Date: 07/01/2026
Severity: Medium
Summary
A malicious campaign is distributing a fake Google Notes browser extension that silently steals cryptocurrency by replacing copied wallet addresses with attacker-controlled ones during transactions. The malware abuses Chromium browser trust mechanisms to install the extension without user approval and uses EtherHiding to retrieve its command-and-control infrastructure from the blockchain, making detection and takedown more difficult. Linked to the CountLoader threat actor, the campaign primarily targets cryptocurrency users, with a significant concentration of victims in India.
Indicators of Compromise (IOC) List
Domains/URLs:
devops-offensive.cc
Zebregts.com
https://google-services.cc/base.zip
SHA-256 hashes: the twelve file hashes are the ones matched by Detection Query 2 below.
BTC wallets:
3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy
1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT
3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj
1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "devops-offensive.cc" or url like "devops-offensive.cc" or siteurl like "devops-offensive.cc" or domainname like "Zebregts.com" or url like "Zebregts.com" or siteurl like "Zebregts.com" or domainname like "https://google-services.cc/base.zip" or url like "https://google-services.cc/base.zip" or siteurl like "https://google-services.cc/base.zip"
Detection Query 2:
sha256hash IN ("053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0","11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962","a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01","ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c","ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2","1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d","daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b","2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3","2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf","6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8","eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c","6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5")
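The two detection queries above, re-expressed as an added Python matcher that is not part of the advisory or of Gurucul's product, run over constructed log records. It lowercases hosts and hashes before comparing, since the Query 1 `like "Zebregts.com"` pattern can miss a lowercase hostname on a case-sensitive engine, and it treats the google-services.cc entry as a full-URL indicator rather than a domain. The field names domainname, url, siteurl and sha256hash are taken from the queries; the hash set is truncated to two of the advisory's values and the sample records are constructed.

```python
from urllib.parse import urlparse

# Indicators copied from the advisory's IOC table. The hash set is truncated
# to two entries here; extend it with the remaining values from Detection Query 2.
IOC_DOMAINS = {"devops-offensive.cc", "zebregts.com"}
IOC_URLS = {"https://google-services.cc/base.zip"}
IOC_SHA256 = {
    "2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf",
    "053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0",
}

def host_of(value):
    """Lowercase host of a URL or bare domain ('' when the field is empty)."""
    if not value:
        return ""
    parsed = urlparse(value if "://" in value else "//" + value)
    return (parsed.hostname or "").lower()

def matches_domain(host):
    # The advisory's `like` is a substring test; matching the domain itself or
    # any subdomain of it is tighter and avoids hits on unrelated look-alikes.
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def check_record(record):
    """Return the detection query numbers (1 and/or 2) the record triggers."""
    hits = []
    fields = [record.get(k) or "" for k in ("domainname", "url", "siteurl")]
    if any(matches_domain(host_of(f)) for f in fields) or any(
        f.lower() in IOC_URLS for f in fields
    ):
        hits.append(1)
    if (record.get("sha256hash") or "").lower() in IOC_SHA256:
        hits.append(2)
    return hits

def scan(records):
    """Pair each record index with its hits, skipping records that match nothing."""
    return [(i, h) for i, r in enumerate(records) if (h := check_record(r))]

# Constructed sample telemetry, not real log data.
SAMPLE_LOGS = [
    {"url": "https://ZEBREGTS.com/update"},
    {"domainname": "cdn.example.net", "url": "https://google-services.cc/base.zip"},
    {"domainname": "example.org", "sha256hash": "2735E12030C195FB5454E4736C51B55B59664B93CAE9F4BD5317AFCD9C2AF0BF"},
    {"domainname": "example.org", "url": "https://example.org/"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"record {idx}: matched detection query {hits}")
```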
Reference:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-clipper-wallet-swapping-browser-extension-malware/