Close Menu
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice

Subscribe to Updates

Get the latest creative news from FooBar about art, design and business.

What's Hot

New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors

July 6, 2026

Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

July 6, 2026

Indirect Prompt Injection in Web Content Targets AI Agents

July 6, 2026
Facebook X (Twitter) Instagram
Monday, July 6
Facebook X (Twitter) Instagram Pinterest Vimeo
Cyberwire Daily
  • Home
  • News
  • Cyber Security
  • Internet of Things
  • Tips and Advice
Cyberwire Daily
Home»News»Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses
News

Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

Team-CWDBy Team-CWDJuly 6, 2026No Comments6 Mins Read
Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
Share
Facebook Twitter LinkedIn Pinterest Email


Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction.

The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs.

“The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign ‘Google Notes’ utility,” the cybersecurity company said in a technical report shared with The Hacker News.

The unsigned .NET installer, named BaseZipInstaller, is designed to retrieve a ZIP archive, which serves as a foundation for the malicious browser extension by scanning the system for Chromium-based browsers. For each detected profile in those browsers, it forcibly terminates the browser process and injects the extension by modifying the Secure Preferences and Preferences files.

The end goal of the extension is to act as a clipper that’s capable of intercepting and manipulating wallet addresses copied into the system clipboard with the goal of rerouting the funds to an attacker-controlled wallet. To realize its goals, the bogus Google Notes extension requests users to grant it permissions to access the clipboard, all URLs, and the browsing history.

Because most transactions on the blockchain are irreversible, an address swap can result in permanent financial loss. McAfee Labs said the activity overlaps with a prior CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both clusters.

A McAfee Labs spokesperson told The Hacker News that the initial access mechanism involves victims running a malicious file that launches CountLoader, which then fetches and installs additional payloads, in this case, a rogue browser extension.

“Our research did not conclusively identify whether those initial installers are primarily distributed through phishing, malvertising, or another social engineering technique, so we can’t attribute the campaign to one specific distribution method,” the spokesperson added. “However, we do know attackers have commonly used phishing email attachments, game cracks, and similar social engineering tactics to trick victims into installing CountLoader.”

What makes Silent Swap stand apart is the use of a technique called EtherHiding that uses the blockchain as a dead drop resolver to retrieve the active command-and-control (C2) server details. This allows the attacker to trivially update a smart contract value to point to the new domain instead of having to redeploy the malware itself.

The second aspect revolves around the covert installation of the browser extension on Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, and Vivaldi by modifying protected browser settings files. The attack, however, hinges on enabling the developer mode for newer versions of the browsers, something that a threat actor can accomplish through social engineering tactics.

“Normally, these browsers store security verification data (hash/HMAC values) alongside sensitive settings to detect unauthorized changes,” McAfee said. “The malware recalculates and updates these security values after tampering with the files, tricking the browser into believing the malicious extension was installed legitimately.”

“This allows the extension to bypass the normal extension web store installation process and load silently without user approval.”

The campaign’s persistence and evasion posture has been characterized as deliberate and layered, with the primary focus being on maintaining low visibility to the end user and high resilience against takedown and static analysis. Persistence is established by registering the extension by altering the browser’s Secure Preferences file so that it’s loaded on subsequent browser launches without the need for a separate mechanism.

In addition, the malware attempts to enable developer mode programmatically in Brave and Opera, and the installer is self-deleted after execution, effectively removing an indicator of initial compromise. Another evasion technique is the use of dynamic wallet substitution, which is responsible for fetching a replacement address corresponding to a victim’s original address.

“It sends the intercepted wallet address to the attacker backend and uses the response to dynamically substitute the original address,” McAfee said. “If the backend request fails, the function falls back to a predefined hard-coded wallet address, ensuring uninterrupted malicious activity.”

For every wallet address matching patterns associated with Bitcoin (BTC), Ethereum, Bitcoin Cash, Ripple, and Dash, it’s mapped to a unique attacker-controlled address on the server-side. In contrast, all submitted Solana addresses resolve to a single attacker address. As of writing, the Solana address has been found to have a balance of $1,902.45.

“Each submitted address is mapped to a unique attacker-controlled address. Re-submitting the same original returns the same replacement, indicating a deterministic one-to-one mapping maintained server-side. 

Telemetry data suggests that infections are globally distributed, with a higher concentration of victims reported in India. Other countries impacted by the campaign include the U.S., Brazil, Indonesia, and Spain.

“This campaign is a concise illustration of where consumer-targeted cryptocurrency theft is heading,” McAfee said. “Static attacker addresses have been replaced with a server-side, per-victim mapping. Fragile, hard-coded command-and-control domains have been replaced with a blockchain-resolved lookup that an operator can rotate with a single transaction.”

Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers

The disclosure comes as Socket reported on a pair of malicious Chrome and Mozilla Firefox browser extensions, both carrying the name “VPN Go: Free VPN” on the Chrome Web Store and Firefox Add-ons marketplace.

“Both extensions present themselves as free VPN tools and include visible proxy functionality,” Socket researchers Kirill Boychenko and Kush Pandya said. “Under the hood, both also contain malicious clipboard theft logic that continuously monitors copied text and exfiltrates it to threat actor-controlled infrastructure.”

The behavior extends beyond wallet addresses, as it allows the operators to siphon all kinds of sensitive data, including passwords, authentication codes, API keys, OAuth tokens, and seed phrases.

Further examination of the extensions has revealed a staged malicious update pattern, where the extension developer initially published a benign version to the extension storefront before introducing the clipboard-stealing capability through a subsequent update.

While versions 1.1 and 1.2 of the Chrome extension have been found to exfiltrate clipboard data to “178.236.252[.]133,” version 1.3 switches the exfiltration channel to a different IP address (“77.91.123[.]187”). In the case of its Firefox equivalent, 1.3.3 is the first version to include the clipboard stealer and send the information to “178.236.252[.]133.” The 1.3.4 update moves the infrastructure to “77.91.123[.]187.”

Users who have installed either of the extensions are advised to remove them immediately and treat any secrets copied while the extension was active as compromised.

“The static code is enough to show that the extensions were designed to function as proxy tools, not merely display a fake VPN interface,” Socket said. “The proxy capability still increases risk because it can route browser traffic through threat actor-supplied infrastructure, expose plaintext HTTP traffic and connection metadata, and make the extension appear useful while the clipboard monitor runs in parallel.”

(The story was updated after publication on July 1, 2026, to include a response from McAfee Labs.)



Source

Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
Previous ArticleIndirect Prompt Injection in Web Content Targets AI Agents
Next Article New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors
Team-CWD
  • Website

Related Posts

News

New Iran-Nexus Hacking Group Targets Israel Government and IT Sectors

July 6, 2026
News

Researchers Claim First Fully Agentic Ransomware: JadePuffer

July 6, 2026
News

GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks

July 6, 2026
Add A Comment
Leave A Reply Cancel Reply

Latest News

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views

Why SOC Burnout Can Be Avoided: Practical Steps

November 14, 20259 Views

Cyber M&A Roundup: Cyber Giants Strengthen AI Security Offerings

December 1, 20258 Views
Stay In Touch
  • Facebook
  • YouTube
  • TikTok
  • WhatsApp
  • Twitter
  • Instagram
Most Popular

North Korean Hackers Turn JSON Services into Covert Malware Delivery Channels

November 24, 202522 Views

macOS Stealer Campaign Uses “Cracked” App Lures to Bypass Apple Securi

September 7, 202517 Views

North Korean Hackers Target Crypto Firms with ClickFix and Zoom Lures

April 29, 202610 Views
Our Picks

Why LinkedIn is a hunting ground for threat actors – and how to protect yourself

January 16, 2026

How it preys on personal data – and how to stay safe

October 23, 2025

How to tell if a voice call is AI or not

February 23, 2026

Subscribe to Updates

Get the latest news from cyberwiredaily.com

Facebook X (Twitter) Instagram Pinterest
  • Home
  • Contact
  • Privacy Policy
  • Terms of Use
  • California Consumer Privacy Act (CCPA)
© 2026 All rights reserved.

Type above and press Enter to search. Press Esc to cancel.