{ "type": "Domain", "indicator": "savegptforchrome.com", "general": { "sections": [ "general", "geo", "url_list", "passive_dns", "malware", "whois", "http_scans" ], "whois": "http://whois.domaintools.com/savegptforchrome.com", "alexa": "http://www.alexa.com/siteinfo/savegptforchrome.com", "indicator": "savegptforchrome.com", "type": "domain", "type_title": "Domain", "validation": [], "base_indicator": { "id": 4025183358, "indicator": "savegptforchrome.com", "type": "domain", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "67911c6446b0ab9591b82cad", "name": "Targeted supply chain attack against Chrome browser extensions", "description": "In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API keys, session cookies, and authentication tokens from websites such as ChatGPT and Facebook for Business. The analysis sheds light on the targeted phishing campaign, the adversary's infrastructure, and provides remediation steps along with technical indicators.", "modified": "2025-02-21T16:00:53.144000", "created": "2025-01-22T16:27:16.545000", "tags": [ "supply chain", "credentials", "phishing", "data harvesting", "browser extensions" ], "references": [ "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 57, "email": 2 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386552, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6780a344bb58bb0f16d99226", "name": "Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure", "description": "A phishing attack targeting a Cyberhaven employee led to the compromise of their Google Chrome extension. The attacker published a malicious version on the Chrome Web Store, active for 24 hours, capable of exfiltrating cookies and session data. Analysis of IP addresses and domains revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate linked previously reported infrastructure to additional connections, suggesting a long-running operation. The infrastructure, primarily hosted on The Constant Company network, showed consistent domain patterns mimicking known organizations and extensions dating back to early 2024. While similarities exist with groups like Savvy Seahorse, further analysis is needed to establish definitive links.", "modified": "2025-01-10T08:35:58.191000", "created": "2025-01-10T04:34:12.807000", "tags": [ "chrome extension", "phishing", "certificate rotation", "domain spoofing" ], "references": [ "https://hunt.io/blog/cyberhaven-extension-compromise-tls-certificate-links-infrastructure" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France", "Germany", "Singapore" ], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 44, "hostname": 21 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386552, "modified_text": "506 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679a4201ac174a03171235ef", "name": "Targeted supply chain attack against Chrome browser extensions - Sekoia.io Blog", "description": "A security firm, Sekoia, has uncovered a supply chain attack against Chrome browser extensions, which it believes may have been carried out since at least 2023 and possibly even earlier, according to its analysis.", "modified": "2025-02-28T14:02:13.817000", "created": "2025-01-29T14:58:09.517000", "tags": [ "chrome", "december", "chrome web", "store", "c2 server", "cyberhaven", "chatgpt", "urls", "post request", "chrome browser", "facebook", "phishing", "requires", "john", "stealc", "vidar", "raccoon" ], "references": [ "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/#h-compromised-extensions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 63, "email": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "references": [ "https://hunt.io/blog/cyberhaven-extension-compromise-tls-certificate-links-infrastructure", "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/", "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/#h-compromised-extensions" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [] }, "other": { "adversary": [], "malware_families": [], "industries": [] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "67911c6446b0ab9591b82cad", "name": "Targeted supply chain attack against Chrome browser extensions", "description": "In December 2024, a threat actor successfully compromised around a dozen legitimate Chrome browser extensions by exploiting extension developers' permissions gained through phishing attacks. The malicious code injected into the compromised extensions aimed to harvest sensitive user data like API keys, session cookies, and authentication tokens from websites such as ChatGPT and Facebook for Business. The analysis sheds light on the targeted phishing campaign, the adversary's infrastructure, and provides remediation steps along with technical indicators.", "modified": "2025-02-21T16:00:53.144000", "created": "2025-01-22T16:27:16.545000", "tags": [ "supply chain", "credentials", "phishing", "data harvesting", "browser extensions" ], "references": [ "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 81, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 57, "email": 2 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386552, "modified_text": "464 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "6780a344bb58bb0f16d99226", "name": "Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure", "description": "A phishing attack targeting a Cyberhaven employee led to the compromise of their Google Chrome extension. The attacker published a malicious version on the Chrome Web Store, active for 24 hours, capable of exfiltrating cookies and session data. Analysis of IP addresses and domains revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate linked previously reported infrastructure to additional connections, suggesting a long-running operation. The infrastructure, primarily hosted on The Constant Company network, showed consistent domain patterns mimicking known organizations and extensions dating back to early 2024. While similarities exist with groups like Savvy Seahorse, further analysis is needed to establish definitive links.", "modified": "2025-01-10T08:35:58.191000", "created": "2025-01-10T04:34:12.807000", "tags": [ "chrome extension", "phishing", "certificate rotation", "domain spoofing" ], "references": [ "https://hunt.io/blog/cyberhaven-extension-compromise-tls-certificate-links-infrastructure" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "France", "Germany", "Singapore" ], "malware_families": [], "attack_ids": [ { "id": "T1040", "name": "Network Sniffing", "display_name": "T1040 - Network Sniffing" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1552", "name": "Unsecured Credentials", "display_name": "T1552 - Unsecured Credentials" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1598", "name": "Phishing for Information", "display_name": "T1598 - Phishing for Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 53, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1, "domain": 44, "hostname": 21 }, "indicator_count": 66, "is_author": false, "is_subscribing": null, "subscriber_count": 386552, "modified_text": "506 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 }, { "id": "679a4201ac174a03171235ef", "name": "Targeted supply chain attack against Chrome browser extensions - Sekoia.io Blog", "description": "A security firm, Sekoia, has uncovered a supply chain attack against Chrome browser extensions, which it believes may have been carried out since at least 2023 and possibly even earlier, according to its analysis.", "modified": "2025-02-28T14:02:13.817000", "created": "2025-01-29T14:58:09.517000", "tags": [ "chrome", "december", "chrome web", "store", "c2 server", "cyberhaven", "chatgpt", "urls", "post request", "chrome browser", "facebook", "phishing", "requires", "john", "stealc", "vidar", "raccoon" ], "references": [ "https://blog.sekoia.io/targeted-supply-chain-attack-against-chrome-browser-extensions/#h-compromised-extensions" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [ { "id": "T1036", "name": "Masquerading", "display_name": "T1036 - Masquerading" }, { "id": "T1041", "name": "Exfiltration Over C2 Channel", "display_name": "T1041 - Exfiltration Over C2 Channel" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1528", "name": "Steal Application Access Token", "display_name": "T1528 - Steal Application Access Token" }, { "id": "T1539", "name": "Steal Web Session Cookie", "display_name": "T1539 - Steal Web Session Cookie" }, { "id": "T1550", "name": "Use Alternate Authentication Material", "display_name": "T1550 - Use Alternate Authentication Material" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1583", "name": "Acquire Infrastructure", "display_name": "T1583 - Acquire Infrastructure" }, { "id": "T1586", "name": "Compromise Accounts", "display_name": "T1586 - Compromise Accounts" }, { "id": "T1587", "name": "Develop Capabilities", "display_name": "T1587 - Develop Capabilities" }, { "id": "T1589", "name": "Gather Victim Identity Information", "display_name": "T1589 - Gather Victim Identity Information" }, { "id": "T1189", "name": "Drive-by Compromise", "display_name": "T1189 - Drive-by Compromise" }, { "id": "T1134", "name": "Access Token Manipulation", "display_name": "T1134 - Access Token Manipulation" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1195", "name": "Supply Chain Compromise", "display_name": "T1195 - Supply Chain Compromise" } ], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 4, "FileHash-SHA1": 2, "FileHash-SHA256": 2, "URL": 3, "domain": 63, "email": 2 }, "indicator_count": 76, "is_author": false, "is_subscribing": null, "subscriber_count": 864, "modified_text": "457 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "domain", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "savegptforchrome.com", "type": "Domain" }, "abuseipdb": null, "urlhaus": { "indicator": "savegptforchrome.com", "found": false, "verdict": "clean", "urls": [], "error": null }, "from_cache": true, "_cached_at": 1780246898.6039624 }