Malicious Google Notes Extension Swaps Crypto Wallet Addresses During Transactions
ID: ab5438f0-6bec-5064-94c4-9213e8dc2be9
STIX ID: report--ab5438f0-6bec-5064-94c4-9213e8dc2be9
Feed Name: GBHackers
McAfee documents a sophisticated, active campaign that installs a malicious Chromium extension (CryptoStealer.NE / “Google Notes”) by directly modifying browser Secure Preferences to sideload the extension and recalculating integrity fields; the extension monitors clipboard copy/paste to detect crypto addresses and replaces them with attacker-controlled ones. The malware resolves backend infrastructure dynamically via a smart-contract call to public blockchain RPC endpoints, complicating takedown and detection; the report includes technical IOCs (installer and extension hashes, malicious URL, domains, and wallet addresses), telemetry, and mitigation guidance.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
