    Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

By admin, June 30, 2026

    Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction.

    The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs.

    “The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign ‘Google Notes’ utility,” the cybersecurity company said in a technical report shared with The Hacker News.

The unsigned .NET installer, named BaseZipInstaller, retrieves a ZIP archive that contains the malicious browser extension and then scans the system for Chromium-based browsers. For each profile it finds in those browsers, it forcibly terminates the browser process and injects the extension by modifying the profile's Secure Preferences and Preferences files.

The extension's end goal is to act as a clipper: it intercepts wallet addresses copied to the system clipboard and replaces them so that funds are rerouted to an attacker-controlled wallet. To do so, the bogus Google Notes extension asks the user for permissions to access the clipboard, all URLs, and the browsing history, a combination worth scrutinising in any extension that presents itself as a simple notes utility.

    Because most transactions on the blockchain are irreversible, an address swap can result in permanent financial loss. McAfee Labs said the activity overlaps with a prior CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both clusters.

What sets Silent Swap apart is its use of a technique called EtherHiding, which treats a public blockchain as a dead-drop resolver: the malware reads the active command-and-control (C2) server details from a smart contract rather than from a hard-coded domain. To rotate infrastructure, the attacker only has to update the value stored in the contract to point at a new domain, with no need to redeploy the malware; and because contract state is read from public nodes, the resolver itself has no domain or server that can be taken down.
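To make the dead-drop mechanism concrete, here is an added example (not code from the original article or from McAfee's report) of what an EtherHiding-style lookup amounts to on the wire and how an analyst can decode it for monitoring. It builds the JSON-RPC `eth_call` request a resolver would send and decodes the ABI-encoded `string` a Solidity getter returns. The contract address, function selector, domain names and the RPC replies are all constructed for illustration; the real selector would be the first four bytes of keccak256 over the getter's signature, which needs a keccak implementation (hashlib's sha3_256 is not keccak) and is not computed here. Nothing is sent over the network.

```python
from typing import Optional

# Hypothetical values, not the campaign's real contract or function.
CONTRACT = "0x" + "11" * 20
SELECTOR = "0xdeadbeef"


def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC body a resolver sends to read a contract getter with no arguments."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, block],
    }


def encode_abi_string(value: str) -> str:
    """ABI-encode a dynamic `string` return value (offset word, length word, padded bytes).
    Only used here to construct sample RPC replies offline."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    return "0x" + (32).to_bytes(32, "big").hex() + len(data).to_bytes(32, "big").hex() + padded.hex()


def decode_abi_string(result_hex: str) -> str:
    """Decode the `result` field of an eth_call reply for a getter returning `string`."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("return data too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")          # where the tail (length + bytes) starts
    if offset + 32 > len(raw):
        raise ValueError("string offset points outside return data")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("string length exceeds return data")
    return raw[start:start + length].decode("utf-8")


def resolve_c2(rpc_reply: dict, fallback: str) -> str:
    """Turn an eth_call reply into a C2 host; fall back if the chain value is missing or malformed."""
    try:
        value = decode_abi_string(rpc_reply["result"])
    except (KeyError, ValueError, UnicodeDecodeError):
        return fallback
    return value or fallback


def c2_changed(previous: Optional[str], reply: dict, fallback: str) -> Optional[str]:
    """Monitoring helper: return the new C2 host if it differs from the last observed one."""
    current = resolve_c2(reply, fallback)
    return current if current != previous else None


# Constructed replies: the same getter read before and after the operator
# rotates the stored value with one transaction. Domains are illustrative.
REPLY_BEFORE = {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string("c2-old.example")}
REPLY_AFTER = {"jsonrpc": "2.0", "id": 1, "result": encode_abi_string("c2-new.example")}

if __name__ == "__main__":
    print(build_eth_call(CONTRACT, SELECTOR))
    print("before:", resolve_c2(REPLY_BEFORE, "fallback.example"))
    print("after: ", resolve_c2(REPLY_AFTER, "fallback.example"))
```

Polling the getter this way and diffing the decoded value is the defender's mirror image of the attacker's rotation: one transaction on their side shows up as a single changed string on yours, which is the event to alert on.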

The second aspect is the covert installation of the extension in Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Vivaldi by modifying protected browser settings files. The attack nonetheless hinges on developer mode being enabled in newer browser versions, which the threat actor can bring about through social engineering.

    “Normally, these browsers store security verification data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes,” McAfee said. “The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately.”

    “This allows the extension to bypass the normal extension web store installation process and load silently without user approval.”

The campaign's persistence and evasion posture is deliberate and layered, with the primary aims being low visibility to the end user and high resilience against takedown and static analysis. Persistence comes from the extension registration itself: because the entry is written into the browser's Secure Preferences file, the extension is loaded on every subsequent browser launch without any separate persistence mechanism.

In addition, the malware attempts to enable developer mode programmatically in Brave and Opera, and the installer deletes itself after execution, removing an indicator of the initial compromise. A further evasion technique is dynamic wallet substitution: rather than carrying a fixed destination address, the extension fetches a replacement address that corresponds to the victim's original address.
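The installation method described above leaves traces that do not depend on verifying the recalculated HMACs (which would require the per-build seed Chromium keeps in its resources). The following added example, written for this page and not taken from McAfee's report or from any tool the report names, triages a profile's Secure Preferences for the traits a sideloaded clipper exhibits: developer mode switched on, an extension entry whose `location` is not a Web Store or component install, `from_webstore` set to false, an on-disk path outside the profile's Extensions directory, and the clipboard + history + `<all_urls>` permission combination. The Chromium pref names and location codes are taken from the Chromium source as the author understands them; the sample preferences blob is constructed and is not data from a real victim.

```python
import json
import ntpath
import os
import posixpath
from typing import List

# Chromium ManifestLocation values (extensions/common/mojom/manifest.mojom):
# 1 = INTERNAL (Web Store / normal install), 4 = UNPACKED (loaded from a
# directory; requires developer mode), 5 = COMPONENT (ships with the browser).
# Other codes (policy / external installs) are worth a look but not flagged alone.
WEBSTORE_OR_COMPONENT = {1, 5}
LOCATION_COMPONENT = 5

# Permission set the fake "Google Notes" extension asks for. Manifest keys
# assumed from the Chrome extension docs: clipboardRead, history, <all_urls>.
CLIPPER_API_PERMS = {"clipboardRead", "history"}
ALL_URLS = "<all_urls>"


def _norm(path: str) -> str:
    """Lower-case, forward-slash form so Windows and POSIX paths compare the same way."""
    return path.replace("\\", "/").rstrip("/").lower()


def _is_abs(path: str) -> bool:
    return ntpath.isabs(path) or posixpath.isabs(path)


def triage_secure_preferences(prefs: dict, profile_dir: str) -> List[str]:
    """Return one finding string per suspicious item in a parsed Secure Preferences dict."""
    findings: List[str] = []
    ext_root = prefs.get("extensions", {})

    # Sideloading unpacked extensions in current Chromium builds needs this flag.
    if ext_root.get("ui", {}).get("developer_mode"):
        findings.append("developer mode is enabled for this profile")

    ext_dir = _norm(profile_dir) + "/extensions"
    for ext_id, entry in ext_root.get("settings", {}).items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "<unknown>")
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        location = entry.get("location")
        reasons = []
        if location not in WEBSTORE_OR_COMPONENT:
            reasons.append(f"location={location} (not a Web Store/component install)")
        if entry.get("from_webstore") is False:
            reasons.append("from_webstore=false")
        path = entry.get("path", "")
        # Web Store installs use a path relative to <profile>/Extensions; an absolute
        # path elsewhere means something other than the browser dropped the code.
        if location != LOCATION_COMPONENT and _is_abs(path) and not _norm(path).startswith(ext_dir):
            reasons.append(f"loaded from outside the profile: {path}")
        if CLIPPER_API_PERMS <= perms and ALL_URLS in perms:
            reasons.append("clipper-style permissions (clipboardRead + history + <all_urls>)")
        if reasons:
            findings.append(f"{ext_id} ({name}): " + "; ".join(reasons))
    return findings


def triage_profile_dir(profile_dir: str) -> List[str]:
    """Load <profile>/Secure Preferences from disk and triage it."""
    with open(os.path.join(profile_dir, "Secure Preferences"), encoding="utf-8") as fh:
        return triage_secure_preferences(json.load(fh), profile_dir)


# Constructed sample (not from a real victim): one ordinary Web Store extension
# and one injected entry showing the traits described in the report.
SAMPLE_PROFILE = r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default"
SAMPLE_SECURE_PREFS = {
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "location": 1, "from_webstore": True,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0.0_0",
                "manifest": {"name": "Legit Notes", "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "location": 4, "from_webstore": False,
                "path": r"C:\Users\victim\AppData\Roaming\GoogleNotes",
                "manifest": {"name": "Google Notes",
                             "permissions": ["clipboardRead", "history"],
                             "host_permissions": ["<all_urls>"]},
            },
        },
    },
    "protection": {"macs": {}},   # HMACs live here; the malware rewrites them
}

if __name__ == "__main__":
    for line in triage_secure_preferences(SAMPLE_SECURE_PREFS, SAMPLE_PROFILE):
        print(line)
```

Run `triage_profile_dir` against each profile directory under the browser's User Data folder (the default profile is `Default`, others are `Profile 1`, `Profile 2`, and so on); because the malware recomputes the integrity values, a clean `protection.macs` block proves nothing, which is why the triage keys on install provenance and permissions instead.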

    “It sends the intercepted wallet address to the attacker backend and uses the response to dynamically substitute the original address,” McAfee said. “If the backend request fails, the function falls back to a predefined hard-coded wallet address, ensuring uninterrupted malicious activity.”

Every intercepted address that matches the patterns for Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple, and Dash is mapped on the server side to a unique attacker-controlled address. In contrast, all submitted Solana addresses resolve to a single attacker address, which at the time of writing held a balance of $1,902.45.

“Each submitted address is mapped to a unique attacker-controlled address. Re-submitting the same original returns the same replacement, indicating a deterministic one-to-one mapping maintained server-side,” McAfee said.
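Because the swap only fires on text that looks like a wallet address, the same per-chain pattern matching the clipper relies on is also the cheapest detection: record what the user placed on the clipboard and compare it with what an application later reads back. The block below is an added example for this page (not McAfee's code and not the extension's), going slightly beyond the text in that it includes a Solana pattern alongside the five chains named above. The regular expressions are format checks only, not checksum validation, and the sample clipboard events and addresses are constructed for illustration; none of them belongs to a real wallet.

```python
import re
from typing import List, Optional, Tuple

BASE58 = r"[1-9A-HJ-NP-Za-km-z]"
BECH32 = r"[qpzry9x8gf2tvdw0s3jn54khce6mua7l]"

# Ordered (chain, pattern) list. Order matters: Ripple, Dash and legacy Bitcoin
# addresses are themselves base58 strings of 32-44 characters and would also
# satisfy the looser Solana pattern, so Solana is checked last.
ADDRESS_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("BTC", re.compile(rf"^(?:[13]{BASE58}{{25,34}}|bc1{BECH32}{{6,87}})$")),
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BCH", re.compile(rf"^(?:bitcoincash:)?[qp]{BECH32}{{41}}$")),
    ("XRP", re.compile(rf"^r{BASE58}{{24,34}}$")),
    ("DASH", re.compile(rf"^X{BASE58}{{33}}$")),
    ("SOL", re.compile(rf"^{BASE58}{{32,44}}$")),
]


def classify(text: str) -> Optional[str]:
    """Return the chain whose address format the text matches, or None."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(candidate):
            return chain
    return None


def detect_swap(copied: str, read_back: str) -> Optional[str]:
    """Alert if the clipboard content was rewritten from one address to another."""
    if copied == read_back:
        return None
    src, dst = classify(copied), classify(read_back)
    if src is None or dst is None:
        return None  # ordinary edit or non-address text, not a clipper swap
    if src == dst:
        return f"{src} address replaced in clipboard: {copied} -> {read_back}"
    return f"address replaced with a different chain ({src} -> {dst}): {copied} -> {read_back}"


def scan_clipboard_events(events: List[Tuple[str, str]]) -> List[str]:
    """Walk (kind, text) pairs: 'copy' is what the user put on the clipboard,
    'read' is what an application later received from it. Returns alerts."""
    alerts: List[str] = []
    last_copied: Optional[str] = None
    for kind, text in events:
        if kind == "copy":
            last_copied = text
        elif kind == "read" and last_copied is not None:
            alert = detect_swap(last_copied, text)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed event log: one swapped Ethereum address, one untouched Bitcoin
# address (the BIP-173 specification example), and some non-address text.
SAMPLE_EVENTS = [
    ("copy", "0x" + "ab12" * 10),
    ("read", "0x" + "cd34" * 10),                       # rewritten before the paste
    ("copy", "hello world"),
    ("read", "hello world"),
    ("copy", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    ("read", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]

if __name__ == "__main__":
    for alert in scan_clipboard_events(SAMPLE_EVENTS):
        print(alert)
```

The same classifier is useful in the other direction when reviewing a suspected clipper: the order in which its own patterns are tested tells you which chains it prioritises, and a loose catch-all like the Solana pattern explains why every Solana-looking string can be routed to one address.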

    Telemetry data suggests that infections are globally distributed, with a higher concentration of victims reported in India. Other countries impacted by the campaign include the U.S., Brazil, Indonesia, and Spain.

    “This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading,” McAfee said. “Static attacker addresses have been replaced with a server-side, per-victim mapping. Fragile, hard-coded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction.”

    Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers

    The disclosure comes as Socket reported on a pair of malicious Chrome and Mozilla Firefox browser extensions, both carrying the name “VPN Go: Free VPN” on the Chrome Web Store and Firefox Add-ons marketplace.

    “Both extensions present themselves as free VPN tools and include visible proxy functionality,” Socket researchers Kirill Boychenko and Kush Pandya said. “Under the hood, both also contain malicious clipboard theft logic that continuously monitors copied text and exfiltrates it to threat actor-controlled infrastructure.”

    The behavior extends beyond wallet addresses, as it allows the operators to siphon all kinds of sensitive data, including passwords, authentication codes, API keys, OAuth tokens, and seed phrases.

    Further examination of the extensions has revealed a staged malicious update pattern, where the extension developer initially published a benign version to the extension storefront before introducing the clipboard-stealing capability through a subsequent update.

    While versions 1.1 and 1.2 of the Chrome extension have been found to exfiltrate clipboard data to “178.236.252[.]133,” version 1.3 switches the exfiltration channel to a different IP address (“77.91.123[.]187”). In the case of its Firefox equivalent, 1.3.3 is the first version to include the clipboard stealer and send the information to “178.236.252[.]133.” The 1.3.4 update moves the infrastructure to “77.91.123[.]187.”

Users who have installed either extension are advised to remove it immediately and to treat any secret that passed through the clipboard while the extension was active as compromised.

    “The static code is enough to show that the extensions were designed to function as proxy tools, not merely display a fake VPN interface,” Socket said. “The proxy capability still increases risk because it can route browser traffic through threat actor-supplied infrastructure, expose plaintext HTTP traffic and connection metadata, and make the extension appear useful while the clipboard monitor runs in parallel.”
