
SharpTongue Deploys Clever Mail-Stealing Browser Extension “SHARPEXT”

ID: ab594fc6-2b9f-5a5b-ac0d-ce5c5701478c

STIX ID: report--ab594fc6-2b9f-5a5b-ac0d-ce5c5701478c

Feed Name: Volexity Blog

Threat Score: 88/100

Date Published: 2022-07-28

Date Updated: 2026-05-01


Volexity documents SharpTongue (Kimsuky) deploying a malicious Chromium-based browser extension called SHARPEXT to exfiltrate email and attachments from victims' Gmail and AOL webmail sessions. The attacker manually harvests and replaces users' Secure Preferences to install the extension, uses PowerShell to enable and hide DevTools, and loads most logic from a C2 to avoid detection; Volexity observed multiple incidents with thousands of emails stolen and provides IOCs, YARA rules, and mitigation guidance.
