Author Topic: Silent Swap Crypto Clipper Uses Fake Google Notes, and Extension to Steal Crypto  (Read 22 times)
Myleschetty (OP)
June 30, 2026, 05:10:57 PM
 #1



McAfee Advanced Threat Research has flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction.

The cryptocurrency clipper activity has been called Silent Swap due to how the installers will deploy a malicious Chromium extension masquerading as a benign 'Google Notes' utility, the cybersecurity company said in a technical report.

The unsigned .NET installer, named BaseZipInstaller, is designed to retrieve a ZIP archive, which serves as a foundation for the malicious browser extension by scanning the system for Chromium-based browsers. For each detected profile in those browsers, it forcibly terminates the browser process and injects the extension by modifying the Secure Preferences and Preferences files.

The end goal of the extension is to act as a clipper that's capable of intercepting and manipulating wallet addresses copied into the computer system clipboard with the goal of rerouting the funds to an attacker-controlled wallet. To realize its goals, the bogus Google Notes extension requests users to grant it permissions to access the clipboard, all URLs, and the browsing history.

The second strategy used by the attacker revolves around the covert installation of a browser extension on Chromium-based browsers like Google Chrome, Firefox, Microsoft Edge, Brave, and Vivaldi. The app was said to have Clipboard Stealers.


   
This disclosure comes as Socket reported on a pair of malicious Chrome and Mozilla Firefox browser extensions, both said to have the name "VPN Go: Free VPN" on the Chrome Web Store and Firefox Add-ons marketplace as we speak.
Both extensions present themselves as free VPN tools with a visible proxy service, but Socket researchers Kirill Boychenko and Kush Pandya said that under the hood, they both contain malicious clipboard theft logic that continuously monitors copied text and exfiltrates it for threat actor usage.

Telemetry data suggests that infections are globally distributed, with a higher concentration of victims reported in India. Other countries impacted by the campaign include the U.S., Brazil, Indonesia, and Spain.
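
A defender-side check for the permission combination described in the post above (clipboard, all URLs, browsing history), given as an added example that is not part of the original post or of the McAfee report. The permission strings are Chrome's standard manifest names; the directory passed to `audit` and the two sample manifests are constructed assumptions.

```python
import json
import tempfile
from pathlib import Path

CLIPBOARD = {"clipboardRead", "clipboardWrite"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def flagged_grants(manifest: dict) -> dict:
    """Return which of the three grant types named in the post a manifest requests."""
    requested = set()
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions",
                "optional_host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts matching every site reach all pages without a host permission.
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    return {
        "clipboard": sorted(requested & CLIPBOARD),
        "all_urls": sorted(requested & BROAD_HOSTS),
        "history": sorted(requested & {"history"}),
    }

def audit(root: Path) -> list:
    """Scan every manifest.json under root; report extensions holding all three grants."""
    findings = []
    for path in sorted(root.rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        if not isinstance(manifest, dict):
            continue
        grants = flagged_grants(manifest)
        if all(grants.values()):
            findings.append((manifest.get("name", "?"), str(path.parent), grants))
    return findings

def demo() -> list:
    """Audit two constructed manifests written to a temporary directory."""
    samples = {  # constructed sample data, not taken from any real extension
        "notes-lookalike": {"name": "Constructed Notes Sample", "manifest_version": 3,
                            "permissions": ["clipboardRead", "clipboardWrite", "history"],
                            "host_permissions": ["<all_urls>"]},
        "benign": {"name": "Constructed Benign Sample", "manifest_version": 3,
                   "permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for folder, manifest in samples.items():
            (Path(tmp) / folder).mkdir()
            (Path(tmp) / folder / "manifest.json").write_text(json.dumps(manifest))
        return [(name, grants) for name, _, grants in audit(Path(tmp))]
```

A hit only means the extension holds the same three grants; it still needs review against the installed-extension inventory before it is treated as malicious.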
