Ptechhub
Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

By The Hacker News
July 2, 2026


Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction.

The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs.

“The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign ‘Google Notes’ utility,” the cybersecurity company said in a technical report shared with The Hacker News.

The unsigned .NET installer, named BaseZipInstaller, retrieves a ZIP archive containing the malicious browser extension and scans the system for Chromium-based browsers. For each profile it finds in those browsers, it forcibly terminates the browser process (a running browser would otherwise rewrite the files) and injects the extension by modifying the profile's Secure Preferences and Preferences files.

The extension's end goal is to act as a clipper: it intercepts wallet addresses copied to the system clipboard and swaps them for attacker-controlled ones so that funds are rerouted. To do so, the bogus Google Notes extension declares permissions for the clipboard, all URLs, and browsing history, a combination no note-taking utility needs.

Because most transactions on the blockchain are irreversible, an address swap can result in permanent financial loss. McAfee Labs said the activity overlaps with a prior CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both clusters.

A McAfee Labs spokesperson told The Hacker News that the initial access mechanism involves victims running a malicious file that launches CountLoader, which then fetches and installs additional payloads, in this case, a rogue browser extension.

“Our research did not conclusively identify whether those initial installers are primarily distributed through phishing, malvertising, or another social engineering technique, so we can’t attribute the campaign to one specific distribution method,” the spokesperson added. “However, we do know attackers have commonly used phishing email attachments, game cracks, and similar social engineering tactics to trick victims into installing CountLoader.”

What sets Silent Swap apart is its use of a technique called EtherHiding, in which the current command-and-control (C2) domain is stored in a smart contract and the malware reads it from the blockchain, using the chain as a dead drop resolver. This lets the attacker rotate infrastructure by updating a single contract value instead of redeploying the malware, and unlike a hard-coded domain the contract cannot be seized or sinkholed.

The second aspect revolves around the covert installation of the browser extension on Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, and Vivaldi by modifying protected browser settings files. The attack, however, hinges on enabling the developer mode for newer versions of the browsers, something that a threat actor can accomplish through social engineering tactics.

“Normally, these browsers store security verification data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes,” McAfee said. “The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately.”

“This allows the extension to bypass the normal extension web store installation process and load silently without user approval.”

The campaign's persistence and evasion posture is deliberate and layered, with the primary focus on keeping visibility to the end user low and resilience against takedown and static analysis high. Persistence comes from registering the extension in the browser's Secure Preferences file so that it loads on every subsequent browser launch, with no separate persistence mechanism needed.

In addition, the malware attempts to enable developer mode programmatically in Brave and Opera, and the installer is self-deleted after execution, effectively removing an indicator of initial compromise. Another evasion technique is the use of dynamic wallet substitution, which is responsible for fetching a replacement address corresponding to a victim’s original address.

“It sends the intercepted wallet address to the attacker backend and uses the response to dynamically substitute the original address,” McAfee said. “If the backend request fails, the function falls back to a predefined hard-coded wallet address, ensuring uninterrupted malicious activity.”

Every submitted address that matches the patterns for Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple (XRP), and Dash is mapped server-side to a unique attacker-controlled address. In contrast, all submitted Solana addresses resolve to a single attacker address, which at the time of writing held a balance of $1,902.45.

“Each submitted address is mapped to a unique attacker-controlled address. Re-submitting the same original returns the same replacement, indicating a deterministic one-to-one mapping maintained server-side.”

Telemetry data suggests that infections are globally distributed, with a higher concentration of victims reported in India. Other countries impacted by the campaign include the U.S., Brazil, Indonesia, and Spain.

“This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading,” McAfee said. “Static attacker addresses have been replaced with a server-side, per-victim mapping. Fragile, hard-coded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction.”

Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers

The disclosure comes as Socket reported on a pair of malicious Chrome and Mozilla Firefox browser extensions, both carrying the name “VPN Go: Free VPN” on the Chrome Web Store and Firefox Add-ons marketplace.

“Both extensions present themselves as free VPN tools and include visible proxy functionality,” Socket researchers Kirill Boychenko and Kush Pandya said. “Under the hood, both also contain malicious clipboard theft logic that continuously monitors copied text and exfiltrates it to threat actor-controlled infrastructure.”

The behavior extends beyond wallet addresses, as it allows the operators to siphon all kinds of sensitive data, including passwords, authentication codes, API keys, OAuth tokens, and seed phrases.

Further examination of the extensions has revealed a staged malicious update pattern, where the extension developer initially published a benign version to the extension storefront before introducing the clipboard-stealing capability through a subsequent update.

While versions 1.1 and 1.2 of the Chrome extension have been found to exfiltrate clipboard data to “178.236.252[.]133,” version 1.3 switches the exfiltration channel to a different IP address (“77.91.123[.]187”). In the case of its Firefox equivalent, 1.3.3 is the first version to include the clipboard stealer and send the information to “178.236.252[.]133.” The 1.3.4 update moves the infrastructure to “77.91.123[.]187.”

Users who have installed either of the extensions are advised to remove them immediately and treat any secrets copied while the extension was active as compromised.

“The static code is enough to show that the extensions were designed to function as proxy tools, not merely display a fake VPN interface,” Socket said. “The proxy capability still increases risk because it can route browser traffic through threat actor-supplied infrastructure, expose plaintext HTTP traffic and connection metadata, and make the extension appear useful while the clipboard monitor runs in parallel.”

(The story was updated after publication on July 1, 2026, to include a response from McAfee Labs.)



Copyright © 2025 | Powered By Porpholio
