A new malware campaign is targeting cryptocurrency users, and it doesn’t need to empty your wallet directly. Instead, it waits for the moment you’re about to make a transaction.
Researchers at McAfee have uncovered a malicious browser extension that silently replaces copied cryptocurrency wallet addresses with ones controlled by the attacker. If you don’t double-check the address before sending funds, the money ends up in the wrong wallet. Since cryptocurrency transactions are irreversible, there’s little chance of getting it back.
The malware arrives through unsigned .NET and Golang installers that quietly install a fake Chromium extension called “Google Notes.” At first glance, it looks like an ordinary note-taking tool. It even works as one, making it less likely that someone will question why it’s sitting in their browser.
But the real problem is what’s going on behind the scenes. The extension watches the clipboard for cryptocurrency wallet addresses across multiple blockchains. When you copy one, it leaves the clipboard alone until the moment you paste, then substitutes an attacker-controlled address. Unless you’re in the habit of comparing the full wallet string before confirming a transfer, the change is easy to miss.
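The check that defeats a paste-time swap is the one the article recommends: compare the full address you copied with the one that actually landed in the form. The script below is an added illustration written for this article, not code from McAfee or from the malware; it classifies strings by address shape for three chains (simplified, constructed patterns that check shape only, not checksums) and flags copy/paste pairs where a wallet address went in and a different address came out. The sample events are constructed and none of the addresses are real wallets.

```python
import re

# Constructed address patterns for three common chains (assumption: simplified; they check
# shape only, not checksums, and are not exhaustive across the chains a clipper may target).
ADDRESS_PATTERNS = {
    "BTC": re.compile(r"^(bc1[02-9ac-hj-np-z]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "ETH": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "TRX": re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$"),
}


def address_chain(text):
    """Return the chain name whose address shape matches text, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def check_paste(copied, pasted):
    """Compare what was copied with what landed in the field.

    Returns None when nothing is wrong (not an address, or identical), otherwise a
    finding describing the mismatch. A same-chain mismatch is the clipper signature:
    the substitute has to look valid for the chain you are paying on, or the wallet
    software would reject it.
    """
    copied_chain = address_chain(copied)
    if copied_chain is None or copied.strip() == pasted.strip():
        return None
    if address_chain(pasted) == copied_chain:
        verdict = "wallet address swapped"
    else:
        verdict = "clipboard content altered"
    return {
        "copied": copied.strip(),
        "pasted": pasted.strip(),
        "chain": copied_chain,
        "verdict": verdict,
    }


def scan_events(events):
    """Run check_paste over (copied, pasted) pairs and keep only the findings."""
    return [f for f in (check_paste(c, p) for c, p in events) if f is not None]


# Constructed copy/paste pairs, as a clipboard monitor might record them; none are real wallets.
ETH_MINE = "0x" + "ab" * 20
ETH_OTHER = "0x" + "cd" * 20
BTC_MINE = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
BTC_OTHER = "bc1q" + "z" * 38

SAMPLE_EVENTS = [
    ("meeting notes for monday", "meeting notes for monday"),  # ordinary text, ignored
    (ETH_MINE, ETH_MINE),                                      # address pasted intact
    (ETH_MINE, ETH_OTHER),                                     # same chain, different address
    (BTC_MINE, BTC_OTHER),                                     # same chain, different address
    (ETH_MINE, "totally unrelated text"),                      # altered into something else
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"{finding['verdict']} ({finding['chain']}): "
              f"{finding['copied']} -> {finding['pasted']}")
```

The same comparison is what a wallet front end or a browser-side hook would perform before the Send button is enabled: the copied value has to be retained somewhere the extension cannot reach, which is why a visual check of the full string, not just the first and last few characters, remains the practical defence.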
According to McAfee, the campaign appears to come from the same threat actor behind the CountLoader malware. Earlier versions relied on an in-memory crypto clipper. This one takes a different route by abusing browser extensions instead.
The installation method is one of the more interesting parts of the campaign. Rather than asking users to install the extension normally, the malware modifies protected Chromium settings files and recalculates the integrity values those browsers use to detect tampering. That makes browsers such as Google Chrome, Brave, and Microsoft Edge treat the extension as if nothing unusual happened.
That said, on recent Chrome and Edge builds, the browser must have Developer Mode enabled before the extension can run. That reduces the risk for many users, although McAfee notes that attackers could still rely on social engineering to convince victims to switch it on. People using older Chromium-based browsers face a higher risk because those protections are weaker or missing altogether.
The malware also avoids relying on a fixed command-and-control server. Instead, it queries a public blockchain RPC endpoint, reads data from a smart contract, and retrieves the current server from there. During its investigation, McAfee found it resolving to Zebregts[.]com. The approach, known as EtherHiding, lets attackers change their infrastructure without updating the malware itself, making takedowns more difficult.
McAfee’s telemetry shows infections across multiple countries, with India accounting for the largest share of detections. That suggests the attackers are after cryptocurrency users wherever they can find them rather than focusing on a particular region.
The fake Google Notes extension also asks for permissions that don’t make much sense for a simple notes app. It requests access to every website you visit, your browsing history, and your clipboard. Any extension asking for that level of access deserves a closer look before you click Install.
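Two things in this campaign show up in the browser's own extension records: the extension was not installed from the Web Store (it was written into the profile and, on current builds, runs unpacked in Developer Mode), and it holds clipboard, history and all-sites permissions. The audit script below is an added example for this article, not McAfee's tooling; it walks a Chromium preferences file and flags extensions on either count. The field names (extensions.settings.<id> with location, from_webstore, path and manifest) and the unpacked location code are my understanding of Chromium's preferences layout, not something the article states, so confirm them against your browser build. The sample data is constructed, with placeholder IDs and paths.

```python
import json

# Assumed layout of Chromium's "Secure Preferences" / "Preferences" JSON: each installed
# extension lives under extensions.settings.<id> with "location", "from_webstore", "path"
# and a copy of its "manifest". These names and the unpacked location code are my reading
# of Chromium, not taken from the article; verify them on your build.
UNPACKED_LOCATION = 4
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history", "tabs", "<all_urls>"}


def extension_permissions(manifest):
    """Union of API and host permissions (MV2 lists hosts under 'permissions',
    MV3 under 'host_permissions')."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def audit_extensions(prefs):
    """Flag extensions that were not installed from the Web Store, are loaded unpacked,
    or hold permissions a note-taking tool has no business asking for."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("loaded unpacked (requires Developer Mode)")
        risky = sorted(extension_permissions(manifest) & RISKY_PERMISSIONS)
        if risky:
            reasons.append("broad permissions: " + ", ".join(risky))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "path": entry.get("path"),
                "reasons": reasons,
            })
    return findings


def audit_file(path):
    """Load a real preferences file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_extensions(json.load(fh))


# Constructed sample mimicking the layout above; IDs and paths are placeholders.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.0_0",
                "manifest": {"name": "Tab Counter", "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Local\\GoogleNotes",
                "manifest": {
                    "name": "Google Notes",
                    "permissions": ["clipboardRead", "history", "tabs", "storage"],
                    "host_permissions": ["<all_urls>"],
                },
            },
        }
    }
}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS):
        print(f"{finding['name']} ({finding['id']}) at {finding['path']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

On Windows the file to feed audit_file is typically Secure Preferences under the profile directory (for Chrome, %LOCALAPPDATA%\Google\Chrome\User Data\Default; Edge and Brave keep equivalent directories under Microsoft\Edge and BraveSoftware\Brave-Browser). Note what this does and does not catch: it reports what the browser currently believes is installed, which is exactly the record this malware edits, so a forged entry will show up here as a non-Web-Store, unpacked extension with broad permissions, but the script does not verify the file's integrity values and will not tell you whether they were recalculated.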
The discovery is another reminder that browser extensions can be just as risky as downloaded software. We recently reported on malicious Chrome and Firefox extensions posing as free VPNs, while Google also rolled out a Chrome security update that fixed 382 vulnerabilities.
The post This fake browser extension can quietly steal your cryptocurrency appeared first on PiunikaWeb.