Malicious Chromium Extension Undermines Cryptocurrency Transactions
In recent cybersecurity news, a highly sophisticated campaign has emerged that delivers a malicious Chromium extension, designed to stealthily alter cryptocurrency wallet addresses during transactions. This alarming technique puts users at significant financial risk, as it can lead to irreversible losses without their knowledge.
The campaign is executed through unsigned installers that have been detected in both .NET and Golang variants. The malicious payload cleverly masquerades as a minimalist "Google Notes" browser extension, misleading users into believing they are installing a useful productivity tool.
Once deployed, the extension operates as a clipboard-aware crypto clipper: it monitors the clipboard for copy-and-paste activity, recognizes wallet addresses across various blockchain networks, and replaces the copied address with one controlled by the attacker right before the user pastes it. Because the swap happens silently on the clipboard, victims rarely realize they have been targeted until the funds are gone.
To successfully deploy this extension, the installers exploit vulnerabilities associated with the trust layer of Chromium. Instead of seeking approval from official extension stores, the installer scours user profiles across popular browsers like Chrome, Edge, and Brave. It forcefully terminates active browser processes and directly modifies essential files, such as the Secure Preferences and Preferences files, to register the fraudulent extension.
To bypass various integrity checks, the malware recalculates and writes back verification fields (super_mac/mac) derived from system-specific identifiers, such as the machine SID, combined with a seed value. This technical maneuver allows the extension to load silently on older Chromium builds. In cases where the browsers are updated, the attackers rely on social engineering tactics or programmatic methods to enable developer or unpacked-extension modes, ensuring persistence. Once the installation is complete, the installer self-deletes, leaving behind minimal traces on the user’s system.
An additional facet of this campaign involves the extension’s utilization of blockchain-resolved command-and-control (C2) mechanisms. Instead of hardcoding a domain for attacker communications, the extension queries a public blockchain RPC endpoint and invokes a read-only smart contract method. This approach offers an added layer of obfuscation, as the contract returns an encoded string that the extension decodes in real-time to disclose the active backend domain. Observed domains include devops-offensive.cc and Zebregts.com.
This blockchain-resolved C2 technique, often referred to as “EtherHiding”, gives the campaign a continuously rotating infrastructure that is hard to detect and take down. By updating an on-chain value, the operators avoid leaving static C2 indicators, which complicates network detection and takedown efforts.
The extension is granted excessive permissions, providing unfettered access to all URLs, browsing history, and clipboard functionality. Its malicious logic is cleverly divided between content scripts and background service workers. The content scripts are responsible for monitoring copy events, applying regular expressions specific to cryptocurrency addresses to detect targets for Bitcoin, Ethereum, Bitcoin Cash, Dash, and other prominent cryptocurrencies.
When a match occurs, the intercepted address is sent to a backend server authenticated with an embedded API key, which then returns a replacement address that replaces the original one on the clipboard. McAfee’s reconstructed backend has revealed a deterministic one-to-one mapping for various cryptocurrencies, while submissions related to Solana collapse to a single static drop address, highlighting a strategic implementation choice evident in chain balances.
Operational data indicates a widespread, globally distributed presence, with a notable concentration in India. This observation suggests that the campaign is targeting crypto users opportunistically, rather than focusing on a narrow geographic area.
To mitigate such risks, cybersecurity experts recommend several layered controls. Consumers should install browser extensions only from verified sources, scrutinize extensions that request permissions beyond what their stated function requires, and cross-verify wallet addresses on a separate device before initiating transactions. Running unsigned installers from untrusted sources carries significant risk and should be avoided.
Organizations can enhance their defenses by implementing endpoint and network protection systems that flag malicious download behaviors and block known C2 domains. Current threat detection strategies by McAfee, which label this threat as CryptoStealer.NE, aim to block the installation process and prevent any further connection attempts to compromised infrastructure.
For additional protection against these complex threats, defenders are advised to monitor any tampering with Chromium Secure Preferences files, scrutinize unusual recreation of browser MAC values, and maintain vigilance regarding anomalous RPC calls that resolve obscure contract values linked to EtherHiding-style C2 resolution.
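One way to implement the Secure Preferences check described above, as an added example that is not part of the original article: the script parses a constructed sample of a Chromium Secure Preferences file and flags extension entries that are not from the Web Store, are loaded unpacked, request clipper-style permissions, or lack a recorded protection MAC. The location codes are assumed from Chromium's ManifestLocation enum and the risky-permission list is an assumption to tune per environment.

```python
import json

# Constructed sample of a Chromium "Secure Preferences" file (not a real capture):
# one Web Store extension and one sideloaded extension with clipper-like permissions.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": {
            "from_webstore": True, "location": 1, "state": 1,
            "manifest": {"name": "Tab Sorter", "permissions": ["tabs"]}},
        "hhhhggggffffeeeeddddccccbbbbaaaa": {
            "from_webstore": False, "location": 4, "state": 1,
            "manifest": {"name": "Google Notes",
                         "permissions": ["clipboardRead", "clipboardWrite", "history"],
                         "host_permissions": ["<all_urls>"]}},
    }},
    "protection": {"macs": {"extensions": {"settings": {
        "aaaabbbbccccddddeeeeffffgggghhhh": "ABCD"}}},
                   "super_mac": "EF01"},
})

# Permissions a note-taking extension has no business requesting (assumption: tune per environment).
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history", "<all_urls>", "webRequest"}
# Chromium ManifestLocation values (assumed from the Chromium source): 1 = internal (Web Store
# install), 4 = loaded unpacked via developer mode.
UNPACKED_LOCATION = 4


def audit_secure_prefs(text):
    """Return (extension_id, name, reasons) for entries that look sideloaded or over-privileged."""
    prefs = json.loads(text)
    settings = prefs.get("extensions", {}).get("settings", {})
    macs = prefs.get("protection", {}).get("macs", {}).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("loaded unpacked")
        requested = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        risky = RISKY_PERMISSIONS & requested
        if risky:
            reasons.append("risky permissions: " + ", ".join(sorted(risky)))
        if ext_id not in macs:
            reasons.append("no protection MAC recorded")
        if reasons:
            findings.append((ext_id, manifest.get("name", "?"), reasons))
    return findings
```

Pointing the function at a real profile's Secure Preferences file gives a quick triage list; an entry that is both sideloaded and clipboard-capable is the pattern this campaign leaves behind.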
As this ongoing campaign illustrates, vigilance and proactive measures are essential in safeguarding against the evolving landscape of cyber threats targeting cryptocurrency users.