Genesis Market - Malicious Browser Extension
ID: 547def11-7c8e-586e-b376-7fb01d8ae2b2
STIX ID: report--547def11-7c8e-586e-b376-7fb01d8ae2b2
Feed Name: Cybereason Blog
Cybereason GSOC analyzed a LummaStealer campaign that installs a malicious Genesis Market browser extension via a multi-stage installer (ZIP -> MSI -> DLL -> obfuscated PowerShell). The extension targets Chrome, Edge, Brave and Opera to collect cookies, clipboard, payment and crypto data, screenshots, emails (including 2FA codes), installed extensions and filesystem artifacts, communicates with attacker C2s (resolved via blockchain transactions and WebSocket reverse proxies), and provides persistence and remote control; the report includes IoCs, MITRE mappings and containment/remediation guidance.
