Friday, May 9, 2025
HomeBrowserRilide Malware Poses as Browser Extension to Steal Login Credentials from Chrome...

Rilide Malware Poses as Browser Extension to Steal Login Credentials from Chrome and Edge Users

Published on

SIEM as a Service

Follow Us on Google News

Rilide, a sophisticated malware, has been masquerading as a legitimate browser extension to steal sensitive information from users of Chromium-based browsers like Google Chrome and Microsoft Edge.

First identified in April 2023, this malware is designed to capture screenshots, log passwords, and collect credentials for cryptocurrency wallets.

It often disguises itself as a Google Drive utility, aiming to deceive users into installing it by promising to save content to Google Drive.

- Advertisement - Google News

Delivery Mechanisms and Intrusion Chain

Rilide is primarily delivered through phishing websites and malicious advertisements.

Recent campaigns have utilized diverse tactics, including PowerPoint lures, Twitter redirects, and Google Ads, to lead users to phishing sites that download the malware.

In some cases, a PowerShell loader is used to install the extension, though the method of delivering this loader to users remains unclear.

Rilide Malware
The decoded PowerShell script pulled from tcl-black[.]com

The malware has adapted to comply with Chrome Extension Manifest V3, ensuring all its logic is contained within the extension package itself.

Once installed, Rilide injects scripts into web pages to collect credentials and cryptocurrency information.

It accesses clipboard data and system information and interacts with web storage.

The extension uses a service worker named ToggleTest.js to execute commands and take screenshots.

It also employs files like OpenRemove.js and AlertReceive.js to collect data from web pages and interact with the clipboard.

Communication and Exfiltration

Rilide communicates with its Command and Control (C2) server by querying blockchain services to resolve the server’s address.

Rilide Malware
Campaigns leading to Rilide

According to the Report, this address is encoded in a Bitcoin address and is used to exfiltrate system information and other stolen data back to the C2 server via POST requests.

The malware can modify network requests and remove content security policies to facilitate its operations.

To protect against Rilide, users should avoid installing extensions from untrusted sources and regularly review installed extensions for unnecessary permissions.

Enabling PowerShell logging and restricting its usage can also help mitigate the threat.

Additionally, users should be cautious of phishing attempts and ensure their browsers are updated with the latest security patches.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known...

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows...

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed...

Apache ActiveMQ Vulnerability Allows Attackers to Induce DoS Condition

Critical vulnerability in Apache ActiveMQ (CVE-2024-XXXX) exposes brokers to denial-of-service (DoS) attacks by allowing...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Exploit Host Header Injection to Breach Web Applications

Cybersecurity researchers have reported a significant rise in web breaches triggered by a lesser-known...

Hackers Exploit Windows Remote Management to Evade Detection in AD Networks

A new wave of cyberattacks is targeting Active Directory (AD) environments by abusing Windows...

Researchers Uncover Remote Code Execution Flaw in macOS – CVE-2024-44236

Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed...