mundo<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h1><span class=\"TextRun SCXW230324404 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW230324404 BCX0\" data-ccp-parastyle=\"heading 1\">Como funciona a campanha de amea\u00e7as<\/span><\/span><span class=\"EOP Selected TrackedChange SCXW230324404 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h1>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">O que o malware faz<\/span><span data-ccp-props=\"{\">\u00a0\u00a0<\/span><\/h2>\n<ol>\n<li style=\"list-style-type: none;\">\n<ol>\n<li><span data-contrast=\"auto\">Instala\u00a0uma\u00a0<\/span><span data-contrast=\"auto\">extens\u00e3o\u00a0de navegador\u00a0sem que voc\u00ea perceba (sideloading de extens\u00e3o da Web)<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Monitora o que voc\u00ea copia e cola (principalmente endere\u00e7os de criptomoedas)<\/span><\/li>\n<li><span data-contrast=\"auto\">Atua quando voc\u00ea est\u00e1 fazendo uma transa\u00e7\u00e3o de criptomoeda<\/span><\/li>\n<li><span data-contrast=\"auto\">Substitui discretamente o endere\u00e7o da carteira pelo endere\u00e7o do invasor<\/span><\/li>\n<li><span data-contrast=\"auto\">Seus fundos s\u00e3o enviados para o invasor, em vez de para o destinat\u00e1rio pretendido<\/span><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ol>\n<li style=\"list-style-type: none;\"><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">Como as transa\u00e7\u00f5es de criptomoedas normalmente\u00a0<\/span><b><span data-contrast=\"auto\">n\u00e3o podem ser revertidas<\/span><\/b><span data-contrast=\"auto\">, <strong>as v\u00edtimas podem perder seus fundos permanentemente.<\/strong><\/span> <img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231930\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-1024x849.png\" alt=\"Figura 3. Resumo de como a extens\u00e3o funciona \" width=\"1024\" height=\"849\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-1024x849.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-300x249.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-768x637.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-156x129.png 156w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM.png 1414w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/> <em>Figura 3. Resumo de como a extens\u00e3o funciona<\/em><\/p>\n<h2><span class=\"TextRun SCXW178309168 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW178309168 BCX0\" data-ccp-parastyle=\"heading 2\">Principais capacidades identificadas<\/span><\/span><span class=\"EOP Selected SCXW178309168 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<h3><span class=\"TextRun MacChromeBold SCXW263237166 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW263237166 BCX0\">1. Instala\u00e7\u00e3o da extens\u00e3o sem o conhecimento do usu\u00e1rio <\/span><\/span><span class=\"EOP Selected SCXW263237166 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">O malware n\u00e3o usa a loja oficial do navegador. Em vez disso, ele modifica\u00a0diretamente\u00a0os arquivos do navegador para fazer parecer que a extens\u00e3o est\u00e1 instalada.\u00a0(sideloading de extens\u00e3o do navegador)<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Isso contorna os avisos de seguran\u00e7a convencionais e ocorre sem que o usu\u00e1rio perceba.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231945\" aria-describedby=\"caption-attachment-231945\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231945\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1024x200.png\" alt=\"Figura 4. Registros do Procmon mostrando que o BaseZipInstaller (instalador malicioso da web) est\u00e1 gravando nos arquivos Secure Preferences do Chrome e do Edge \" width=\"1024\" height=\"200\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1024x200.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-300x59.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-768x150.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1536x300.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-205x40.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM.png 1576w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231945\" class=\"wp-caption-text\"><em>Figura 4. Registros do Procmon mostrando que o BaseZipInstaller (instalador malicioso da Web) est\u00e1 gravando nos arquivos Secure Preferences do Chrome e do Edge<\/em><\/figcaption><\/figure>\n<h3><span class=\"TextRun MacChromeBold SCXW45645796 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW45645796 BCX0\">2. Acesso total ao navegador<\/span><\/span><span class=\"EOP Selected SCXW45645796 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_231962\" aria-describedby=\"caption-attachment-231962\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231962\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-1024x403.png\" alt=\"Figura 5. Permiss\u00f5es necess\u00e1rias para a extens\u00e3o do Chrome \" width=\"1024\" height=\"403\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-1024x403.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-768x302.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM.png 1184w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231962\" class=\"wp-caption-text\"><em>Figura 5. Permiss\u00f5es necess\u00e1rias da extens\u00e3o do Chrome<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_231977\" aria-describedby=\"caption-attachment-231977\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231977\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1024x544.png\" alt=\"Figura 6. Arquivo de manifesto da extens\u00e3o da Web \" width=\"1024\" height=\"544\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1024x544.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-300x160.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-768x408.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1536x817.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-205x109.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM.png 1610w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231977\" class=\"wp-caption-text\"><em>Figura 6. Arquivo de manifesto da extens\u00e3o da Web<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">A extens\u00e3o maliciosa pede permiss\u00f5es excessivas, como:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Acesso a todos os sites<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Leitura do hist\u00f3rico de navega\u00e7\u00e3o<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Leitura e\u00a0modifica\u00e7\u00e3o\u00a0do conte\u00fado da\u00a0\u00e1rea de transfer\u00eancia<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3><b><span data-contrast=\"auto\">3. Intercepta\u00e7\u00e3o de endere\u00e7os de criptomoedas<\/span><\/b><\/h3>\n<p><span data-contrast=\"auto\">A extens\u00e3o\u00a0cont\u00e9m\u00a0uma l\u00f3gica capaz de detectar endere\u00e7os de carteiras de v\u00e1rias criptomoedas, incluindo:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231992\" aria-describedby=\"caption-attachment-231992\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231992\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1024x357.png\" alt=\"Figura 7. Regex de criptomoeda codificada e endere\u00e7o de fallback\" width=\"1024\" height=\"357\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1024x357.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-300x104.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-768x268.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1536x535.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-205x71.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM.png 1602w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231992\" class=\"wp-caption-text\"><em>Figura 7. Regex de criptomoeda codificada e endere\u00e7o de fallback<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Os endere\u00e7os de carteira de fallback exibidos no c\u00f3digo n\u00e3o s\u00e3o usados em todas as transa\u00e7\u00f5es; em vez disso, funcionam como um mecanismo de backup quando a recupera\u00e7\u00e3o din\u00e2mica de endere\u00e7os do servidor controlado pelo invasor falha.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Em condi\u00e7\u00f5es normais de funcionamento, a extens\u00e3o busca endere\u00e7os alternativos em um servidor remoto, permitindo a atribui\u00e7\u00e3o din\u00e2mica de carteiras, possivelmente com endere\u00e7os exclusivos para cada v\u00edtima.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Os endere\u00e7os de fallback garantem que o ataque\u00a0permane\u00e7a\u00a0funcional mesmo se a infraestrutura de comando e controle ficar temporariamente indispon\u00edvel ou for bloqueada.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232007\" aria-describedby=\"caption-attachment-232007\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232007\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1024x259.png\" alt=\"Figura 8. Extens\u00e3o maliciosa realizando resolu\u00e7\u00e3o din\u00e2mica de endere\u00e7os de criptomoeda \" width=\"1024\" height=\"259\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1024x259.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-300x76.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-768x194.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1536x389.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-205x52.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232007\" class=\"wp-caption-text\"><em>Figura 8. Extens\u00e3o maliciosa realizando resolu\u00e7\u00e3o din\u00e2mica de endere\u00e7os criptogr\u00e1ficos<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Essa fun\u00e7\u00e3o\u00a0\u00e9 respons\u00e1vel por\u00a0obter o endere\u00e7o de carteira de substitui\u00e7\u00e3o controlado pelo invasor correspondente ao endere\u00e7o original da v\u00edtima.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ela envia o endere\u00e7o de carteira interceptado para o back-end do invasor e usa a resposta para substituir dinamicamente o endere\u00e7o original.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Se a solicita\u00e7\u00e3o ao backend falhar, a fun\u00e7\u00e3o recorre a um endere\u00e7o de carteira pr\u00e9-definido e codificado, garantindo que a atividade maliciosa continue sem interrup\u00e7\u00f5es.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">3J98t1Wxxxx \u00e9 o endere\u00e7o que foi copiado para a \u00e1rea de transfer\u00eancia<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3><span class=\"TextRun MacChromeBold SCXW175329495 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW175329495 BCX0\">4<\/span><span class=\"NormalTextRun SCXW175329495 BCX0\">.\u00a0<\/span><span class=\"NormalTextRun SCXW175329495 BCX0\">Evas\u00e3o de detec\u00e7\u00e3o e furtividade<\/span><\/span><span class=\"EOP Selected SCXW175329495 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_232022\" aria-describedby=\"caption-attachment-232022\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232022\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1024x476.png\" alt=\"Figura 8. Arquivo settings.js, que mostra a configura\u00e7\u00e3o \" width=\"1024\" height=\"476\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1024x476.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-300x139.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-768x357.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1536x714.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-205x95.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232022\" class=\"wp-caption-text\"><em>Figura 8. Arquivo Settings.js que mostra a configura\u00e7\u00e3o<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">A configura\u00e7\u00e3o inclui uma chave de API fixa, que \u00e9 usada pela extens\u00e3o para autenticar a comunica\u00e7\u00e3o com a infraestrutura controlada pelo invasor.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Um URL RPC que aponta para um n\u00f3 p\u00fablico de blockchain \u00e9 utilizado para resolver dinamicamente informa\u00e7\u00f5es do servidor de back-end, permitindo que o invasor oculte a infraestrutura cr\u00edtica por tr\u00e1s de sistemas descentralizados.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">A presen\u00e7a de um endere\u00e7o de contrato inteligente e de um m\u00e9todo\u00a0indica\u00a0que o malware recupera indiretamente o dom\u00ednio de comando e controle (C2) por meio de consultas \u00e0 blockchain, dificultando a interrup\u00e7\u00e3o da opera\u00e7\u00e3o e o rastreamento.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">A lista de dom\u00ednios\u00a0bloqueados\u00a0cont\u00e9m sites de an\u00e1lise de blockchain nos quais a extens\u00e3o da\u00a0Web\u00a0n\u00e3o\u00a0funcionar\u00e1.\u00a0Isso \u00e9 feito para n\u00e3o alertar a v\u00edtima enquanto ela tenta colar seu\u00a0pr\u00f3prio endere\u00e7o e visualizar o\u00a0saldo\u00a0da carteira ou inspecionar suas transa\u00e7\u00f5es<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232037\" aria-describedby=\"caption-attachment-232037\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232037\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1024x425.png\" alt=\"Figura 9. Como o invasor localiza seu dom\u00ednio C2 atrav\u00e9s de um contrato inteligente do Ethereum (etherhiding) \" width=\"1024\" height=\"425\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1024x425.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-300x124.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-768x318.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1536x637.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-205x85.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232037\" class=\"wp-caption-text\"><em>Figura 9. Como o invasor localiza seu dom\u00ednio C2 atrav\u00e9s de um contrato inteligente do Ethereum (etherhiding)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232052\" aria-describedby=\"caption-attachment-232052\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232052\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1024x294.png\" alt=\"Figura 10. Carga \u00fatil da solicita\u00e7\u00e3o com o endere\u00e7o do contrato do Ethereum \" width=\"1024\" height=\"294\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1024x294.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-300x86.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-768x220.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1536x441.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-205x59.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232052\" class=\"wp-caption-text\"><em>Figura 10. Carga \u00fatil da solicita\u00e7\u00e3o com endere\u00e7o do contrato do Ethereum<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">A an\u00e1lise din\u00e2mica revelou que o malware resolve o dom\u00ednio de comando e controle por meio de um contrato inteligente da blockchain, que retornou o dom\u00ednio\u00a0<\/span><b><i><span data-contrast=\"auto\">devops-offensive[.]cc<\/span><\/i><\/b><span data-contrast=\"auto\">\u00a0em tempo de execu\u00e7\u00e3o.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">A resposta da blockchain \u00e9 decodificada em tempo de execu\u00e7\u00e3o, revelando o dom\u00ednio C2 ativo (devops-offensive.cc).\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Esse dom\u00ednio n\u00e3o est\u00e1 embutido no c\u00f3digo, o que permite que o invasor atualize a infraestrutura sem precisar modificar o malware.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">O dom\u00ednio resolvido \u00e9 armazenado em cache localmente para\u00a0manter\u00a0a persist\u00eancia e reduzir consultas repetidas \u00e0 rede.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232067\" aria-describedby=\"caption-attachment-232067\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-232067\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1024x258.png\" alt=\"Figura 11. Essa imagem mostra a string codificada com o dom\u00ednio malicioso \" width=\"1024\" height=\"258\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1024x258.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-300x76.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-768x194.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1536x387.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-205x52.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232067\" class=\"wp-caption-text\"><em>Figura 11. Essa imagem mostra a string codificada com o dom\u00ednio malicioso<\/em><\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW196653296 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW196653296 BCX0\">Essa string <\/span><\/span><span class=\"TextRun SCXW196653296 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW196653296 BCX0\">\u00e9 decodificada por esta\u00a0<\/span><span class=\"NormalTextRun SCXW196653296 BCX0\">fun\u00e7\u00e3o<\/span><span class=\"NormalTextRun SCXW196653296 BCX0\"> para retornar o dom\u00ednio final do invasor.<\/span><\/span><\/p>\n<figure id=\"attachment_232082\" aria-describedby=\"caption-attachment-232082\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-232082\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1024x252.png\" alt=\"Figura 12. Essa imagem mostra o dom\u00ednio final do invasor \" width=\"1024\" height=\"252\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1024x252.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-300x74.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-768x189.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1536x378.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-205x51.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232082\" class=\"wp-caption-text\"><em>Figura 12. Essa imagem mostra o dom\u00ednio final do invasor:<\/em><\/figcaption><\/figure>\n<h2><span class=\"TextRun SCXW127612542 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW127612542 BCX0\" data-ccp-parastyle=\"heading 2\">T\u00e9cnicas de persist\u00eancia e evas\u00e3o<\/span><\/span><span class=\"EOP Selected SCXW127612542 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW32004784 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW32004784 BCX0\">A estrat\u00e9gia de persist\u00eancia e\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW32004784 BCX0\">evas\u00e3o<\/span><span class=\"NormalTextRun SCXW32004784 BCX0\">\u00a0da campanha \u00e9 deliberada e apresenta v\u00e1rias camadas. O operador claramente\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW32004784 BCX0\">otimizou<\/span><span class=\"NormalTextRun SCXW32004784 BCX0\">\u00a0dois aspectos: baixa visibilidade para o usu\u00e1rio final e alta resili\u00eancia contra interrup\u00e7\u00f5es da opera\u00e7\u00e3o e an\u00e1lise est\u00e1tica.<\/span><\/span><span class=\"EOP Selected TrackedChange SCXW32004784 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Persist\u00eancia<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<ul>\n<li><span data-contrast=\"auto\">O registro de extens\u00f5es por meio de adultera\u00e7\u00e3o dos arquivos Secure Preferences garante que a extens\u00e3o seja carregada em cada abertura\u00a0subsequente\u00a0do navegador, sem exigir qualquer mecanismo auxiliar de persist\u00eancia no Windows \u2014\u00a0<\/span><b><i><span data-contrast=\"auto\">sem chaves do Registro, tarefas agendadas ou servi\u00e7os normalmente inspecionados por investigadores de endpoints.<\/span><\/i><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">O modo de desenvolvedor \u00e9 ativado de forma programada quando\u00a0necess\u00e1rio, possibilitando que as extens\u00f5es descompactadas persistam sem desencadear um fluxo de &#8220;aviso de extens\u00f5es descompactadas&#8221;, exibido pelo Chromium para preven\u00e7\u00e3o de sideloading.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">O dom\u00ednio C2 armazenado em cache permite que a extens\u00e3o continue\u00a0operando\u00a0sobre um back-end notoriamente benigno, mesmo que o endpoint de RPC de blockchain esteja momentaneamente indispon\u00edvel.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Evas\u00e3o<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<ul>\n<li><span data-contrast=\"auto\">A identidade vis\u00edvel da extens\u00e3o \u2014 um simples aplicativo de anota\u00e7\u00f5es chamado \u201cGoogle Notes\u201d \u2014 fornece uma cobertura plaus\u00edvel contra uma inspe\u00e7\u00e3o casual da lista de extens\u00f5es instaladas.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Os valores HMAC\u00a0<\/span><span data-contrast=\"auto\">recalculados satisfazem a verifica\u00e7\u00e3o de integridade do Chromium, evitando o aviso \u201cextens\u00e3o instalada de uma fonte desconhecida\u201d que, de outra forma, alertaria o usu\u00e1rio.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">O instalador se exclui automaticamente ap\u00f3s a execu\u00e7\u00e3o, removendo o indicador mais \u00f3bvio da presen\u00e7a\u00a0<\/span><span data-contrast=\"auto\">inicial\u00a0do comprometimento no disco.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">A resolu\u00e7\u00e3o de C2<\/span><span data-contrast=\"auto\">\u00a0por meio de uma blockchain p\u00fablica significa que n\u00e3o h\u00e1 um dom\u00ednio C2 persistente observ\u00e1vel no pr\u00f3prio pacote do malware; as detec\u00e7\u00f5es baseadas em rede criadas com base em indicadores fixos no c\u00f3digo n\u00e3o ser\u00e3o acionadas at\u00e9 que o dom\u00ednio seja resolvido e contatado.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Variantes de instalador em m\u00faltiplas linguagens (.NET e Golang) reduzem a efic\u00e1cia de assinaturas bin\u00e1rias de recursos e anomalias de compila\u00e7\u00e3o.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">A substitui\u00e7\u00e3o din\u00e2mica de carteiras por endere\u00e7o significa que os endere\u00e7os publicados pelo\u00a0invasor perdem\u00a0validade rapidamente e\u00a0n\u00e3o\u00a0se\u00a0tornam\u00a0entradas de lista de bloqueio duradouras \u2014 quem est\u00e1 se defendendo precisa bloquear o pr\u00f3prio servi\u00e7o de back-end, n\u00e3o os endere\u00e7os que ele fornece.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h2><span class=\"TrackedChange SCXW175054041 BCX0\"><span class=\"TextRun SCXW175054041 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW175054041 BCX0\" data-ccp-parastyle=\"heading 2\">L\u00f3gica de substitui\u00e7\u00e3o de carteira<\/span><\/span><\/span><span class=\"EOP Selected SCXW175054041 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">A l\u00f3gica do clipper est\u00e1 dividida em duas camadas: uma camada de script de conte\u00fado, que\u00a0monitora\u00a0a atividade da \u00e1rea de transfer\u00eancia e os campos de entrada das p\u00e1ginas da web em todas as origens visitadas, e uma camada em segundo plano, que se comunica com o back-end do invasor para obter endere\u00e7os de substitui\u00e7\u00e3o.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Quando a extens\u00e3o\u00a0detecta\u00a0um evento de c\u00f3pia, ela\u00a0aplica\u00a0um conjunto de express\u00f5es regulares espec\u00edficas de criptomoedas ao conte\u00fado da \u00e1rea de transfer\u00eancia. Se uma correspond\u00eancia for encontrada, o endere\u00e7o interceptado \u00e9 enviado ao back-end do<\/span><span data-contrast=\"auto\">\u00a0invasor por meio de uma solicita\u00e7\u00e3o autenticada (autenticada com a chave de API incorporada na configura\u00e7\u00e3o). O back-end responde com um endere\u00e7o de substitui\u00e7\u00e3o espec\u00edfico para o endere\u00e7o original enviado, e esse endere\u00e7o substituto \u00e9 gravado novamente na \u00e1rea de transfer\u00eancia, sobrescrevendo o endere\u00e7o leg\u00edtimo antes que a v\u00edtima consiga colar.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Testes realizados com um cliente de back-end reconstru\u00eddo \u2014 desenvolvido com uma reimplementa\u00e7\u00e3o do formato de solicita\u00e7\u00e3o de extens\u00e3o e da l\u00f3gica de decodifica\u00e7\u00e3o de respostas em Python \u2014 produziram um perfil\u00a0comportamental\u00a0revelador:<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">Bitcoin<\/span><\/b><b><span data-contrast=\"auto\">\u00a0(BTC), Ethereum, Bitcoin Cash, Ripple e Dash:\u00a0<\/span><\/b><span data-contrast=\"auto\">cada\u00a0endere\u00e7o\u00a0enviado \u00e9 associado a um endere\u00e7o exclusivo controlado pelo invasor. O reenvio do mesmo endere\u00e7o original retorna o mesmo endere\u00e7o de substitui\u00e7\u00e3o,\u00a0indicando\u00a0um mapeamento determin\u00edstico individual (um para um)\u00a0mantido no\u00a0lado do servidor.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Solana:\u00a0<\/span><\/b><span data-contrast=\"auto\">todos os\u00a0endere\u00e7os\u00a0enviados s\u00e3o direcionados para um \u00fanico endere\u00e7o do invasor, sugerindo que o recurso de mapeamento por v\u00edtima \u00e9 implementado seletivamente para cada blockchain<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h2><span class=\"TextRun SCXW166026346 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SpellingErrorV2Themed SCXW166026346 BCX0\" data-ccp-parastyle=\"heading 2\">Analisando<\/span><span class=\"NormalTextRun SCXW166026346 BCX0\" data-ccp-parastyle=\"heading 2\">\u00a0as carteiras de criptomoedas dos invasores<\/span><\/span><span class=\"EOP Selected SCXW166026346 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Com base nos trechos\u00a0de c\u00f3digo\u00a0da extens\u00e3o do navegador respons\u00e1vel por recuperar endere\u00e7os de substitui\u00e7\u00e3o, foi preparado um script em Python para extrair automaticamente os endere\u00e7os das carteiras de criptomoedas dos invasores. A carga \u00fatil foi criada usando o pr\u00f3prio c\u00f3digo do invasor, e o trecho respons\u00e1vel por \u201cobter endere\u00e7o de substitui\u00e7\u00e3o\u201d foi extra\u00eddo diretamente desse c\u00f3digo. A l\u00f3gica usada pelo invasor para decodificar os dados recebidos do servidor C2 tamb\u00e9m foi fielmente reimplementada no script.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">O script foi ent\u00e3o executado usando alguns endere\u00e7os de carteiras de teste de Bitcoin\u00a0(BTC)\u00a0. Os resultados mostraram que, para cada endere\u00e7o de Bitcoin fornecido, um endere\u00e7o de Bitcoin exclusivo era retornado como resposta, e\u00a0todos\u00a0esses endere\u00e7os retornados eram carteiras\u00a0de\u00a0BTC v\u00e1lidas. Isso\u00a0indica\u00a0que, para cada endere\u00e7o de BTC fornecido, o invasor gera dinamicamente uma nova carteira vinculada a esse endere\u00e7o de entrada espec\u00edfico. Al\u00e9m disso, quando o mesmo endere\u00e7o foi fornecido novamente, o mesmo endere\u00e7o BTC foi retornado \u2014 o que confirma que\u00a0<\/span><b><span data-contrast=\"auto\">cada\u00a0endere\u00e7o\u00a0BTC das v\u00edtimas est\u00e1 mapeado de forma determin\u00edstica para um \u00fanico endere\u00e7o espec\u00edfico controlado pelo invasor<\/span><\/b><span data-contrast=\"auto\">. Embora algumas dessas carteiras dos invasores\u00a0contivessem\u00a0fundos e outras estivessem vazias, o n\u00famero total desconhecido de carteiras dos invasores dificulta estabelecer uma estimativa confi\u00e1vel de quanto de criptomoeda foi roubado no total.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">O mesmo\u00a0comportamento\u00a0foi\u00a0observado\u00a0no Ethereum, em que diferentes endere\u00e7os de carteira eram retornados para cada entrada. Curiosamente, quando o script foi testado com endere\u00e7os da blockchain Solana, apenas um \u00fanico endere\u00e7o era retornado, independentemente da quantidade de entradas diferentes fornecidas. Isso sugere que o invasor implementou o recurso de mapeamento por endere\u00e7o apenas para algumas redes de criptomoedas, enquanto outras utilizam uma \u00fanica carteira de destino est\u00e1tica. Como o endere\u00e7o da Solana \u00e9 compartilhado entre todas as v\u00edtimas, \u00e9 poss\u00edvel observar um aumento percept\u00edvel no saldo desse endere\u00e7o. Al\u00e9m disso, descobriu-se que um dos endere\u00e7os de Ethereum identificados continha aproximadamente 1.902 USD em fundos. <\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Em resumo, as <strong>criptomoedas<\/strong> para as quais s\u00e3o gerados<strong> endere\u00e7os exclusivos de carteira por v\u00edtima incluem Bitcoin, Ethereum, Bitcoin Cash, Ripple e Dash.<\/strong><\/span> <img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232098\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1024x455.png\" alt=\"Fig. 13. A carga \u00fatil foi criada usando o c\u00f3digo do invasor \" width=\"1024\" height=\"455\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1024x455.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-300x133.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-768x342.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1536x683.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-205x91.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/> <em>Fig 13. A carga \u00fatil foi criada usando o c\u00f3digo do invasor<\/em><\/p>\n<figure id=\"attachment_232113\" aria-describedby=\"caption-attachment-232113\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232113\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1024x426.png\" alt=\"Fig. 14. Obten\u00e7\u00e3o do trecho de c\u00f3digo de endere\u00e7o de substitui\u00e7\u00e3o extra\u00eddo do c\u00f3digo do invasor \" width=\"1024\" height=\"426\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1024x426.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-300x125.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-768x319.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1536x638.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-205x85.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232113\" class=\"wp-caption-text\"><em>Fig. 14. Obten\u00e7\u00e3o do trecho de c\u00f3digo de endere\u00e7o de substitui\u00e7\u00e3o extra\u00eddo do c\u00f3digo do invasor<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232128\" aria-describedby=\"caption-attachment-232128\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232128\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1024x353.png\" alt=\"Fig. 15. A l\u00f3gica dos invasores para a decodifica\u00e7\u00e3o dos dados recebidos do C2 tamb\u00e9m foi implementada \" width=\"1024\" height=\"353\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1024x353.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-300x103.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-768x265.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1536x530.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-205x71.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232128\" class=\"wp-caption-text\">Fig. 15. A l\u00f3gica dos invasores para a decodifica\u00e7\u00e3o dos dados recebidos do C2 tamb\u00e9m foi implementada<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW94149359 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW94149359 BCX0\">Execu\u00e7\u00e3o do<\/span><span class=\"NormalTextRun SCXW94149359 BCX0\">\u00a0script usando alguns endere\u00e7os de carteiras Bitcoin de teste<\/span><\/span><span class=\"EOP Selected SCXW94149359 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_232143\" aria-describedby=\"caption-attachment-232143\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232143\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1024x977.png\" alt=\"Fig. 16. Para cada endere\u00e7o de bitcoin, foi retornado um endere\u00e7o \u00fanico de bitcoin, e todos os endere\u00e7os s\u00e3o endere\u00e7os v\u00e1lidos de carteira de BTC \" width=\"1024\" height=\"977\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1024x977.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-300x286.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-768x733.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1536x1466.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-135x129.png 135w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM.png 1670w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232143\" class=\"wp-caption-text\"><em>Fig 16. Todos os endere\u00e7os Bitcoin exclusivos foram retornados e s\u00e3o endere\u00e7os v\u00e1lidos de carteiras BTC<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232161\" aria-describedby=\"caption-attachment-232161\" style=\"width: 992px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-232161\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM.png\" alt=\"Fig. 17. Da mesma forma, o Ethereum apresentou endere\u00e7os exclusivos\" width=\"992\" height=\"966\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM.png 992w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-300x292.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-768x748.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-132x129.png 132w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-48x48.png 48w\" sizes=\"auto, (max-width: 992px) 100vw, 992px\" \/><figcaption id=\"caption-attachment-232161\" class=\"wp-caption-text\"><em>Fig. 17. Da mesma forma, o Ethereum apresentou endere\u00e7os exclusivos<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232176\" aria-describedby=\"caption-attachment-232176\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232176\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-1024x766.png\" alt=\"Fig. 18. Execu\u00e7\u00e3o do script para teste de endere\u00e7os Solana \" width=\"1024\" height=\"766\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-1024x766.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-300x224.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-768x575.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-172x129.png 172w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM.png 1064w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232176\" class=\"wp-caption-text\">Figure 18. Execu\u00e7\u00e3o do script para teste de endere\u00e7os Solana<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW7609193 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW7609193 BCX0\">Felizmente, no caso da Solana, estamos obtendo apenas 1 endere\u00e7o\u00a0<\/span><span class=\"NormalTextRun SCXW7609193 BCX0\">quando v\u00e1rios endere\u00e7os s\u00e3o\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW7609193 BCX0\">fornecidos<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW7609193 BCX0\">. <\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW7609193 BCX0\">Isso<\/span><span class=\"NormalTextRun SCXW7609193 BCX0\">\u00a0mostra\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW7609193 BCX0\">que o invasor implementou esse recurso de mapeamento de endere\u00e7os<\/span><span class=\"NormalTextRun SCXW7609193 BCX0\"> apenas em criptomoedas espec\u00edficas<\/span><\/span><span class=\"EOP Selected SCXW7609193 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<figure id=\"attachment_232191\" aria-describedby=\"caption-attachment-232191\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232191\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-1024x401.png\" alt=\"Fig. 19. Aqui \u00e9 poss\u00edvel ver um aumento no valor do saldo\" width=\"1024\" height=\"401\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-1024x401.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-768x301.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-205x80.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM.png 1250w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232191\" class=\"wp-caption-text\"><em>Fig. 19. Aqui \u00e9 poss\u00edvel ver um aumento no valor do saldo<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232206\" aria-describedby=\"caption-attachment-232206\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232206\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-1024x580.png\" alt=\"Fig. 20. Foi identificado que o endere\u00e7o ETH possu\u00eda 1.902 USD \" width=\"1024\" height=\"580\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-1024x580.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-300x170.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-768x435.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-205x116.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM.png 1310w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232206\" class=\"wp-caption-text\"><em>Fig. 20. Foi identificado que o endere\u00e7o ETH possu\u00eda 1.902 USD<\/em><\/figcaption><\/figure>\n<h3><span class=\"TextRun SCXW154641437 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\">An\u00e1lise\u00a0<\/span><span class=\"NormalTextRun SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\">t\u00e9cnica do arquivo\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\">.net<\/span><span class=\"NormalTextRun SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\">\u00a0(instalador de extens\u00e3o)<\/span><\/span><span class=\"EOP Selected SCXW154641437 BCX0\" data-ccp-props=\"{\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_232222\" aria-describedby=\"caption-attachment-232222\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232222\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-1024x817.png\" alt=\"Fig. 21. BaseZipInstaller \u00e9 um instalador .NET que n\u00e3o possui assinatura digital \" width=\"1024\" height=\"817\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-1024x817.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-300x239.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-768x613.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-162x129.png 162w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232222\" class=\"wp-caption-text\"><em>Fig. 21 O BaseZipInstaller \u00e9 um instalador .NET sem assinatura<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232237\" aria-describedby=\"caption-attachment-232237\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232237\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-1024x485.png\" alt=\"Fig. 22. Configura\u00e7\u00e3o armazenada conforme vista no DnSpy\" width=\"1024\" height=\"485\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-1024x485.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-300x142.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-768x364.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-205x97.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM.png 1274w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232237\" class=\"wp-caption-text\"><em>Fig. 22 Configura\u00e7\u00e3o armazenada, como vista no Dnspy<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">O malware incorpora uma configura\u00e7\u00e3o\u00a0JSON\u00a0completa diretamente no bin\u00e1rio,\u00a0eliminando\u00a0a necessidade de buscar dados de configura\u00e7\u00e3o inicial em fontes externas.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Essa configura\u00e7\u00e3o incorporada inclui detalhes essenciais, como chaves de API, URL do servidor de back-end, extens\u00f5es de carteira visadas e o manifesto completo da extens\u00e3o com permiss\u00f5es abrangentes.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232252\" aria-describedby=\"caption-attachment-232252\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232252\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-1024x404.png\" alt=\"Fig. 23. Fun\u00e7\u00e3o principal a partir da qual a execu\u00e7\u00e3o \u00e9 iniciada \" width=\"1024\" height=\"404\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-1024x404.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-768x303.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232252\" class=\"wp-caption-text\"><em>Fig. 23. Fun\u00e7\u00e3o principal a partir da qual a execu\u00e7\u00e3o come\u00e7a<\/em><\/figcaption><\/figure>\n<ul>\n<li><span class=\"TextRun SCXW122609328 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW122609328 BCX0\">O instalador recupera e\u00a0<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">valida<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">\u00a0um arquivo ZIP remoto<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">\u00a0(google-services<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">[<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">.<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">]<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">cc\/base<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">[<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">.<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">]<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">zip)<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">, que atua como a principal carga \u00fatil para instalar a extens\u00e3o de navegador maliciosa, marcando a transi\u00e7\u00e3o da\u00a0<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">infec\u00e7\u00e3o<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">\u00a0inicial para o comprometimento do navegador.<\/span><\/span><span class=\"EOP Selected SCXW122609328 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232267\" aria-describedby=\"caption-attachment-232267\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232267\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-1024x367.png\" alt=\"Fig. 24. A extens\u00e3o \u00e9 criada no seguinte local do sistema com os arquivos baixados como base.zip\" width=\"1024\" height=\"367\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-1024x367.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-300x107.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-768x275.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-205x73.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM.png 1284w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232267\" class=\"wp-caption-text\"><em>Fig. 24. A extens\u00e3o \u00e9 criada no seguinte local do sistema com os arquivos baixados como base.zip.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232282\" aria-describedby=\"caption-attachment-232282\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232282\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-1024x460.png\" alt=\"Fig. 25. Lista de navegadores visados exibida no DnSpy\" width=\"1024\" height=\"460\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-1024x460.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-300x135.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-768x345.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-205x92.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232282\" class=\"wp-caption-text\"><em>Fig. 25. Lista de navegadores visados exibida no DnSpy<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">O instalador percorre v\u00e1rios navegadores baseados em Chromium, incluindo Chrome, Edge, Opera e Brave,\u00a0identificando\u00a0os perfis de usu\u00e1rio dispon\u00edveis no sistema.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Para cada perfil detectado, o malware encerra\u00a0\u00e0 for\u00e7a\u00a0o processo do navegador para modificar\u00a0com seguran\u00e7a\u00a0os arquivos de configura\u00e7\u00e3o sem interfer\u00eancia.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Em seguida, ele injeta a extens\u00e3o maliciosa modificando\u00a0diretamente\u00a0os arquivos de configura\u00e7\u00e3o Secure Preferences e Preferences, permitindo que a extens\u00e3o seja carregada sem intera\u00e7\u00e3o do usu\u00e1rio.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<div class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-image-missing-alt aligncenter wp-image-232298 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-1024x637.png\" alt=\"mais c\u00f3digo\" width=\"1024\" height=\"637\" data-warning=\"Missing alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-1024x637.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-300x187.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-768x478.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-205x127.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div>\n<ul>\n<li><span data-contrast=\"auto\">O malware\u00a0identifica\u00a0os caminhos de instala\u00e7\u00e3o dos navegadores consultando diret\u00f3rios padr\u00e3o do sistema, permitindo\u00a0localizar\u00a0as pastas de dados do usu\u00e1rio do Chrome, Edge, Opera e Brave.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ele enumera\u00a0sistematicamente\u00a0os perfis dos navegadores e procura especificamente a presen\u00e7a do arquivo Secure Preferences, que armazena configura\u00e7\u00f5es cr\u00edticas do navegador e dados de extens\u00f5es.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ao direcionar os perfis que cont\u00eam o arquivo Secure Preferences, o malware garante que\u00a0modifica\u00a0apenas ambientes de navegador v\u00e1lidos, aumentando a confiabilidade da inje\u00e7\u00e3o da extens\u00e3o.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232313\" aria-describedby=\"caption-attachment-232313\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232313\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-1024x208.png\" alt=\"\u00c9 poss\u00edvel observar o evento WriteFile nos arquivos Secure Preferences do Chrome e do MS Edge quando os detalhes da extens\u00e3o baixada s\u00e3o gravados nesses arquivos de configura\u00e7\u00e3o \" width=\"1024\" height=\"208\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-1024x208.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-300x61.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-768x156.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-205x42.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM.png 1140w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232313\" class=\"wp-caption-text\"><em>\u00c9 poss\u00edvel observar o evento WriteFile no arquivo Secure Preferences do Chrome e do MS Edge quando os detalhes da extens\u00e3o baixada s\u00e3o gravados nesses arquivos de configura\u00e7\u00e3o.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232328\" aria-describedby=\"caption-attachment-232328\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232328\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-1024x403.png\" alt=\"Fig. 27. L\u00f3gica do invasor para reassinar os arquivos Secure Preferences\" width=\"1024\" height=\"403\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-1024x403.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-768x302.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM.png 1276w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232328\" class=\"wp-caption-text\"><em>Fig. 27. L\u00f3gica do invasor para realizar a reassinatura dos arquivos Secure Preferences<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">O malware l\u00ea e\u00a0modifica\u00a0o\u00a0arquivo\u00a0Secure Preferences do navegador, que controla as extens\u00f5es instaladas e seu status de confian\u00e7a.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ele injeta a extens\u00e3o maliciosa na configura\u00e7\u00e3o e\u00a0tenta\u00a0reassinar os dados modificados, fazendo com que as altera\u00e7\u00f5es pare\u00e7am leg\u00edtimas nas verifica\u00e7\u00f5es de integridade do navegador.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">A configura\u00e7\u00e3o atualizada \u00e9 ent\u00e3o gravada novamente no disco, garantindo que a extens\u00e3o seja carregada automaticamente e permane\u00e7a ap\u00f3s reinicializa\u00e7\u00f5es do navegador.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232343\" aria-describedby=\"caption-attachment-232343\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232343\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-1024x156.png\" alt=\"Fig. 27B. O caminho da extens\u00e3o \u00e9 adicionado ao arquivo Secure Preferences do Chrome\" width=\"1024\" height=\"156\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-1024x156.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-300x46.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-768x117.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-205x31.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM.png 1158w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232343\" class=\"wp-caption-text\"><em>Fig. 27B. O caminho da extens\u00e3o \u00e9 adicionado ao arquivo Secure Preferences do Chrome<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232358\" aria-describedby=\"caption-attachment-232358\" style=\"width: 968px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-232358\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM.png\" alt=\"Fig. 28. L\u00f3gica para manipula\u00e7\u00e3o das defesas do navegador Brave \" width=\"968\" height=\"560\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM.png 968w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-300x174.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-768x444.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-205x119.png 205w\" sizes=\"auto, (max-width: 968px) 100vw, 968px\" \/><figcaption id=\"caption-attachment-232358\" class=\"wp-caption-text\"><em>Fig 28. L\u00f3gica para manipula\u00e7\u00e3o das defesas do navegador Brave<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Para navegadores como Brave e Opera, o malware injeta a extens\u00e3o maliciosa diretamente na\u00a0configura\u00e7\u00e3o\u00a0do navegador, adicionando entradas na se\u00e7\u00e3o\u00a0extensions.settings\u00a0(ou\u00a0extensions.opsettings).\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ele tamb\u00e9m atualiza campos relacionados \u00e0 integridade (protection.macs) para fazer com que a extens\u00e3o injetada pare\u00e7a confi\u00e1vel para o navegador.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Al\u00e9m disso, o malware\u00a0tenta\u00a0habilitar o modo de desenvolvedor programaticamente, permitindo que extens\u00f5es n\u00e3o empacotadas sejam executadas com menos restri\u00e7\u00f5es.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232373\" aria-describedby=\"caption-attachment-232373\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232373\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-1024x704.png\" alt=\"Fig. 29. L\u00f3gica do invasor para obter o ID do dispositivo, usado posteriormente no c\u00e1lculo dos valores de integridade \" width=\"1024\" height=\"704\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-1024x704.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-300x206.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-768x528.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-188x129.png 188w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM.png 1272w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232373\" class=\"wp-caption-text\"><em>Fig. 29. L\u00f3gica do invasor para obter o ID do dispositivo, usado posteriormente no c\u00e1lculo dos valores de integridade<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">O malware\u00a0tenta\u00a0recalcular as assinaturas de integridade do navegador gerando novos valores MAC (c\u00f3digo de autentica\u00e7\u00e3o de mensagem) para o arquivo Secure Preferences modificado.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ele usa identificadores espec\u00edficos do sistema, como o SID da m\u00e1quina, combinados com um valor de semente para simular o mecanismo interno de verifica\u00e7\u00e3o do Chrome.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ao recalcular essas verifica\u00e7\u00f5es de integridade (macs e\u00a0super_mac), o malware tenta fazer com que suas modifica\u00e7\u00f5es n\u00e3o autorizadas pare\u00e7am leg\u00edtimas para o navegador.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232388\" aria-describedby=\"caption-attachment-232388\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232388\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-1024x507.png\" alt=\"Figura 30. L\u00f3gica de autoexclus\u00e3o\" width=\"1024\" height=\"507\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-1024x507.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-300x149.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-768x380.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-205x102.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM.png 1252w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232388\" class=\"wp-caption-text\"><em>Figura 30. L\u00f3gica de autoexclus\u00e3o<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">O malware inclui um mecanismo de autoexclus\u00e3o projetado para remover o arquivo execut\u00e1vel do instalador ap\u00f3s a execu\u00e7\u00e3o bem-sucedida.\u00a0<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Ele inicia um processo oculto de prompt de comando que atrasa brevemente a execu\u00e7\u00e3o antes\u00a0de excluir\u00a0o arquivo original do\u00a0disco.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/li>\n<\/ul>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Conclus\u00e3o<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Esta campanha ilustra de forma concisa os rumos do roubo de criptomoedas direcionado aos consumidores. O autor da campanha tomou como base a categoria mais antiga e simples de malware de criptomoedas \u2014 o clipper \u2014 e, discretamente, aprimorou tr\u00eas de seus pontos mais fracos. Os endere\u00e7os est\u00e1ticos controlados pelo invasor foram substitu\u00eddos por\u00a0um mapeamento feito pelo servidor, espec\u00edfico para cada v\u00edtima. Dom\u00ednios de comando e controle (C2) vulner\u00e1veis, codificados diretamente no malware, foram substitu\u00eddos por uma consulta resolvida via blockchain que o operador pode alternar com uma \u00fanica transa\u00e7\u00e3o. E um dropper vulner\u00e1vel foi substitu\u00eddo por uma extens\u00e3o do Chromium integrada ao aplicativo em que o usu\u00e1rio mais confia, carregada sob a pr\u00f3pria assinatura de integridade do navegador.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\"><strong>A McAfee vai continuar acompanhando essa campanha e a infraestrutura relacionad<\/strong>a. Nossos clientes est\u00e3o protegidos pelos mecanismos de detec\u00e7\u00e3o j\u00e1 existentes e v\u00e3o se beneficiar de atualiza\u00e7\u00f5es baseadas em telemetria \u00e0 medida que novas variantes e infraestruturas alternadas forem identificadas.<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun MacChromeBold SCXW61108569 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW61108569 BCX0\" data-ccp-parastyle=\"heading 1\">Indicadores de Compromisso<\/span><\/span><span class=\"EOP Selected SCXW61108569 BCX0\" data-ccp-props=\"{\"> (IOC)<\/span><\/h2>\n<table style=\"font-weight: 400;\" data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\" aria-rowcount=\"8\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Tipo<\/span><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Categoria<\/span><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Valor<\/span><\/b><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">SHA-256<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Instalador .NET (BaseZipInstaller)<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf<\/span> <span data-contrast=\"none\"> 053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0<\/span> <span data-ccp-props=\"{\">\u00a0 \u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">SHA-256<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Variante do instalador compilada em Golang<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962\u2003\u2003<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"auto\">1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d\u2003\u2003<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">URL<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Distribui\u00e7\u00e3o da carga \u00fatil<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">hxxps:\/\/google-services[.]cc\/base[.]zip<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Dom\u00ednio<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Comando e Controle (resolvido por meio de contrato inteligente)<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">devops-offensive[.]cc<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">Zebregts[.]com<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Carteira de BTC<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Carteira de criptomoedas<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj<\/span><span data-ccp-props=\"{\">\u00a0<\/span> <span data-contrast=\"none\">1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"7\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Artefato<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Alvo de sideload<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Arquivo Secure Preferences do Chromium (perfis do Chrome, Edge, Brave e Opera)<\/span><span data-ccp-props=\"{\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"8\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Arquivos de extens\u00e3o<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">manifest.json<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">crypto-patterns.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Interceptor.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">content-script.j<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">cache.js<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">domain-resolver.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">service-worker.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">api-client.js<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5<\/span><span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-contrast=\"none\">ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span> <span data-ccp-props=\"{}\">\u00a0<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Por por Neil Tyagi Resumo executivo\u00a0 A equipe da McAfee Advanced Threat Research\u00a0identificou\u00a0uma campanha ativa de extens\u00f5es maliciosas de navegador&#8230;<\/p>\n","protected":false},"author":695,"featured_media":209109,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[11953],"tags":[],"coauthors":[4136],"class_list":["post-232868","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-seguranca-na-internet"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper | Blog da McAfee<\/title>\n<meta name=\"description\" content=\"Pesquisadores descobrem malware de extens\u00e3o de navegador que rouba criptomoedas substituindo endere\u00e7os de carteiras durante transa\u00e7\u00f5es.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"pt_BR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper | Blog da McAfee\" \/>\n<meta property=\"og:description\" content=\"Pesquisadores descobrem malware de extens\u00e3o de navegador que rouba criptomoedas substituindo endere\u00e7os de carteiras durante transa\u00e7\u00f5es.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog da McAfee\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2026-07-17T13:03:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-17T13:18:49+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"600\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. tempo de leitura\" \/>\n\t<meta name=\"twitter:data2\" content=\"24 minutes\" \/>\n\t<meta name=\"twitter:label3\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data3\" content=\"McAfee Labs\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper\",\"datePublished\":\"2026-07-17T13:03:57+00:00\",\"dateModified\":\"2026-07-17T13:18:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/\"},\"wordCount\":4776,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\",\"articleSection\":[\"Seguran\u00e7a na Internet\"],\"inLanguage\":\"pt-BR\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/\",\"name\":\"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper | Blog da McAfee\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\",\"datePublished\":\"2026-07-17T13:03:57+00:00\",\"dateModified\":\"2026-07-17T13:18:49+00:00\",\"description\":\"Pesquisadores descobrem malware de extens\u00e3o de navegador que rouba criptomoedas substituindo endere\u00e7os de carteiras durante transa\u00e7\u00f5es.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#breadcrumb\"},\"inLanguage\":\"pt-BR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg\",\"width\":600,\"height\":400},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Seguran\u00e7a na Internet\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/\",\"name\":\"McAfee Blog\",\"description\":\"Not\u00edcias sobre seguran\u00e7a na Internet\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"pt-BR\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"pt-BR\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/pt-br\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper | Blog da McAfee","description":"Pesquisadores descobrem malware de extens\u00e3o de navegador que rouba criptomoedas substituindo endere\u00e7os de carteiras durante transa\u00e7\u00f5es.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"pt_BR","og_type":"article","og_title":"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper | Blog da McAfee","og_description":"Pesquisadores descobrem malware de extens\u00e3o de navegador que rouba criptomoedas substituindo endere\u00e7os de carteiras durante transa\u00e7\u00f5es.","og_url":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/","og_site_name":"Blog da McAfee","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2026-07-17T13:03:57+00:00","article_modified_time":"2026-07-17T13:18:49+00:00","og_image":[{"width":600,"height":400,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Escrito por":"McAfee Labs","Est. tempo de leitura":"24 minutes","Written by":"McAfee Labs"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper","datePublished":"2026-07-17T13:03:57+00:00","dateModified":"2026-07-17T13:18:49+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/"},"wordCount":4776,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","articleSection":["Seguran\u00e7a na Internet"],"inLanguage":"pt-BR"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/","url":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/","name":"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper | Blog da McAfee","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","datePublished":"2026-07-17T13:03:57+00:00","dateModified":"2026-07-17T13:18:49+00:00","description":"Pesquisadores descobrem malware de extens\u00e3o de navegador que rouba criptomoedas substituindo endere\u00e7os de carteiras durante transa\u00e7\u00f5es.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#breadcrumb"},"inLanguage":"pt-BR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/"]}]},{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2025\/02\/Thumb.jpeg","width":600,"height":400},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/malware-de-extensao-de-navegador-crypto-clipper-de-troca-de-carteira\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/pt-br\/"},{"@type":"ListItem","position":2,"name":"Seguran\u00e7a na Internet","item":"https:\/\/www.mcafee.com\/blogs\/pt-br\/seguranca-na-internet\/"},{"@type":"ListItem","position":3,"name":"Silent Swap: campanha usa extens\u00e3o de navegador como Crypto Clipper"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#website","url":"https:\/\/www.mcafee.com\/blogs\/pt-br\/","name":"McAfee Blog","description":"Not\u00edcias sobre seguran\u00e7a na Internet","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/pt-br\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"pt-BR"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/pt-br\/","logo":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"pt-BR","@id":"https:\/\/www.mcafee.com\/blogs\/pt-br\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/pt-br\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/posts\/232868","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/comments?post=232868"}],"version-history":[{"count":4,"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/posts\/232868\/revisions"}],"predecessor-version":[{"id":232881,"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/posts\/232868\/revisions\/232881"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/media\/209109"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/media?parent=232868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/categories?post=232868"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/tags?post=232868"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/pt-br\/wp-json\/wp\/v2\/coauthors?post=232868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}