Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure
ID: 6546734b-396d-566f-8b17-b75b9e2b77e6
STIX ID: report--6546734b-396d-566f-8b17-b75b9e2b77e6
Feed Name: Hunt.io Blog
In December 2024, a phishing-driven compromise of a Chrome extension allowed a malicious update to exfiltrate cookies and session data. Researchers pivoted on a recurring Let's Encrypt TLS certificate to identify a cluster of approximately 19 servers (mostly hosted on Vultr/The Constant Company), enumerate many domains and IPs used as C2 or supporting infrastructure, and surface IoCs that point to a long-running, financially motivated campaign possibly targeting Facebook advertising accounts, although definitive attribution has not been established.