Monday, May 19, 2025
HomeMalwareGoogle Chrome Extension that Steals all Data Posted by Users on any...

Google Chrome Extension that Steals all Data Posted by Users on any Websites

Published on

SIEM as a Service

Follow Us on Google News

Chrome Extensions continue to get compromised, security officer Renato Marinho from Morphus Labs identified a malicious Chrome extension that captures data posted by users online on any website.

They noticed a phishing campaign titled “Follow the photos from the weekend (via WhatsApp)” which infects users by opening an email with alleged photos.

How it affects Victims Via Chrome Extensions

When users open the phishing Email that contains alleged photos, a malicious EXE file named whatsapp.exe will be executed.

Once the malicious file executed it installs victim’s malicious extension into Google Chrome.In order to Disguise it shows a fake Adobe PDF Reader installation while downloading it’s required components.
- Advertisement - Google News

Malware files have a size far beyond the ordinary and far beyond what is usually inspected for anti-virus solutions.Says Renato.

Also Read Seven More Extensions compromised to hijack traffic and substitute advertisements on users browsers

Data Theft

Once the extension installed it will monitor all the data that user posted on the website and sent to attackers, it includes login credentials, credit card details and other sensitive data.

The attacker was not required, for example, to lure the victim to a fake website with typical digital certificate errors or to intercept connections in complex ways. On the contrary, the user will be interacting normally with the legitimate website while their data is stolen. Says Renato.

Here the attacker not diverting victims to fake sites, instead the data is captured while establishing the connection with the legitimate site.

Indicators of Compromise (IOCs)

Files

MD5 (md0) = 72c35311136adaaf2c31d54b7d2c462e
MD5 (md1) = bbca1ced8eea1a63e4e05a7f7e368b69
MD5 (whatsapp.exe) = 713fed252238d2cbd48a18b3faa67a8e

Extension Files

MD5 (btwjvx.js) = 229495556791239ecf88e883124284b7
MD5 (ico.png) = 42ab831ae1520621f4117d3639b1131d
MD5 (java_128.ico) = a5c5f16f314bb022edcdb084850f0d63
MD5 (java_32.ico) = d7a6c3c105a0ab5dc39bdf5005f044b4
MD5 (java_64.ico) = 748e901736d11413f8856f9db82e7328
MD5 (manifest.json) = 214859fb1903fefb8c0142273953b4dc
MD5 (unjjmwv.js) = 5ca7582261c421482436dfdf3af9bffe

Network

hxxps://storage.googleapis.com/webfotosb/Whatsapp.html
hxxp://177.11.55.90/md18102136.cab
hxxps://agenziapetra.com:1515/

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

GNU C(glibc) Vulnerability Let Attackers Execute Arbitrary Code on Millions of Linux Systems

Security researchers have disclosed a significant vulnerability in the GNU C Library (glibc), potentially...

Exploiting dMSA for Advanced Active Directory Persistence

Security researchers have identified new methods for achieving persistence in Active Directory environments by...

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Printer Company Distributes Malicious Drivers Infected with XRed Malware

Procolored, a printer manufacturing company, has been found distributing software drivers infected with malicious...

Frigidstealer Malware Targets macOS Users to Harvest Login Credentials

An macOS users, a new information-stealing malware dubbed FrigidStealer has emerged as a formidable...

SSH Auth Key Reuse Uncovers Advanced Targeted Phishing Campaign

A meticulously orchestrated phishing campaign targeting Kuwait's fisheries, telecommunications, and insurance sectors has been...