Silent Swap: A Crypto Clipper Extension Campaign

    Date: 07/01/2026

    Severity: Medium

    Summary

    A malicious campaign is distributing a fake Google Notes browser extension that silently steals cryptocurrency by replacing copied wallet addresses with attacker-controlled ones during transactions. The malware abuses Chromium browser trust mechanisms to install the extension without user approval and uses EtherHiding to retrieve its command-and-control infrastructure from the blockchain, making detection and takedown more difficult. Linked to the CountLoader threat actor, the campaign primarily targets cryptocurrency users, with a significant concentration of victims in India.

    Indicators of Compromise (IOC) List

    Domains/URLs

    devops-offensive.cc

    Zebregts.com

    https://google-services.cc/base.zip

    Hash

    BTC wallet

    3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy

    1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT

    3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj

    1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX
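As an added example (not code from the advisory or from McAfee's analysis), a paste-time check that a wallet front end or endpoint agent could apply against the clipper behaviour described in the summary: it Base58Check-decodes both the copied and the pasted strings, flags the attacker wallets listed above, and reports a plausible swap when two different valid addresses appear. It assumes legacy P2PKH/P2SH addresses; bech32 addresses are out of scope.

```python
import hashlib

# Attacker-controlled BTC wallets published in the IOC list above.
KNOWN_CLIPPER_WALLETS = {
    "3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy",
    "1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT",
    "3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj",
    "1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX",
}

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check_decode(text):
    """Decode a Base58Check string; return the payload, or None if malformed."""
    value = 0
    for ch in text:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None          # character outside the Base58 alphabet
        value = value * 58 + digit
    # Each leading '1' encodes one leading zero byte that the integer drops.
    zeros = len(text) - len(text.lstrip("1"))
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    raw = b"\x00" * zeros + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    # Checksum is the first 4 bytes of double SHA-256 over the payload.
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def is_valid_btc_address(addr):
    """Legacy P2PKH (0x00) / P2SH (0x05): one version byte plus a 20-byte hash."""
    payload = base58check_decode(addr)
    return payload is not None and len(payload) == 21 and payload[0] in (0x00, 0x05)


def check_paste(copied, pasted):
    """Classify what happened to the clipboard between a copy and the paste."""
    if copied == pasted:
        return "ok"
    if pasted in KNOWN_CLIPPER_WALLETS:
        return "known-clipper-wallet"
    if is_valid_btc_address(copied) and is_valid_btc_address(pasted):
        return "address-swapped"   # plausible clipper whose wallet is not yet listed
    return "changed"
```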

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "devops-offensive.cc" or url like "devops-offensive.cc" or siteurl like "devops-offensive.cc" or domainname like "Zebregts.com" or url like "Zebregts.com" or siteurl like "Zebregts.com" or domainname like "https://google-services.cc/base.zip" or url like "https://google-services.cc/base.zip" or siteurl like "https://google-services.cc/base.zip"

    Detection Query 2:

    sha256hash IN ("053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0","11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962","a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01","ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c","ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2","1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d","daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b","2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3","2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf","6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8","eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c","6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5")

    Reference:

    https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-clipper-wallet-swapping-browser-extension-malware/

    Tags

    Malware, Stealer, cryptocurrency, EtherHiding, Blockchain, India
