{ "type": "Domain", "indicator": "extensionsupdate.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/extensionsupdate.com", "alexa": "http://www.alexa.com/siteinfo/extensionsupdate.com", "indicator": "extensionsupdate.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 3732008644, "indicator": "extensionsupdate.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 7, "pulses": [ { "id": "64cc04f4a7999cd603aad8d6", "name": "New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3", "description": "Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.", "modified": "2023-08-03T19:51:41.834000", "created": "2023-08-03T19:50:12.519000", "tags": [ "Rilide Stealer", "Banking", "Chrome" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Rilide", "display_name": "Rilide", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Banks", "Government", "Crypto" ], "TLP": "white", "cloned_from": null, "export_count": 397, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 55, "domain": 18 }, "indicator_count": 177, "is_author": false, "is_subscribing": null, "subscriber_count": 386640, "modified_text": "1032 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67dd90a215aee67faa59f106", "name": "Rilide: An Information Stealing Browser Extension", "description": "Rilide is an information stealer masquerading as a browser extension that is designed to steal personal information, log passwords and steal credentials for cryptocurrency wallets, according to research published by CyberChef.", "modified": "2025-04-20T16:04:48.699000", "created": "2025-03-21T16:15:30.763000", "tags": [ "threat intelligence", "malware", "rilide", "powershell", "figure", "google drive", "vmray", "bitcoin address", "iocs", "cyberchef", "strong", "learn", "twitter", "april", "august", "dropper", "virustotal", "facebook", "restrict" ], "references": [ "https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Rilide", "display_name": "Rilide", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "arringtont", "id": "6086", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_6086/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 14, "domain": 17, "hostname": 3 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 104, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65539ae80b7b6e0d9c669216", "name": "Test Pulse", "description": "", "modified": "2023-12-16T16:02:10.435000", "created": "2023-11-14T16:06:00.013000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gzerphPer", "id": "197016", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "URL": 189, "FileHash-MD5": 442, "FileHash-SHA1": 395, "FileHash-SHA256": 659, "email": 1, "hostname": 298, "domain": 515, "FilePath": 12 }, "indicator_count": 2514, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d0a9b2cce537163168827e", "name": "New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 | Trustwave", "description": "", "modified": "2023-08-07T08:22:10.520000", "created": "2023-08-07T08:22:10.520000", "tags": [ "rilide", "rilide stealer", "manifest v3", "twitter", "c2 server", "rilide malware", "chrome web", "store", "permhash", "palo alto", "play", "phorpiex", "april", "redline stealer", "bumblebee", "iceid", "discord", "exploit", "anydesk", "night" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "parvesh4399", "id": "224939", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 55, "URL": 2, "domain": 18, "hostname": 2 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "1029 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ce7033ece5f78f8281a21d", "name": "New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3", "description": "Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.", "modified": "2023-08-05T15:52:19.804000", "created": "2023-08-05T15:52:19.804000", "tags": [ "sha1", "sha256", "rilide c2", "domain", "file name", "hash type", "hashes", "riot revelry", "night", "revelry" ], "references": [ "Rilide_Stealer_IOCs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ASQ505sa", "id": "217420", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 52, "URL": 2, "domain": 16, "hostname": 2 }, "indicator_count": 176, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "1030 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ccfd464f3fbe3a0bce24b9", "name": "New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3", "description": "", "modified": "2023-08-04T13:29:42.189000", "created": "2023-08-04T13:29:42.189000", "tags": [], "references": [ "August 4th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2975 - New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 55, "URL": 2, "domain": 17, "hostname": 2 }, "indicator_count": 180, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1031 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64cbc9c43e7f0344f99a9bb2", "name": "New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3", "description": "Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency.\n\n\"It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures,\" Trustwave security researcher Pawel Knapczyk said in a report shared with The Hacker News.", "modified": "2023-08-03T15:37:39.721000", "created": "2023-08-03T15:37:39.721000", "tags": [ "rilide", "rilide stealer", "manifest v3", "twitter", "c2 server", "rilide malware", "chrome web", "store", "permhash", "palo alto", "play", "phorpiex", "april", "redline stealer", "bumblebee", "iceid", "discord", "exploit", "anydesk", "night", "v2", "globalprotect", "hosting rilide", "serving rilide", "redline", "threat" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/", "https://thehackernews.com/2023/08/new-version-of-rilide-data-theft.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "V2", "display_name": "V2", "target": null }, { "id": "GlobalProtect", "display_name": "GlobalProtect", "target": null }, { "id": "Hosting Rilide", "display_name": "Hosting Rilide", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Serving Rilide", "display_name": "Serving Rilide", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Rilide", "display_name": "Rilide", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Banks", "Government", "Crypto" ], "TLP": "white", "cloned_from": null, "export_count": 320, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 55, "URL": 2, "domain": 18, "hostname": 2 }, "indicator_count": 183, "is_author": false, "is_subscribing": null, "subscriber_count": 434, "modified_text": "1032 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://thehackernews.com/2023/08/new-version-of-rilide-data-theft.html", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/", "Rilide_Stealer_IOCs.csv", "https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/", "August 4th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2975 - New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3.pdf" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Rilide" ], "industries": [ "Banks", "Crypto", "Government" ] }, "other": { "adversary": [], "malware_families": [ "V2", "Redline", "Globalprotect", "Rilide", "Phorpiex", "Threat", "Hosting rilide", "Serving rilide" ], "industries": [ "Banks", "Crypto", "Government" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 7, "pulses": [ { "id": "64cc04f4a7999cd603aad8d6", "name": "New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3", "description": "Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.", "modified": "2023-08-03T19:51:41.834000", "created": "2023-08-03T19:50:12.519000", "tags": [ "Rilide Stealer", "Banking", "Chrome" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Rilide", "display_name": "Rilide", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Banks", "Government", "Crypto" ], "TLP": "white", "cloned_from": null, "export_count": 397, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 55, "domain": 18 }, "indicator_count": 177, "is_author": false, "is_subscribing": null, "subscriber_count": 386640, "modified_text": "1032 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "67dd90a215aee67faa59f106", "name": "Rilide: An Information Stealing Browser Extension", "description": "Rilide is an information stealer masquerading as a browser extension that is designed to steal personal information, log passwords and steal credentials for cryptocurrency wallets, according to research published by CyberChef.", "modified": "2025-04-20T16:04:48.699000", "created": "2025-03-21T16:15:30.763000", "tags": [ "threat intelligence", "malware", "rilide", "powershell", "figure", "google drive", "vmray", "bitcoin address", "iocs", "cyberchef", "strong", "learn", "twitter", "april", "august", "dropper", "virustotal", "facebook", "restrict" ], "references": [ "https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Rilide", "display_name": "Rilide", "target": null } ], "attack_ids": [ { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1104", "name": "Multi-Stage Channels", "display_name": "T1104 - Multi-Stage Channels" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1560", "name": "Archive Collected Data", "display_name": "T1560 - Archive Collected Data" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "arringtont", "id": "6086", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_6086/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "BitcoinAddress": 1, "FileHash-MD5": 1, "FileHash-SHA1": 1, "FileHash-SHA256": 1, "URL": 14, "domain": 17, "hostname": 3 }, "indicator_count": 38, "is_author": false, "is_subscribing": null, "subscriber_count": 104, "modified_text": "406 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "65539ae80b7b6e0d9c669216", "name": "Test Pulse", "description": "", "modified": "2023-12-16T16:02:10.435000", "created": "2023-11-14T16:06:00.013000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "gzerphPer", "id": "197016", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 3, "URL": 189, "FileHash-MD5": 442, "FileHash-SHA1": 395, "FileHash-SHA256": 659, "email": 1, "hostname": 298, "domain": 515, "FilePath": 12 }, "indicator_count": 2514, "is_author": false, "is_subscribing": null, "subscriber_count": 1, "modified_text": "897 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64d0a9b2cce537163168827e", "name": "New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 | Trustwave", "description": "", "modified": "2023-08-07T08:22:10.520000", "created": "2023-08-07T08:22:10.520000", "tags": [ "rilide", "rilide stealer", "manifest v3", "twitter", "c2 server", "rilide malware", "chrome web", "store", "permhash", "palo alto", "play", "phorpiex", "april", "redline stealer", "bumblebee", "iceid", "discord", "exploit", "anydesk", "night" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "parvesh4399", "id": "224939", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 55, "URL": 2, "domain": 18, "hostname": 2 }, "indicator_count": 181, "is_author": false, "is_subscribing": null, "subscriber_count": 55, "modified_text": "1029 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ce7033ece5f78f8281a21d", "name": "New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3", "description": "Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around the Chrome Extension Manifest V3 from Google which is aimed at blocking the installation of malicious extensions for chromium browsers.", "modified": "2023-08-05T15:52:19.804000", "created": "2023-08-05T15:52:19.804000", "tags": [ "sha1", "sha256", "rilide c2", "domain", "file name", "hash type", "hashes", "riot revelry", "night", "revelry" ], "references": [ "Rilide_Stealer_IOCs.csv" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "ASQ505sa", "id": "217420", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 52, "URL": 2, "domain": 16, "hostname": 2 }, "indicator_count": 176, "is_author": false, "is_subscribing": null, "subscriber_count": 33, "modified_text": "1030 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64ccfd464f3fbe3a0bce24b9", "name": "New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3", "description": "", "modified": "2023-08-04T13:29:42.189000", "created": "2023-08-04T13:29:42.189000", "tags": [], "references": [ "August 4th, 2023 - CryptoGen Cyber Threat Intelligence Advisory #2975 - New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3.pdf" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "cryptocti", "id": "110256", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_110256/resized/80/avatar_e237a4257c.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 55, "URL": 2, "domain": 17, "hostname": 2 }, "indicator_count": 180, "is_author": false, "is_subscribing": null, "subscriber_count": 499, "modified_text": "1031 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "64cbc9c43e7f0344f99a9bb2", "name": "New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3", "description": "Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and steal cryptocurrency.\n\n\"It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures,\" Trustwave security researcher Pawel Knapczyk said in a report shared with The Hacker News.", "modified": "2023-08-03T15:37:39.721000", "created": "2023-08-03T15:37:39.721000", "tags": [ "rilide", "rilide stealer", "manifest v3", "twitter", "c2 server", "rilide malware", "chrome web", "store", "permhash", "palo alto", "play", "phorpiex", "april", "redline stealer", "bumblebee", "iceid", "discord", "exploit", "anydesk", "night", "v2", "globalprotect", "hosting rilide", "serving rilide", "redline", "threat" ], "references": [ "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/new-rilide-stealer-version-targets-banking-data-and-works-around-google-chrome-manifest-v3/", "https://thehackernews.com/2023/08/new-version-of-rilide-data-theft.html" ], "public": 1, "adversary": "", "targeted_countries": [ "Australia", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "V2", "display_name": "V2", "target": null }, { "id": "GlobalProtect", "display_name": "GlobalProtect", "target": null }, { "id": "Hosting Rilide", "display_name": "Hosting Rilide", "target": null }, { "id": "Phorpiex", "display_name": "Phorpiex", "target": null }, { "id": "Serving Rilide", "display_name": "Serving Rilide", "target": null }, { "id": "Redline", "display_name": "Redline", "target": null }, { "id": "Threat", "display_name": "Threat", "target": null }, { "id": "Rilide", "display_name": "Rilide", "target": null } ], "attack_ids": [ { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1547", "name": "Boot or Logon Autostart Execution", "display_name": "T1547 - Boot or Logon Autostart Execution" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1218", "name": "Signed Binary Proxy Execution", "display_name": "T1218 - Signed Binary Proxy Execution" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [ "Banks", "Government", "Crypto" ], "TLP": "white", "cloned_from": null, "export_count": 320, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "dekaRituraj", "id": "99856", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_99856/resized/80/avatar_0e93d502b7.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 52, "FileHash-SHA1": 52, "FileHash-SHA256": 55, "URL": 2, "domain": 18, "hostname": 2 }, "indicator_count": 183, "is_author": false, "is_subscribing": null, "subscriber_count": 434, "modified_text": "1032 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "extensionsupdate.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "extensionsupdate.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780303685.9358857 }