
Malicious Extension Targets Chromium-Based Web Browsers, Steals Data

According to the Broadcom Threat Bulletin, a U.S. water and wastewater treatment plant became the target of a cyber attack claimed by a cybercriminal group.

The group allegedly demonstrated its interaction with the systems of the Tipton Wastewater Treatment Plant via a video shared on its Telegram channel.

Symantec Threat Hunter Team has observed a concerning surge in attempts to deploy a malicious extension targeting Chromium-based web browsers, including Google Chrome, Microsoft Edge, Brave, and Opera.

This malicious browser extension poses a significant threat, capable of harvesting clipboard data, browser history, Google Pay and Facebook balance information, capturing screenshots, and even launching web pages.

Its reported functionality extends to cryptocurrency theft and other sensitive data, with the potential for further updates, heightening its danger.

Initial research suggested various malware loaders as delivery mechanisms for this extension. However, Symantec’s investigations reveal a distinct infection chain starting with download links hosted on platforms like Google Drive or MediaFire.

The download link leads to a ZIP file named “x64_x32_installer.zip,” containing an MSI installer. Within this installer lies a blend of legitimate and malicious components. The malicious DLL, sideloaded via the legitimate file, facilitates the installation of the harmful browser extension.
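For defenders, the capabilities listed above correspond to permissions an extension has to declare in its manifest.json. The following audit script is an added example, not code from Symantec or from this bulletin; the permission-to-capability mapping, the update_url heuristic and the findings threshold are assumptions of the example, and it takes the path of a browser profile's Extensions directory as its argument.

```python
import json
import sys
from pathlib import Path

# Manifest permissions that would enable the capabilities the bulletin lists.
# This mapping is the example's assumption, not an indicator list from Symantec.
RISKY = {
    "clipboardRead": "read clipboard data",
    "history": "read browser history",
    "<all_urls>": "capture screenshots and read any page",
    "tabs": "enumerate and open tabs",
}
WEB_STORE_UPDATE = "clients2.google.com/service/update2"


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for one parsed manifest.json."""
    requested = set()
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        values = manifest.get(key)
        if isinstance(values, list):
            requested.update(v for v in values if isinstance(v, str))
    findings = [f"{perm}: {why}" for perm, why in RISKY.items() if perm in requested]
    # Store-installed extensions carry the Web Store update_url; unpacked or
    # side-loaded ones usually do not (a heuristic only, the field can be forged).
    if WEB_STORE_UPDATE not in str(manifest.get("update_url", "")):
        findings.append("no Web Store update_url (possible side-load)")
    return findings


def scan_extensions(root: Path, min_findings: int = 3) -> dict:
    """Walk root for manifest.json files and report extensions worth a look."""
    report = {}
    for path in sorted(Path(root).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            report[str(path.parent)] = ["unreadable manifest"]
            continue
        findings = audit_manifest(manifest)
        if len(findings) >= min_findings:
            report[str(path.parent)] = findings
    return report


if __name__ == "__main__":
    for ext_dir, found in scan_extensions(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        print(ext_dir, *found, sep="\n  ")
```

A hit is a prompt for review rather than a verdict: legitimate extensions also request these permissions, so compare flagged directories against the extensions the user knowingly installed.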

For more detailed information about this threat, please see the PDF below.