Pulse Detail — Threat Intelligence

PULSE NAME

Targeted supply chain attack against Chrome browser extensions

WHITE AlienVault 2025-01-22 Modified: 2025-02-21

IOCs

HIGH VOLUME

In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API keys, session cookies, and authentication tokens from websites such as ChatGPT and Facebook for Business. The analysis sheds light on the targeted phishing campaign, the adversary's infrastructure, and provides remediation steps along with technical indicators.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1539 T1589 T1550 T1566 T1036 T1041 T1587 T1586 T1059 T1105 T1528 T1071 T1583

Indicators of Compromise (66)

All FileHash-MD5 FileHash-SHA256 URL domain email

TYPE	INDICATOR	DESCRIPTION	CREATED
FileHash-MD5	4e42ac21ed5898fd75221a2f1164a107	—	2025-01-22
FileHash-MD5	b4690045862e6c21fb180dd6dcb6b6b3	—	2025-01-22
FileHash-SHA256	b0827dc54349b10098a7370ada4ea44ba668b264ccca2db5676be1c32e6cc154	—	2025-01-22
FileHash-SHA256	d303047205dabec8e2d34431e920ebe3478ca80a18f57bf454da094aca0e10aa	—	2025-01-22
URL	https://app.checkpolicy.site/accept-terms-policy?e=victim@example.com	—	2025-01-22
URL	https://app.checkpolicy.site/extension-privacy-policy?e=victime@example.com	—	2025-01-22
URL	https://graphqlnetwork.pro/ai-graphqlnetwork	—	2025-01-22
domain	adsblockforyoutube.site	—	2025-01-22
domain	adskiper.net	—	2025-01-22
domain	aiforgemini.com	—	2025-01-22
domain	bardaiforchrome.live	—	2025-01-22
domain	blockforads.com	—	2025-01-22
domain	castorus.info	—	2025-01-22
domain	chataiassistant.pro	—	2025-01-22
domain	chatgptextension.site	—	2025-01-22
domain	chatgptextent.pro	—	2025-01-22
domain	chatgptforsearch.com	—	2025-01-22
domain	checkpolicy.site	—	2025-01-22
domain	chromeforextension.com	—	2025-01-22
domain	chromewebstore-noreply.com	—	2025-01-22
domain	cyberhavenext.pro	—	2025-01-22
domain	dearflip.pro	—	2025-01-22
domain	extensionbuysell.com	—	2025-01-22
domain	extensionpolicy.net	—	2025-01-22
domain	extensionpolicyprivacy.com	—	2025-01-22
domain	geminiaigg.pro	—	2025-01-22
domain	geminiforads.com	—	2025-01-22
domain	goodenhancerblocker.site	—	2025-01-22
domain	gpt4chrome.live	—	2025-01-22
domain	gptdetector.live	—	2025-01-22
domain	gptforads.info	—	2025-01-22
domain	gptforbusiness.site	—	2025-01-22
domain	graphqlnetwork.pro	—	2025-01-22
domain	internetdownloadmanager.pro	—	2025-01-22
domain	internxtvpn.pro	—	2025-01-22
domain	iobit.pro	—	2025-01-22
domain	linewizeconnect.com	—	2025-01-22
domain	locallyext.ink	—	2025-01-22
domain	moonsift.store	—	2025-01-22
domain	openaigptforgg.site	—	2025-01-22
domain	parrottalks.info	—	2025-01-22
domain	pieadblock.pro	—	2025-01-22
domain	policyextension.info	—	2025-01-22
domain	primusext.pro	—	2025-01-22
domain	promptheusgpt.info	—	2025-01-22
domain	savechatgpt.site	—	2025-01-22
domain	savegpt.pro	—	2025-01-22
domain	savegptforchrome.com	—	2025-01-22
domain	savegptforyou.live	—	2025-01-22
domain	savgptforchrome.pro	—	2025-01-22
domain	searchaiassitant.info	—	2025-01-22
domain	searchcopilot.co	—	2025-01-22
domain	searchgptchat.info	—	2025-01-22
domain	supportchromestore.com	—	2025-01-22
domain	tinamind.info	—	2025-01-22
domain	ultrablock.pro	—	2025-01-22
domain	uvoice.live	—	2025-01-22
domain	videodownloadhelper.pro	—	2025-01-22
domain	vidnozflex.live	—	2025-01-22
domain	wakelet.ink	—	2025-01-22
domain	wayinai.live	—	2025-01-22
domain	youtubeadsblocker.live	—	2025-01-22
domain	ytbadblocker.com	—	2025-01-22
domain	yujaverity.info	—	2025-01-22
email	chromewebstore-noreply@chromeforextension.com	—	2025-01-22
email	chromewebstore-noreply@supportchromestore.com	—	2025-01-22

References (1)

↗ https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/