Pulse: Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure
TLP: WHITE | Author: AlienVault | Created: 2025-01-10 | Modified: 2025-01-10 | 66 IOCs
A phishing attack against a Cyberhaven employee led to the compromise of the company's Google Chrome extension. The attacker published a malicious version to the Chrome Web Store that remained live for 24 hours and was capable of exfiltrating cookies and session data. Analysis of the associated IP addresses and domains revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate tied the previously reported infrastructure to additional hosts, suggesting a long-running operation. The infrastructure, hosted primarily on The Constant Company network, showed consistent domain-naming patterns that mimic known organizations and browser extensions, dating back to early 2024. Although the activity shares similarities with groups such as Savvy Seahorse, further analysis is needed to establish a definitive link.
Indicators of Compromise (66)