{ "type": "Domain", "indicator": "forextensions.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/forextensions.com", "alexa": "http://www.alexa.com/siteinfo/forextensions.com", "indicator": "forextensions.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4020197020, "indicator": "forextensions.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 2, "pulses": [ { "id": "676eb7ea8d206aea4fcd8efd", "name": "Cyber startup employee hacked to distribute malicious Chrome extension", "description": "Several Chrome extensions have been compromised, including those related to Cyberhaven. The affected extensions are linked to multiple suspicious domains resolving to the same IP address as cyberhavenext[.]pro. Some confirmed compromised extensions are listed with their corresponding URLs. Users are advised to search for these extensions in their environments and monitor for any traffic to the IP address 149.28.124[.]84. This information suggests a widespread attack targeting browser extensions, potentially putting users' data and privacy at risk.", "modified": "2025-02-01T13:03:40.916000", "created": "2024-12-27T14:21:30.415000", "tags": [ "Browser Extensions", "Chrome", "Cyberhaven" ], "references": [ "https://www.linkedin.com/posts/jaimeblasco_regarding-the-cyberhaven-chrome-extension-activity-7278237969637941248-qBEj/", "https://therecord.media/cyberhaven-hack-google-chrome-extension", "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/", "https://www.extensiontotal.com/cyberhaven-incident-live" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 74, "hostname": 1 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 386837, "modified_text": "485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677668bde78f11857f95a4db", "name": "New details reveal how hackers hijacked 35 Google Chrome extensions", "description": "A round-up of cybersecurity and cyberattack stories from the 21st Century, as reported by Bill Toulas, who was at the centre of a phishing campaign targeting Google Chrome developers.", "modified": "2025-01-02T10:21:49.921000", "created": "2025-01-02T10:21:49.921000", "tags": [ "chrome web", "store", "google", "facebook", "cyberhaven", "google groups", "december", "march", "facebook id", "chrome browser", "virustotal", "snowflake", "linux" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "515 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://www.extensiontotal.com/cyberhaven-incident-live", "https://therecord.media/cyberhaven-hack-google-chrome-extension", "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/", "https://www.linkedin.com/posts/jaimeblasco_regarding-the-cyberhaven-chrome-extension-activity-7278237969637941248-qBEj/" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [ "Linux" ], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 2, "pulses": [ { "id": "676eb7ea8d206aea4fcd8efd", "name": "Cyber startup employee hacked to distribute malicious Chrome extension", "description": "Several Chrome extensions have been compromised, including those related to Cyberhaven. The affected extensions are linked to multiple suspicious domains resolving to the same IP address as cyberhavenext[.]pro. Some confirmed compromised extensions are listed with their corresponding URLs. Users are advised to search for these extensions in their environments and monitor for any traffic to the IP address 149.28.124[.]84. This information suggests a widespread attack targeting browser extensions, potentially putting users' data and privacy at risk.", "modified": "2025-02-01T13:03:40.916000", "created": "2024-12-27T14:21:30.415000", "tags": [ "Browser Extensions", "Chrome", "Cyberhaven" ], "references": [ "https://www.linkedin.com/posts/jaimeblasco_regarding-the-cyberhaven-chrome-extension-activity-7278237969637941248-qBEj/", "https://therecord.media/cyberhaven-hack-google-chrome-extension", "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/", "https://www.extensiontotal.com/cyberhaven-incident-live" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1567", "name": "Exfiltration Over Web Service", "display_name": "T1567 - Exfiltration Over Web Service" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 78, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "domain": 74, "hostname": 1 }, "indicator_count": 75, "is_author": false, "is_subscribing": null, "subscriber_count": 386837, "modified_text": "485 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "677668bde78f11857f95a4db", "name": "New details reveal how hackers hijacked 35 Google Chrome extensions", "description": "A round-up of cybersecurity and cyberattack stories from the 21st Century, as reported by Bill Toulas, who was at the centre of a phishing campaign targeting Google Chrome developers.", "modified": "2025-01-02T10:21:49.921000", "created": "2025-01-02T10:21:49.921000", "tags": [ "chrome web", "store", "google", "facebook", "cyberhaven", "google groups", "december", "march", "facebook id", "chrome browser", "virustotal", "snowflake", "linux" ], "references": [ "https://www.bleepingcomputer.com/news/security/new-details-reveal-how-hackers-hijacked-35-google-chrome-extensions/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Linux", "display_name": "Linux", "target": null } ], "attack_ids": [ { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 28, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 3 }, "indicator_count": 3, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "515 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": false, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "forextensions.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "forextensions.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780388848.8805244 }