Cybersecurity researchers have uncovered a sophisticated campaign distributing a malicious Chromium-based browser extension that silently replaces cryptocurrency wallet addresses during transactions. Disguised as a lightweight “Google Notes” extension, the malware is designed to steal digital assets without alerting the victim.
The attack is delivered through unsigned installers written in both .NET and Golang. Instead of installing the extension through an official browser store, the malware directly modifies Chromium browser files to install the extension and maintain persistence.
How the Attack Works
Once executed, the installer searches for Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and other compatible browsers. It terminates running browser processes and modifies the Preferences and Secure Preferences files to register the malicious extension.

Researchers found that the malware recalculates browser integrity values, allowing the extension to bypass certain security checks on older Chromium versions. On newer versions, the attackers rely on social engineering or developer mode to enable the extension. After installation, the installer removes itself, leaving very few traces on the infected system.
Unlike traditional malware that connects to a hardcoded command-and-control server, the extension uses an EtherHiding technique. It queries a public blockchain RPC endpoint and retrieves an encoded value from a smart contract, which is decoded at runtime to obtain the active backend server. This approach allows attackers to change their infrastructure without updating the malware itself, making detection and takedown more difficult.
Wallet Address Replacement and Detection
The extension requests broad permissions, including access to websites, browsing history, and clipboard data. It continuously monitors copy-and-paste activity and uses cryptocurrency-specific patterns to identify wallet addresses for multiple blockchains, including:
- Bitcoin (BTC)
- Ethereum (ETH)
- Bitcoin Cash (BCH)
- Ripple (XRP)
- Dash (DASH)
- Solana (SOL)
When a wallet address is copied, the extension sends it to the attacker’s backend using an embedded API key. The server responds with an attacker-controlled wallet address, which immediately replaces the original address in the clipboard. If the victim pastes the address without verifying it, the cryptocurrency is transferred directly to the attacker’s wallet.
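The swap described above can be caught from the victim's side by watching for the clipboard being rewritten immediately after a copy. The following is an added example, not code from the article or from the researchers: it classifies clipboard text by the six address families listed and flags same-chain rewrites; the polled snapshots are constructed input.

```python
"""Flag clipboard rewrites that look like wallet-address swapping.
Added example, not code from the article. Assumes clipboard snapshots were
collected by periodic polling as (seconds, text) pairs; the patterns are
format checks for the six chains the article lists, not checksum validation.
"""
import re

# Order matters: SOL's bare base58 pattern would also match BTC/XRP/DASH.
ADDRESS_PATTERNS = [
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BCH", re.compile(r"^(bitcoincash:)?[qp][a-z0-9]{41}$")),
    ("XRP", re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("DASH", re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("BTC", re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][1-9A-HJ-NP-Za-km-z]{25,34})$")),
    ("SOL", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]


def classify(text):
    """Return the chain label if text looks like a wallet address, else None."""
    s = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(s):
            return chain
    return None


def detect_swaps(snapshots, max_gap=2.0):
    """Return (t, chain, before, after) for every change in which an address
    is replaced by a different address of the same chain within max_gap
    seconds. A user re-copying that fast is rare; the extension rewrites the
    clipboard immediately after the copy, which is the signal we key on."""
    alerts = []
    for (t0, a), (t1, b) in zip(snapshots, snapshots[1:]):
        if a == b or t1 - t0 > max_gap:
            continue
        chain = classify(a)
        if chain and chain == classify(b):
            alerts.append((t1, chain, a.strip(), b.strip()))
    return alerts


# Constructed snapshots: an ETH address is copied, then rewritten 40 ms later
# with a different ETH address; the benign text and the repeat do not alert.
SAMPLE_SNAPSHOTS = [(0.00, "meeting notes"), (1.00, "0x" + "1a" * 20),
                    (1.04, "0x" + "ee" * 20), (9.00, "0x" + "ee" * 20)]
```

Tune max_gap to the polling interval of whatever agent collects the snapshots; a gap shorter than one poll period cannot be observed.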
Researchers also found that the installer contains embedded configuration data, including API keys, extension settings, supported wallet types, and blockchain RPC endpoints. The malicious extension is downloaded separately during installation, allowing attackers to update components without modifying the installer.
The campaign has affected users across multiple regions, with researchers observing a notable concentration of infections in India, suggesting opportunistic targeting of cryptocurrency users rather than a region-specific operation.
To reduce the risk of compromise, users should install browser extensions only from official stores, avoid running unsigned installers, carefully review requested permissions, and always verify the first and last few characters of a cryptocurrency wallet address before completing a transaction.
Security teams should also monitor for unauthorized changes to Chromium Secure Preferences files, unexpected browser configuration modifications, and unusual blockchain RPC traffic associated with EtherHiding infrastructure.
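One concrete form of the Secure Preferences check above. This is an added example, not the researchers' tooling: it assumes Chromium's extensions.settings layout and ManifestLocation codes, and the Secure Preferences content it audits is a constructed sample.

```python
"""Audit a Chromium "Secure Preferences" file for sideloaded extensions.
Added example, not code from the article or the researchers. Assumes the
Chromium layout extensions.settings.<id> with from_webstore, location,
update_url and manifest; location codes follow Chromium's ManifestLocation
enum (1 = INTERNAL, 4 = UNPACKED, 10 = EXTERNAL_COMPONENT).
"""
import json

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Permission set the article attributes to the malicious extension.
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history",
                     "tabs", "<all_urls>"}


def audit_secure_preferences(text):
    """Return findings for extensions not installed from the Web Store, or
    that combine the clipboard/history/site permissions the campaign uses.
    The HMACs under prefs["protection"]["macs"] are deliberately ignored:
    the installer recomputes them, so a valid MAC proves nothing here."""
    prefs = json.loads(text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        perms |= set(manifest.get("host_permissions", []))
        risky = sorted(perms & RISKY_PERMISSIONS)
        sideloaded = (not entry.get("from_webstore", False)
                      or entry.get("update_url") != WEBSTORE_UPDATE_URL)
        if sideloaded or risky:
            findings.append({"id": ext_id,
                             "name": manifest.get("name", "<unknown>"),
                             "sideloaded": sideloaded,
                             "location": entry.get("location"),
                             "risky_permissions": risky})
    return findings


# Constructed sample: one Web Store extension, one sideloaded "Google Notes".
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "location": 1,
               "update_url": WEBSTORE_UPDATE_URL,
               "manifest": {"name": "Legit Reader", "permissions": ["storage"]}},
    "b" * 32: {"from_webstore": False, "location": 4,
               "path": "C:\\Users\\x\\notes",
               "manifest": {"name": "Google Notes",
                            "permissions": ["clipboardRead", "clipboardWrite",
                                            "history", "tabs"],
                            "host_permissions": ["<all_urls>"]}}}}})

if __name__ == "__main__":
    for finding in audit_secure_preferences(SAMPLE_PREFS):
        print(finding)
```

Run it against each profile's Secure Preferences (and Preferences, which the installer also edits) for Chrome, Edge, Brave and Opera; a sideloaded entry with this permission set is the artifact the article describes.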
IOCs
| Type | Category | Value |
|---|---|---|
| SHA-256 | .NET Installer (BaseZipInstaller) | 2735e12030c195fb5454e4736c51b55b59664b93cae9f4bd5317afcd9c2af0bf<br>053620962047f50a91c6e8d1a6519eccc41fab51473f033086b4d816abe8bcb0 |
| SHA-256 | Golang-compiled Installer Variant | 11be4c47ff049322de41743f62544cafd32d67e24ad653b7ebedf8ebd63e0962<br>1432393691b415d0cd4680d9cee73e60896fbe63300d9f0355c96e91817e4b1d |
| URL | Payload distribution | hxxps://google-services[.]cc/base[.]zip |
| Domain | Command-and-Control (resolved via smart contract) | devops-offensive[.]cc<br>Zebregts[.]com |
| BTC wallet | Crypto wallet | 3JvDBvKbS6YYMKjV3R9e9Zfd67f467fNLy<br>1BbhVBxpniuZuAL1gGZnEMdQhmz9JGWpyT<br>3AcPNVh7NyESwX3ECymy3rkdH4Ke2c26Tj<br>1BVTrB47erypG3tevi1U9Fv6BbNUBEiuiX |
| Artifact | Sideload target | Chromium Secure Preferences file (Chrome, Edge, Brave, Opera profiles) |
| Extension files | manifest.json, crypto-patterns.js, Interceptor.js, content-script.j, cache.js, domain-resolver.js, service-worker.js, api-client.js | ed2599d6a8f30d5eaf14ad7f855aece0acdf7efa4a148eb18e4d9f0d8e2cd90c<br>daf82c67e8e5df6bbd5370172ac9374aa7dce48af05496e8ec3dba7b602c619b<br>6eb2f07265dd95cacd39dfcf0705786b97f3e173cf4e9b3dfe7bad141c9a9dd5<br>a2ffdbedc5c9f5400a2b1cf5d35f5ec1df06a74d0345f1035bcf75d36ed73e01<br>eb84ba4a0cd95655a021865d4fec93ae3393f86cc9848810ed0b49035b1c5e2c<br>6aaba685669d779ef8be8f7f4231096cfafd0ef386f3897c5e2106c177724fc8<br>2599064901308a97540af29197ed0b38702bbee38d6dbbfa61cf9eb5878353f3<br>ab450927b37e1b68e2be68832c354ac600e86e2545a904d4ca0ea283f2600cc2 |