{"id":231741,"date":"2026-06-30T04:45:15","date_gmt":"2026-06-30T11:45:15","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=231741"},"modified":"2026-06-30T07:30:53","modified_gmt":"2026-06-30T14:30:53","slug":"crypto-clipper-wallet-swapping-browser-extension-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/crypto-clipper-wallet-swapping-browser-extension-malware\/","title":{"rendered":"Silent Swap: A Crypto Clipper Extension Campaign"},"content":{"rendered":"<p style=\"text-align: center;\"><em>Authored by Neil Tyagi<\/em><\/p>\n<h2><b><span data-contrast=\"none\">Executive Summary<\/span><\/b><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">McAfee Advanced Threat Research has\u00a0identified\u00a0<strong>an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses the moment a user\u00a0initiates\u00a0a transaction<\/strong>. 
The campaign is delivered through unsigned installers \u2014\u00a0observed\u00a0in both .NET and Golang variants \u2014 that deploy a malicious Chromium extension masquerading as a benign \u201cGoogle Notes\u201d utility.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This campaign is related to\u00a0a previous\u00a0blog published by\u00a0McAfee\u00a0Labs,\u00a0<\/span><a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/sinkholing-countloader-insights-into-its-recent-campaign\/\"><i><span data-contrast=\"none\">Sinkholing CountLoader: Insights into Its Recent Campaign<\/span><\/i><span data-contrast=\"none\">,<\/span><\/a><span data-contrast=\"auto\">\u00a0as the threat\u00a0actor\u00a0appears\u00a0to be\u00a0the\u00a0same\u00a0behind<\/span><span data-contrast=\"auto\">\u00a0both\u00a0<\/span><span data-contrast=\"auto\">operations<\/span><span data-contrast=\"auto\">.<\/span><span data-contrast=\"auto\">\u00a0In that earlier research, we\u00a0analyzed\u00a0a crypto clipper payload that was injected directly into\u00a0memory. Here, we examine a different variant of the final-stage payload: a browser-based malicious extension designed to intercept and manipulate cryptocurrency transactions.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In this report, we detail how the extension\u00a0operates\u00a0and provide a technical analysis of the mechanisms that make this threat particularly\u00a0unique. The\u00a0extension behaves as a clipboard-aware crypto clipper: it\u00a0monitors\u00a0copy-and-paste activity,\u00a0identifies\u00a0wallet addresses across multiple blockchains, and swaps them for attacker-controlled addresses just before the victim pastes\u00a0the content. 
Because most blockchain transactions are irreversible, even a single uninterrupted execution is enough to cause permanent financial loss.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Two characteristics elevate this campaign above the typical clipper threat:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ol>\n<li><b><span data-contrast=\"auto\">Chromium trust-layer abuse.<\/span><\/b><span data-contrast=\"auto\"> The installer secretly forces a malicious browser extension into Chromium-based browsers such as Google Chrome, Brave, and Microsoft Edge by modifying protected browser settings files. Normally, these browsers store security verification data (hash\/HMAC values) alongside sensitive settings to detect unauthorized changes. The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately. This allows the extension to bypass the normal web store installation process and load silently without user approval. On up-to-date Chrome and Edge builds, however, the victim must manually enable developer mode before the extension loads properly, so users running outdated versions of Chromium-based browsers remain at high risk. Even on the latest versions, the threat actor can employ social engineering tactics to get the victim to enable developer mode.<\/span><\/li>\n<li><span data-contrast=\"auto\"><strong>Blockchain-resolved command-and-control<\/strong>. The extension does not contain a hardcoded C2 domain. 
Instead, it queries a public blockchain RPC endpoint, invokes a read-only smart-contract method, and decodes the response at runtime to reveal its active C2, observed at the time of analysis as <\/span><span data-contrast=\"none\">Zebregts[.]com<\/span>.\n<p><span data-contrast=\"auto\">This technique, often referred to as <strong>\u201cEtherHiding,\u201d<\/strong> complicates takedown efforts because the attacker can rotate infrastructure by updating a smart-contract value rather than redeploying malware.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p><\/li>\n<\/ol>\n<p><span class=\"TextRun SCXW228011278 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW228011278 BCX0\">McAfee telemetry indicates a globally distributed infection footprint with a pronounced concentration in India. The breadth of the geography suggests opportunistic targeting of consumer cryptocurrency users rather than a region-specific operation.<\/span><\/span><span class=\"EOP Selected SCXW228011278 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun SCXW20172865 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW20172865 BCX0\" data-ccp-parastyle=\"heading 2\">Geographical Prevalence<\/span><\/span><span class=\"EOP Selected SCXW20172865 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<figure id=\"attachment_231885\" aria-describedby=\"caption-attachment-231885\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" 
decoding=\"async\" class=\"size-large wp-image-231885\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-1024x574.png\" alt=\"A map of the world showing countries impacted by this cybersecurity threat.\" width=\"1024\" height=\"574\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-1024x574.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-300x168.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-768x431.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM-205x115.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.34.05\u202fPM.png 1462w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231885\" class=\"wp-caption-text\">Our research shows that these are the most affected regions of the globe.<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">Telemetry analysis\u00a0<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">indicates<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">\u00a0that<strong>\u00a0<\/strong><\/span><\/span><strong><span class=\"TextRun MacChromeBold SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">infections are globally distributed<\/span><\/span><\/strong><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">, with a significantly\u00a0<\/span><\/span><span class=\"TextRun MacChromeBold SCXW160185877 BCX0\" lang=\"EN-US\" 
xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">higher concentration\u00a0<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">observed<\/span><span class=\"NormalTextRun SCXW160185877 BCX0\">\u00a0in India<\/span><\/span><span class=\"TextRun SCXW160185877 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW160185877 BCX0\">\u00a0compared to other regions.\u00a0<\/span><\/span><span class=\"EOP Selected SCXW160185877 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span class=\"TextRun SCXW109407542 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW109407542 BCX0\">The widespread geographic presence highlights the campaign\u2019s broad reach, suggesting opportunistic targeting rather than a region-specific attack.<\/span><\/span><span class=\"EOP Selected SCXW109407542 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun SCXW34834531 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW34834531 BCX0\" data-ccp-parastyle=\"heading 2\">The Malicious Extension: \u201cGoogle Notes\u201d<\/span><\/span><span class=\"EOP Selected SCXW34834531 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW148697599 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW148697599 BCX0\">This malware is masquerading as a\u00a0<\/span><span class=\"NormalTextRun SCXW148697599 BCX0\">seemingly harmless<\/span><span class=\"NormalTextRun SCXW148697599 BCX0\">\u00a0Google Notes extension.<\/span><\/span><span class=\"EOP Selected SCXW148697599 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231900\" aria-describedby=\"caption-attachment-231900\" style=\"width: 1024px\" class=\"wp-caption 
aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231900\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1024x818.png\" alt=\"The malicious Google Chrome extension.\" width=\"1024\" height=\"818\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1024x818.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-300x240.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-768x614.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-1536x1228.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM-161x129.png 161w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.45.32\u202fPM.png 1554w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231900\" class=\"wp-caption-text\"><em>Figure 1. This image shows the malicious extension at the center of this campaign<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<p><span data-contrast=\"auto\">The dropped extension presents as a minimalist, legitimate-looking note-taking application branded as \u201cGoogle Notes,\u201d complete with a clean icon and a functional (&amp; simplistic) user interface. <\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The cover is calculated: a user who manually opens the extension finds something that behaves as advertised, dampening suspicion. 
The extension\u2019s malicious logic is implemented in background service-worker scripts and content scripts that operate entirely out of view of the UI.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><b><span data-contrast=\"auto\">A major red flag first appears when adding the extension, which requests security permissions and access that are disproportionate to a typical notes application:<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Access to all URLs, granting content-script injection into every site the user visits.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Browsing history access.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Read and write access to the clipboard.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Mitigation and Recommendations<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<h3 aria-level=\"3\"><span 
data-contrast=\"none\">For Consumers<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<ol>\n<li><span data-contrast=\"auto\">Before confirming any cryptocurrency transaction,\u00a0<\/span><b><span data-contrast=\"auto\">visually verify the first and last six characters of the\u00a0recipient\u00a0address<\/span><\/b><span data-contrast=\"auto\">\u00a0against the original source \u2014 ideally on a separate device.\u00a0This single habit defeats the overwhelming majority of clipper attacks.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Install browser extensions exclusively from the official Chrome Web Store<\/span><\/b><span data-contrast=\"auto\">, Edge Add-ons store, or equivalent. An extension that appears in your installed list without a clear memory of having installed it should be treated as suspicious.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Review the permissions granted to every installed extension<\/span><\/b><span data-contrast=\"auto\">. 
A note-taking tool has no legitimate need for access to all websites, browsing history, or\u00a0the clipboard.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Avoid running unsigned executables\u00a0<\/span><\/b><span data-contrast=\"auto\">obtained from non-authoritative sources, particularly those offering free or cracked versions of paid software \u2014 a common delivery vector for this category of installer.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Keep endpoint protection up to date and enabled<\/span><\/b><span data-contrast=\"auto\">; McAfee customers are protected against this specific campaign as described below.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<\/ol>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">McAfee security solutions help safeguard users at multiple levels:<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<h4><b><span data-contrast=\"auto\">1. 
McAfee detects this threat as CryptoStealer.NE and keeps our customers safe<\/span><\/b><span data-ccp-props=\"{}\">\u00a0<\/span><\/h4>\n<figure id=\"attachment_231915\" aria-describedby=\"caption-attachment-231915\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-231915\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1024x513.png\" alt=\"Figure 2. This image shows McAfee Antivirus blocking this threat for consumers. \" width=\"1024\" height=\"513\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1024x513.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-300x150.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-768x385.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-1536x770.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM-205x103.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.48.38\u202fPM.png 1608w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231915\" class=\"wp-caption-text\"><em>Figure 2. This image shows McAfee Antivirus blocking this threat for consumers.<\/em><\/figcaption><\/figure>\n<h4><b><span data-contrast=\"auto\">2. 
Malicious Download Protection<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">The installer\u2019s behavior\u2014downloading and executing remote payloads\u2014is flagged and blocked by McAfee before infection completes.<\/span><span data-contrast=\"auto\"> <\/span><span data-contrast=\"auto\">All the malicious domains and URLs are blocked by McAfee in our tests.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h4><b><span data-contrast=\"auto\">3. Network Protection<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">Connections to known malicious infrastructure (C2 servers) are blocked by McAfee, preventing wallet address retrieval.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<h4><b><span data-contrast=\"auto\">4. Real-Time Threat Intelligence<\/span><\/b><\/h4>\n<p><span data-contrast=\"auto\">Because this threat was identified in McAfee telemetry, protections can be rapidly deployed to:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Block similar variants<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Detect related infrastructure<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Protect customers globally<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h1><span class=\"TextRun SCXW230324404 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW230324404 BCX0\" data-ccp-parastyle=\"heading 1\">How The Threat Campaign Works<\/span><\/span><span class=\"EOP Selected TrackedChange SCXW230324404 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:360,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h1>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">What the Malware Does\u00a0<\/span><span 
data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<ol>\n<li><span data-contrast=\"auto\">Installs\u00a0a\u00a0<\/span><span data-contrast=\"auto\">browser\u00a0extension\u00a0silently (web extension sideloading)<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Monitors what you copy and paste (especially crypto addresses)<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Works when you are making a crypto transaction<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Silently replaces the wallet address with the attacker\u2019s address<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Your funds are sent to the attacker instead of the intended recipient<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ol>\n<p><span data-contrast=\"auto\">Because cryptocurrency transactions are typically\u00a0<\/span><b><span data-contrast=\"auto\">non-reversible<\/span><\/b><span data-contrast=\"auto\">, <strong>victims may permanently lose funds.<\/strong><\/span><strong>\u00a0<\/strong><\/p>\n<figure id=\"attachment_231930\" aria-describedby=\"caption-attachment-231930\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231930\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-1024x849.png\" alt=\"Figure 3. 
How the extension works in a nutshell \" width=\"1024\" height=\"849\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-1024x849.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-300x249.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-768x637.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM-156x129.png 156w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.52.11\u202fPM.png 1414w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231930\" class=\"wp-caption-text\"><em>Figure 3. How the extension works in a nutshell<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<h2><span class=\"TextRun SCXW178309168 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW178309168 BCX0\" data-ccp-parastyle=\"heading 2\">Key Capabilities Identified<\/span><\/span><span class=\"EOP Selected SCXW178309168 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<h3><span class=\"TextRun MacChromeBold SCXW263237166 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW263237166 BCX0\">1. Silent Extension Installation<\/span><\/span><span class=\"EOP Selected SCXW263237166 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<p><span data-contrast=\"auto\">The malware does not use the official browser store. 
Instead, it directly\u00a0modifies\u00a0browser files to make the extension appear installed.\u00a0(Sideloading Browser Extension)<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">This bypasses normal security prompts and user awareness.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231945\" aria-describedby=\"caption-attachment-231945\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231945\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1024x200.png\" alt=\"Figure 4. Procmon logs showing BaseZipInstaller (malicious web installer) writing into chrome and edge secure preference files \" width=\"1024\" height=\"200\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1024x200.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-300x59.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-768x150.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-1536x300.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM-205x40.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.56.11\u202fPM.png 1576w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231945\" class=\"wp-caption-text\"><em>Figure 4. 
Procmon logs showing BaseZipInstaller (malicious web installer) writing into Chrome and Edge secure preference files<\/em><\/figcaption><\/figure>\n<h3><span class=\"TextRun MacChromeBold SCXW45645796 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW45645796 BCX0\">2. Full Browser Access<\/span><\/span><span class=\"EOP Selected SCXW45645796 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_231962\" aria-describedby=\"caption-attachment-231962\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231962\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-1024x403.png\" alt=\"Figure 5. Chrome extension Permissions required \" width=\"1024\" height=\"403\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-1024x403.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-768x302.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-1.58.49\u202fPM.png 1184w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231962\" class=\"wp-caption-text\"><em>Figure 5. 
Chrome extension Permissions required<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_231977\" aria-describedby=\"caption-attachment-231977\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231977\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1024x544.png\" alt=\"Figure 6. Manifest file for web extension \" width=\"1024\" height=\"544\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1024x544.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-300x160.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-768x408.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-1536x817.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM-205x109.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.06.09\u202fPM.png 1610w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231977\" class=\"wp-caption-text\"><em>Figure 6. 
Manifest file for web extension<\/em><\/figcaption><\/figure>\n<p><span data-contrast=\"auto\">The malicious extension requests excessive permissions such as:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<ul>\n<li><span data-contrast=\"auto\">Access to all websites<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Reading browsing history<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Reading and\u00a0modifying\u00a0clipboard\u00a0content<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3><b><span data-contrast=\"auto\">3. Crypto Address Interception<\/span><\/b><\/h3>\n<p><span data-contrast=\"auto\">The extension\u00a0contains\u00a0logic to detect wallet addresses across multiple cryptocurrencies, including:<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_231992\" aria-describedby=\"caption-attachment-231992\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-231992\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1024x357.png\" alt=\"Figure 7. 
Hardcoded cryptocurrency Regex and fallback address\" width=\"1024\" height=\"357\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1024x357.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-300x104.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-768x268.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-1536x535.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM-205x71.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.07.40\u202fPM.png 1602w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-231992\" class=\"wp-caption-text\"><em>Figure 7. Hardcoded cryptocurrency Regex and fallback address<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">The fallback wallet addresses shown in the code are not used for every transaction; instead, they serve as a backup mechanism when dynamic address retrieval from the attacker-controlled server fails.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Under normal operation, the extension fetches replacement addresses from a remote server, enabling dynamic and potentially per-victim wallet assignment.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Fallback addresses ensure the attack\u00a0remains\u00a0functional even if the command-and-control infrastructure is temporarily unavailable or blocked.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232007\" aria-describedby=\"caption-attachment-232007\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img 
loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232007\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1024x259.png\" alt=\"Figure 8. Malicious extension performing dynamic crypto address resolution \" width=\"1024\" height=\"259\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1024x259.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-300x76.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-768x194.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-1536x389.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM-205x52.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.08.43\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232007\" class=\"wp-caption-text\"><em>Figure 8. 
Malicious extension performing dynamic crypto address resolution<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">This function\u00a0is responsible for\u00a0obtaining the attacker-controlled replacement wallet address corresponding to a victim\u2019s original address.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It sends the intercepted wallet address to the attacker backend and uses the response to dynamically substitute the original address.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">If the backend request fails, the function falls back to a predefined hardcoded wallet address, ensuring uninterrupted malicious activity.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">3J98t1Wxxxx is the address that was copied to the clipboard.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3><span class=\"TextRun MacChromeBold SCXW175329495 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW175329495 BCX0\">4. Detection Evasion and Stealth<\/span><\/span><span class=\"EOP Selected SCXW175329495 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_232022\" aria-describedby=\"caption-attachment-232022\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232022\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1024x476.png\" alt=\"Figure 8. 
settings.js file which shows config \" width=\"1024\" height=\"476\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1024x476.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-300x139.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-768x357.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-1536x714.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM-205x95.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.13.51\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232022\" class=\"wp-caption-text\"><em>Figure 8. Settings.js file which shows config<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">The configuration includes a hardcoded API key, which is used by the extension to authenticate communication with attacker-controlled infrastructure.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">An RPC URL pointing to a public blockchain node is\u00a0leveraged\u00a0to dynamically resolve backend server information, allowing the attacker to hide critical infrastructure behind decentralized systems.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The presence of a smart contract address and method\u00a0indicates\u00a0that the malware retrieves its command-and-control (C2) domain indirectly via blockchain queries, making takedown and tracking more difficult.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The blacklisted domains setting contains a list of blockchain inspection related websites on which the extension will not operate; this avoids alerting the victim while they paste their own address to view their wallet balance or inspect their wallet transactions.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232037\" aria-describedby=\"caption-attachment-232037\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232037\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1024x425.png\" alt=\"Figure 9. Resolving attacker C2 domain via Ethereum smart contract (etherhiding) \" width=\"1024\" height=\"425\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1024x425.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-300x124.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-768x318.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-1536x637.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM-205x85.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.17.42\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232037\" class=\"wp-caption-text\"><em>Figure 9. 
Resolving attacker C2 domain via Ethereum smart contract (etherhiding)<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232052\" aria-describedby=\"caption-attachment-232052\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232052\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1024x294.png\" alt=\"Figure 10. Request payload with Ethereum contract address \" width=\"1024\" height=\"294\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1024x294.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-300x86.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-768x220.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-1536x441.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM-205x59.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.19.26\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232052\" class=\"wp-caption-text\"><em>Figure 10. 
Request payload with Ethereum contract address<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">Dynamic analysis revealed that the malware resolves its command-and-control domain via a blockchain smart contract, which returned the domain\u00a0<\/span><b><i><span data-contrast=\"auto\">devops-offensive[.]cc<\/span><\/i><\/b><span data-contrast=\"auto\">\u00a0at runtime.\u00a0<\/span><span data-ccp-props=\"{&quot;335559685&quot;:90,&quot;335559991&quot;:180}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The response from the blockchain is decoded at runtime, revealing the active C2 domain (devops-offensive.cc).\u00a0<\/span><span data-ccp-props=\"{&quot;335559685&quot;:90,&quot;335559991&quot;:180}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">This domain is not hardcoded, enabling the attacker to update infrastructure without\u00a0modifying\u00a0the malware.\u00a0<\/span><span data-ccp-props=\"{&quot;335559685&quot;:90,&quot;335559991&quot;:180}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The resolved domain is cached locally to\u00a0maintain\u00a0persistence and reduce repeated network queries.<\/span><span data-ccp-props=\"{&quot;335559685&quot;:90,&quot;335559991&quot;:180}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232067\" aria-describedby=\"caption-attachment-232067\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-232067\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1024x258.png\" alt=\"Figure 11. 
This image shows the long-encoded string with the malicious domain \" width=\"1024\" height=\"258\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1024x258.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-300x76.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-768x194.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-1536x387.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM-205x52.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.21.03\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232067\" class=\"wp-caption-text\"><em>Figure 11. 
This image shows the long-encoded string with the malicious domain<\/em><\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW196653296 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW196653296 BCX0\">This long encoded string is decoded using this function to yield the final attacker domain.<\/span><\/span><\/p>\n<figure id=\"attachment_232082\" aria-describedby=\"caption-attachment-232082\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-suspicious-alt size-large wp-image-232082\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1024x252.png\" alt=\"Figure 12. 
This image shows the final attacker domain \" width=\"1024\" height=\"252\" data-warning=\"Suspicious alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1024x252.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-300x74.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-768x189.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-1536x378.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM-205x51.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.22.15\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232082\" class=\"wp-caption-text\"><em>Figure 12. This image shows the final attacker domain<\/em><\/figcaption><\/figure>\n<h2><span class=\"TextRun SCXW127612542 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW127612542 BCX0\" data-ccp-parastyle=\"heading 2\">Persistence and Evasion Techniques<\/span><\/span><span class=\"EOP Selected SCXW127612542 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span class=\"TextRun SCXW32004784 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW32004784 BCX0\">The campaign\u2019s persistence and\u00a0<\/span><span class=\"NormalTextRun ContextualSpellingAndGrammarErrorV2Themed SCXW32004784 BCX0\">evasion<\/span><span class=\"NormalTextRun SCXW32004784 BCX0\">\u00a0posture is deliberate and layered. 
The operator has clearly\u00a0<\/span><span class=\"NormalTextRun SpellingErrorV2Themed SCXW32004784 BCX0\">optimized<\/span><span class=\"NormalTextRun SCXW32004784 BCX0\">\u00a0for two properties: low visibility to the end user, and high resilience against takedown and static analysis.<\/span><\/span><span class=\"EOP Selected TrackedChange SCXW32004784 BCX0\" data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:300}\">\u00a0<\/span><\/p>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Persistence<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<ul>\n<li><span data-contrast=\"auto\">Extension registration through Secure Preferences tampering ensures the extension loads on every\u00a0subsequent\u00a0browser launch without requiring any auxiliary Windows persistence mechanism \u2014\u00a0<\/span><b><i><span data-contrast=\"auto\">no registry Run keys, scheduled tasks, or services that endpoint hunters typically inspect.<\/span><\/i><\/b><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Developer mode is enabled programmatically where\u00a0required, allowing unpacked extensions to persist without triggering the periodic \u201cunpacked extensions warning\u201d flow that Chromium displays to dissuade sideloading.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The cached C2 domain allows the extension to continue\u00a0operating\u00a0against a known-good backend even if the blockchain RPC endpoint is briefly unavailable.<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<\/ul>\n<h3 aria-level=\"3\"><span data-contrast=\"none\">Evasion<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<ul>\n<li><span data-contrast=\"auto\">The extension\u2019s visible identity \u2014 a simple \u201cGoogle Notes\u201d note-taking application \u2014 provides plausible cover against casual inspection of the installed extensions list.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Recomputed HMAC\u00a0<\/span><span data-contrast=\"auto\">values satisfy Chromium\u2019s integrity verification, avoiding the \u201cextension installed by an unknown source\u201d warning banner that would otherwise alert the user.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The installer self-deletes after execution, removing the most obvious on-disk indicator of\u00a0<\/span><span data-contrast=\"auto\">initial\u00a0compromise.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">C2<\/span><span data-contrast=\"auto\">\u00a0resolution through a public blockchain means that there is no persistent C2 domain observable in the malware bundle itself; network-based detections built against hardcoded indicators will not fire until the domain is resolved and contacted.<\/span><span 
data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Multi-language installer variants (.NET and Golang) reduce the effectiveness of compile-artifact and binary-feature signatures.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Per-address dynamic wallet substitution means that published\u00a0attacker addresses\u00a0age rapidly and\u00a0do\u00a0not\u00a0generalize\u00a0into durable blocklist entries \u2014 the defender must block the backend service itself, not the addresses it dispenses.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2><span class=\"TrackedChange SCXW175054041 BCX0\"><span class=\"TextRun SCXW175054041 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW175054041 BCX0\" data-ccp-parastyle=\"heading 2\">Wallet Substitution Logic<\/span><\/span><\/span><span class=\"EOP Selected SCXW175054041 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">The clipper logic sits in two layers: a content-script layer that\u00a0monitors\u00a0clipboard activity and DOM input fields across every visited origin, and a background layer that communicates with the attacker backend to retrieve replacement addresses.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:300}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">When the extension\u00a0observes\u00a0a copy 
event, it\u00a0applies\u00a0a set of cryptocurrency-specific regular expressions to the clipboard payload. If a match is found, the intercepted address is transmitted to the attacker<\/span><span data-contrast=\"auto\">\u2019s<\/span><span data-contrast=\"auto\">\u00a0backend over an authenticated request (authenticated with the API key embedded in the configuration). The backend responds with a replacement address specific to the submitted original, and that replacement is written back to the clipboard, overwriting the legitimate address before the victim can paste.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:300}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">Testing against a reconstructed backend client \u2014 built by re-implementing the extension\u2019s request format and response-decoding logic in Python \u2014 produced a revealing\u00a0behavioural\u00a0profile:<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:300}\">\u00a0<\/span><\/p>\n<ul>\n<li><b><span data-contrast=\"auto\">Bitcoin<\/span><\/b><b><span data-contrast=\"auto\">\u00a0(BTC), Ethereum, Bitcoin Cash, Ripple, and Dash:\u00a0<\/span><\/b><span data-contrast=\"auto\">Each\u00a0submitted\u00a0address is mapped to a unique attacker-controlled address. 
Re-submitting the same original returns the same replacement,\u00a0indicating\u00a0a deterministic one-to-one\u00a0mapping maintained\u00a0server-side.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<li><b><span data-contrast=\"auto\">Solana:\u00a0<\/span><\/b><span data-contrast=\"auto\">All\u00a0submitted\u00a0addresses collapse to a single attacker address, suggesting the per-victim mapping feature is selectively implemented per chain.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335559685&quot;:540,&quot;335559739&quot;:0,&quot;335559740&quot;:300,&quot;335559991&quot;:270}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2><span class=\"TextRun SCXW166026346 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SpellingErrorV2Themed SCXW166026346 BCX0\" data-ccp-parastyle=\"heading 2\">Analyzing<\/span><span class=\"NormalTextRun SCXW166026346 BCX0\" data-ccp-parastyle=\"heading 2\">\u00a0Attacker Crypto Wallets<\/span><\/span><span class=\"EOP Selected SCXW166026346 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">Based on the\u00a0code\u00a0snippets from the web extension responsible for retrieving replacement addresses, a Python script was prepared to programmatically extract attacker wallet addresses. The payload was crafted using the attacker&#8217;s own code, and the &#8220;get replacement address&#8221; snippet was lifted directly from it. 
The attacker&#8217;s logic for decoding data received from the C2 server was also faithfully reimplemented in the script.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The script was then executed using a few test Bitcoin\u00a0(BTC)\u00a0wallet addresses. The results showed that for every Bitcoin address provided, a unique Bitcoin address was returned in response, and\u00a0all of\u00a0these returned addresses were\u00a0valid\u00a0BTC wallets. This\u00a0indicates\u00a0that for every BTC address supplied, the attacker dynamically generates a new wallet tied to that specific input address. Furthermore, when the same address was provided again, the same BTC address was returned \u2014 confirming that\u00a0<\/span><b><span data-contrast=\"auto\">each\u00a0victim\u00a0BTC address is deterministically mapped to a single, specific attacker-controlled address<\/span><\/b><span data-contrast=\"auto\">. While some of these attacker wallets\u00a0contained\u00a0funds and others were empty, the unknown total number of attacker wallets makes it difficult to put a reliable estimate on how much cryptocurrency has been stolen overall.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">The same\u00a0behavior\u00a0was\u00a0observed\u00a0for Ethereum, where different wallet addresses were returned for each input. Interestingly, when the script was tested with Solana addresses, only a single address was returned regardless of how many different inputs were provided. This suggests that the attacker has implemented the per-address mapping feature only for specific cryptocurrencies, while others fall back to a single static drop wallet. Because the Solana address is shared across all victims, a noticeable bump in its balance is visible. 
Additionally, one of the Ethereum addresses uncovered was found to be holding approximately 1,902 USD worth of funds.<\/span><span data-ccp-props=\"{&quot;335559738&quot;:240,&quot;335559739&quot;:240}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">In summary, the <strong>cryptocurrencies<\/strong> for which unique per-victim wallet addresses are generated<strong> include Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash.<\/strong><\/span><strong>\u00a0<\/strong><\/p>\n<figure id=\"attachment_232098\" aria-describedby=\"caption-attachment-232098\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232098\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1024x455.png\" alt=\"Fig 13. Payload was crafted as attacker code \" width=\"1024\" height=\"455\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1024x455.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-300x133.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-768x342.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-1536x683.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM-205x91.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.28.41\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232098\" class=\"wp-caption-text\"><em>Fig 13. 
Payload was crafted as attacker code<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232113\" aria-describedby=\"caption-attachment-232113\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232113\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1024x426.png\" alt=\"Fig 14.Getting replacement address code snippet taken from attacker code \" width=\"1024\" height=\"426\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1024x426.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-300x125.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-768x319.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-1536x638.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM-205x85.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.29.33\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232113\" class=\"wp-caption-text\"><em>Fig 14. Getting the replacement address code snippet taken from attacker code<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232128\" aria-describedby=\"caption-attachment-232128\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232128\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1024x353.png\" alt=\"Fig 15. 
Attackers logic of decoding received data from c2 was also implemented \" width=\"1024\" height=\"353\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1024x353.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-300x103.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-768x265.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-1536x530.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM-205x71.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.30.24\u202fPM.png 1920w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232128\" class=\"wp-caption-text\"><em>Fig 15. Attackers&#8217; logic of decoding received data from C2 was also implemented<\/em><\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW94149359 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW94149359 BCX0\">Running the script with a few test Bitcoin wallet addresses:<\/span><\/span><span class=\"EOP Selected SCXW94149359 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_232143\" aria-describedby=\"caption-attachment-232143\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232143\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1024x977.png\" alt=\"Fig 16. 
Every bitcoin address a unique bitcoin address was returned and All addresses are valid BTC wallet address \" width=\"1024\" height=\"977\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1024x977.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-300x286.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-768x733.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-1536x1466.png 1536w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-135x129.png 135w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-22-at-2.31.31\u202fPM.png 1670w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232143\" class=\"wp-caption-text\"><em>Fig 16. Every unique Bitcoin address was returned and all addresses are valid BTC wallet addresses<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232161\" aria-describedby=\"caption-attachment-232161\" style=\"width: 992px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-232161\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM.png\" alt=\"Fig 17. 
Similarly, Ethereum saw unique addresses\" width=\"992\" height=\"966\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM.png 992w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-300x292.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-768x748.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-132x129.png 132w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-24x24.png 24w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.36.11\u202fPM-48x48.png 48w\" sizes=\"auto, (max-width: 992px) 100vw, 992px\" \/><figcaption id=\"caption-attachment-232161\" class=\"wp-caption-text\"><em>Fig 17. Similarly, Ethereum saw unique addresses<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232176\" aria-describedby=\"caption-attachment-232176\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232176\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-1024x766.png\" alt=\"Figure 18: Running Script for Test Solana Addresses \" width=\"1024\" height=\"766\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-1024x766.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-300x224.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-768x575.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM-172x129.png 172w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.38.00\u202fPM.png 1064w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232176\" class=\"wp-caption-text\">Figure 18: Running Script for Test Solana Addresses<\/figcaption><\/figure>\n<p><span class=\"TextRun SCXW7609193 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW7609193 BCX0\">Luckily, for Solana we get back only one address when given multiple addresses. This shows that the attacker has implemented the address-mapping feature only for specific cryptocurrencies.<\/span><\/span><span class=\"EOP Selected SCXW7609193 BCX0\" data-ccp-props=\"{&quot;335559685&quot;:720}\">\u00a0<\/span><\/p>\n<figure id=\"attachment_232191\" aria-describedby=\"caption-attachment-232191\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232191\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-1024x401.png\" alt=\"Fig. 
19 Here you can see a bump in the balance amount\" width=\"1024\" height=\"401\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-1024x401.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-768x301.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM-205x80.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.39.10\u202fPM.png 1250w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232191\" class=\"wp-caption-text\"><em>Fig. 19 Here you can see a bump in the balance amount<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232206\" aria-describedby=\"caption-attachment-232206\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232206\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-1024x580.png\" alt=\"Fig 20. 
The ETH address was found to have 1902 USD\" width=\"1024\" height=\"580\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-1024x580.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-300x170.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-768x435.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM-205x116.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.40.56\u202fPM.png 1310w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232206\" class=\"wp-caption-text\"><em>Fig 20. The ETH address was found to have 1902 USD<\/em><\/figcaption><\/figure>\n<h3><span class=\"TextRun SCXW154641437 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW154641437 BCX0\" data-ccp-parastyle=\"heading 3\">Technical Analysis of the .NET file (Extension installer)<\/span><\/span><span class=\"EOP Selected SCXW154641437 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h3>\n<figure id=\"attachment_232222\" aria-describedby=\"caption-attachment-232222\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232222\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-1024x817.png\" alt=\"Fig. 21 BaseZipInstaller is a .NET installer which is unsigned \" width=\"1024\" height=\"817\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-1024x817.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-300x239.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-768x613.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM-162x129.png 162w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.42.26\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232222\" class=\"wp-caption-text\"><em>Fig. 21 BaseZipInstaller is a .NET installer which is unsigned<\/em><\/figcaption><\/figure>\n<p>&nbsp;<\/p>\n<figure id=\"attachment_232237\" aria-describedby=\"caption-attachment-232237\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232237\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-1024x485.png\" alt=\"Fig. 
22 Stored Config as seen in Dnspy\" width=\"1024\" height=\"485\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-1024x485.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-300x142.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-768x364.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM-205x97.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.47.28\u202fPM.png 1274w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232237\" class=\"wp-caption-text\"><em>Fig. 22 Stored Config as seen in Dnspy<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">The malware embeds a complete\u00a0configuration\u00a0JSON directly within the binary,\u00a0eliminating\u00a0the need to fetch initial setup data from external sources.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">This embedded configuration includes critical details such as API keys, backend server URL, targeted wallet extensions, and the full extension manifest with extensive permissions.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232252\" aria-describedby=\"caption-attachment-232252\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232252\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-1024x404.png\" alt=\"Fig 23: Main function from where execution starts \" width=\"1024\" height=\"404\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-1024x404.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-300x118.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-768x303.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.48.57\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232252\" class=\"wp-caption-text\"><em>Fig 23: Main function from where execution starts<\/em><\/figcaption><\/figure>\n<ul>\n<li><span class=\"TextRun SCXW122609328 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW122609328 BCX0\">The installer retrieves and\u00a0<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">validates<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">\u00a0a remote ZIP archive<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">\u00a0(google-services<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">[<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">.<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">]<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">cc\/base<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">[<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">.<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">]<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">zip)<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">, which serves as the primary payload for deploying the malicious browser extension, marking the transition from\u00a0<\/span><span class=\"NormalTextRun SCXW122609328 BCX0\">initial<\/span><span class=\"NormalTextRun 
SCXW122609328 BCX0\">\u00a0infection to browser-level compromise.<\/span><\/span><span class=\"EOP Selected SCXW122609328 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232267\" aria-describedby=\"caption-attachment-232267\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232267\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-1024x367.png\" alt=\"Fig. 24 The extension is created at the following location In system with files which are downloaded as base.zip.\" width=\"1024\" height=\"367\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-1024x367.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-300x107.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-768x275.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM-205x73.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.50.35\u202fPM.png 1284w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232267\" class=\"wp-caption-text\"><em>Fig. 24 The extension is created at the following location in the system with files that are downloaded as base.zip.<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232282\" aria-describedby=\"caption-attachment-232282\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232282\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-1024x460.png\" alt=\"Fig. 
25: Dnspy showing the list of targeted browsers\" width=\"1024\" height=\"460\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-1024x460.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-300x135.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-768x345.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM-205x92.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.53.08\u202fPM.png 1268w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232282\" class=\"wp-caption-text\"><em>Fig. 25: Dnspy showing the list of targeted browsers<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">The installer iterates through multiple Chromium-based browsers, including Chrome, Edge, Opera, and Brave,\u00a0identifying\u00a0available user profiles on the system.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">For each detected profile, the malware forcibly\u00a0terminates\u00a0the browser process to safely\u00a0modify\u00a0configuration files without interference.\u00a0<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It then injects the malicious extension by directly\u00a0modifying\u00a0Secure Preferences and Preferences, enabling the extension to be loaded without user interaction.<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/li>\n<\/ul>\n<div class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" class=\"wpa-warning wpa-image-missing-alt aligncenter wp-image-232298 size-large\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-1024x637.png\" alt=\"more 
code\" width=\"1024\" height=\"637\" data-warning=\"Missing alt text\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-1024x637.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-300x187.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-768x478.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM-205x127.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.54.05\u202fPM.png 1280w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/div>\n<ul>\n<li><span data-contrast=\"auto\">The malware\u00a0identifies\u00a0browser installation paths by querying standard system directories, enabling it to\u00a0locate\u00a0user data folders for Chrome, Edge, Opera, and Brave.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It systematically\u00a0enumerates\u00a0browser profiles and specifically looks for the presence of the Secure Preferences file, which stores critical browser configuration and extension data.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">By targeting profiles with Secure Preferences, the malware ensures it\u00a0modifies\u00a0only valid browser environments, increasing the reliability of extension injection.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232313\" aria-describedby=\"caption-attachment-232313\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232313\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-1024x208.png\" alt=\"We can see writefile Event on Secure preferences file of chrome and MS Edge , when details of downloaded extension are written to those config files \" width=\"1024\" height=\"208\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-1024x208.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-300x61.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-768x156.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM-205x42.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.55.50\u202fPM.png 1140w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232313\" class=\"wp-caption-text\"><em>We can see writefile Event on Secure preferences file of chrome and MS Edge , when details of downloaded extension are written to those config files<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232328\" aria-describedby=\"caption-attachment-232328\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232328\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-1024x403.png\" alt=\"Fig 27 Attacker logic to resign the secure preference files\" width=\"1024\" height=\"403\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-1024x403.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-300x118.png 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-768x302.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM-205x81.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.56.45\u202fPM.png 1276w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232328\" class=\"wp-caption-text\"><em>Fig 27 Attacker logic to resign the secure preference files<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">The malware reads and\u00a0modifies\u00a0the\u00a0browser\u2019s\u00a0Secure Preferences file, which controls installed extensions and their trust state.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It injects the malicious extension into the configuration and\u00a0attempts\u00a0to re-sign the modified data, making the changes appear legitimate to the browser\u2019s integrity checks.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">The updated configuration is then written back to disk, ensuring the extension is loaded automatically and persists across browser restarts.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232343\" aria-describedby=\"caption-attachment-232343\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232343\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-1024x156.png\" alt=\"Fig 27B :Extension path is added to chrome secure preferences file\" width=\"1024\" height=\"156\" 
srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-1024x156.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-300x46.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-768x117.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM-205x31.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.58.03\u202fPM.png 1158w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232343\" class=\"wp-caption-text\"><em>Fig 27B :Extension path is added to chrome secure preferences file<\/em><\/figcaption><\/figure>\n<figure id=\"attachment_232358\" aria-describedby=\"caption-attachment-232358\" style=\"width: 968px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-232358\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM.png\" alt=\"Fig 28: Logic to Manipulate defenses of Brave Bowser \" width=\"968\" height=\"560\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM.png 968w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-300x174.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-768x444.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-2.59.06\u202fPM-205x119.png 205w\" sizes=\"auto, (max-width: 968px) 100vw, 968px\" \/><figcaption id=\"caption-attachment-232358\" class=\"wp-caption-text\"><em>Fig 28: Logic to Manipulate defenses of Brave Bowser<\/em><\/figcaption><\/figure>\n<ul>\n<li><span 
data-contrast=\"auto\">For browsers such as Brave and Opera, the malware injects the malicious extension directly into the\u00a0browser\u2019s\u00a0configuration by adding entries under the\u00a0extensions.settings\u00a0(or\u00a0extensions.opsettings) section.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It also updates integrity-related fields (protection.macs) to make the injected extension appear trusted by the browser.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">Additionally, the malware\u00a0attempts\u00a0to enable developer mode programmatically, allowing unpacked extensions to run with fewer restrictions.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232373\" aria-describedby=\"caption-attachment-232373\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232373\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-1024x704.png\" alt=\"Fig 29: Attacker logic to get device ID used to further calculate integrity Values \" width=\"1024\" height=\"704\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-1024x704.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-300x206.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-768x528.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM-188x129.png 188w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.00.10\u202fPM.png 1272w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232373\" class=\"wp-caption-text\"><em>Fig 29: Attacker logic to get device ID used to further calculate integrity Values<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">The malware\u00a0attempts\u00a0to recompute browser integrity signatures by generating new MAC (Message Authentication Code) values for the modified Secure Preferences file.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It uses system-specific identifiers, such as the machine SID, combined with a seed value to mimic Chrome\u2019s internal verification mechanism.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">By recalculating these integrity checks (macs and\u00a0super_mac), the malware tries to make its unauthorized modifications appear legitimate to the browser.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<figure id=\"attachment_232388\" aria-describedby=\"caption-attachment-232388\" style=\"width: 1024px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-232388\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-1024x507.png\" alt=\"Figure 30 Self Deletion Logic\" width=\"1024\" height=\"507\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-1024x507.png 1024w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-300x149.png 300w, 
https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-768x380.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM-205x102.png 205w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2026\/06\/Screenshot-2026-06-23-at-3.07.11\u202fPM.png 1252w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption id=\"caption-attachment-232388\" class=\"wp-caption-text\"><em>Figure 30 Self-Deletion Logic<\/em><\/figcaption><\/figure>\n<ul>\n<li><span data-contrast=\"auto\">The malware includes a self-deletion mechanism designed to remove the installer executable after successful execution.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<li><span data-contrast=\"auto\">It launches a hidden command prompt process that delays execution briefly before\u00a0deleting\u00a0the original file from\u00a0disk.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:6,&quot;335551620&quot;:6}\">\u00a0<\/span><\/li>\n<\/ul>\n<h2 aria-level=\"2\"><span data-contrast=\"none\">Conclusion<\/span><span data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335559738&quot;:160,&quot;335559739&quot;:80}\">\u00a0<\/span><\/h2>\n<p><span data-contrast=\"auto\">This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading. The operator has taken the oldest and simplest category of crypto malware \u2014 the clipper \u2014 and quietly upgraded three of its weakest links. Static attacker addresses have been replaced with\u00a0a server-side, per-victim mapping. Fragile, hardcoded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction. 
And a fragile dropper has been replaced with a Chromium extension that lives inside the user\u2019s most trusted application, loaded under the browser\u2019s own integrity signature.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:300}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\"><strong>McAfee will continue to track this campaign and related infrastructure<\/strong>. Our customers are protected by existing detections and will benefit from telemetry-driven updates as new variants and rotated infrastructure are identified.<\/span><span data-ccp-props=\"{&quot;201341983&quot;:0,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559740&quot;:300}\">\u00a0<\/span><\/p>\n<h2><span class=\"TextRun MacChromeBold SCXW61108569 BCX0\" lang=\"EN-US\" xml:lang=\"EN-US\" data-contrast=\"none\"><span class=\"NormalTextRun SCXW61108569 BCX0\" data-ccp-parastyle=\"heading 1\">Indicators of Compromise<\/span><\/span><span class=\"EOP Selected SCXW61108569 BCX0\" data-ccp-props=\"{&quot;134245418&quot;:true,&quot;134245529&quot;:true,&quot;335551550&quot;:6,&quot;335551620&quot;:6,&quot;335559738&quot;:360,&quot;335559739&quot;:200}\"> (IOC)<\/span><\/h2>\n<table style=\"font-weight: 400;\" data-tablestyle=\"MsoNormalTable\" data-tablelook=\"1184\" aria-rowcount=\"8\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Type<\/span><\/b><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Category<\/span><\/b><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><b><span data-contrast=\"none\">Value<\/span><\/b><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">SHA-256<\/span><span 
data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">.NET Installer (BaseZipInstaller)<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">SHA-256<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Golang-compiled Installer Variant<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"auto\">11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962\u2003\u2003<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"auto\">1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d\u2003\u2003<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">URL<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Payload distribution<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">hxxps:\/\/google-services[.]cc\/base[.]zip<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td 
data-celllook=\"69905\"><span data-contrast=\"none\">Domain<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Command-and-Control (resolved via smart contract)<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">devops-offensive[.]cc<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">Zebregts[.]com<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">BTC wallet<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Crypto wallet<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/p>\n<p><span data-contrast=\"none\">1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"7\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Artifact<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Sideload target<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Chromium Secure Preferences file (Chrome, Edge, Brave, 
Opera profiles)<\/span><span data-ccp-props=\"{&quot;335559739&quot;:0}\">\u00a0<\/span><\/td>\n<\/tr>\n<tr aria-rowindex=\"8\">\n<td data-celllook=\"69905\"><span data-contrast=\"none\">Extension files<\/span><span data-ccp-props=\"{}\">\u00a0<\/span><\/td>\n<td data-celllook=\"69905\"><p><span data-contrast=\"none\">manifest.json<\/span><\/p>\n<p><span data-contrast=\"none\">crypto-patterns.js<\/span><\/p>\n<p><span data-contrast=\"none\">Interceptor.js<\/span><\/p>\n<p><span data-contrast=\"none\">content-script.j<\/span><\/p>\n<p><span data-contrast=\"none\">cache.js<\/span><\/p>\n<p><span data-contrast=\"none\">domain-resolver.js<\/span><\/p>\n<p><span data-contrast=\"none\">service-worker.js<\/span><\/p>\n<p><span data-contrast=\"none\">api-client.js<\/span><\/p><\/td>\n<td data-celllook=\"69905\"><p><span data-contrast=\"none\">ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c<\/span><\/p>\n<p><span data-contrast=\"none\">daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b<\/span><\/p>\n<p><span data-contrast=\"none\">6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5<\/span><\/p>\n<p><span 
data-contrast=\"none\">a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01<\/span><\/p>\n<p><span data-contrast=\"none\">eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c<\/span><\/p>\n<p><span data-contrast=\"none\">6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8<\/span><\/p>\n<p><span data-contrast=\"none\">2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3<\/span><\/p>\n<p><span data-contrast=\"none\">ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2<\/span><\/p><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>Authored by Neil Tyagi Executive Summary\u00a0 McAfee Advanced Threat Research has\u00a0identified\u00a0an active browser-extension campaign designed to steal cryptocurrency by silently&#8230;<\/p>\n","protected":false},"author":695,"featured_media":209097,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[10667,10661,1838,12,442],"tags":[],"coauthors":[4136,16933],"class_list":["post-231741","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-news","category-internet-security","category-mobile-security","category-family-safety","category-mcafee-labs"],"acf":[]}