
Privacy and Prizes: Rewards from a Malicious Browser Extension

Severity: Medium
Published: Tue Oct 21 2025 (10/21/2025, 16:05:42 UTC)
Source: AlienVault OTX General

Description

A phishing campaign targets users by enticing them to manually install a malicious Chrome browser extension disguised as a MAC spoofer, promising a $50,000 prize and privacy protection. The extension bypasses the Chrome Web Store, using social engineering and a seemingly legitimate domain to gain trust. Once installed, it captures user credentials during login to various services and sends this data to an attacker-controlled server. This threat exploits user interaction and manual installation to evade automated detection. The campaign highlights the risks of installing extensions from untrusted sources and the importance of human analysis in threat detection.

AI-Powered Analysis

Last updated: 10/21/2025, 16:22:23 UTC

Technical Analysis

This threat involves a phishing campaign that persuades victims to install a malicious Chrome browser extension through an attached file rather than via the official Chrome Web Store. The extension is disguised as a MAC address spoofer, a tool that ostensibly enhances privacy, and lures victims with the promise of a $50,000 prize. The attacker employs social engineering tactics and uses a domain that appears legitimate to build trust and encourage manual installation, which circumvents Chrome's automated security checks. Once installed, the extension intercepts user credentials during login processes across multiple services, capturing sensitive authentication data. The stolen credentials are then exfiltrated to a command-and-control server controlled by the attacker. The campaign leverages several MITRE ATT&CK techniques including T1059.007 (Command and Scripting Interpreter: JavaScript), T1204.002 (User Execution: Malicious File), T1176 (Browser Extensions), T1140 (Deobfuscate/Decode Files or Information), T1185 (Man in the Browser), T1102.002 (Web Service), T1027.002 (Obfuscated Files or Information), and T1056.004 (Input Capture: Credential API Hooking). The manual installation requirement and social engineering elements make this threat particularly insidious, as it bypasses automated defenses and relies on user trust and interaction. The campaign underscores the critical role of human analysis in identifying threats that evade automated detection systems.

Potential Impact

For European organizations, this threat poses a significant risk to user credential confidentiality, potentially leading to unauthorized access to corporate accounts, sensitive data breaches, and lateral movement within networks. The manual installation vector means that employees who are not adequately trained in cybersecurity awareness are vulnerable, increasing the likelihood of successful compromise. Credential theft can facilitate further attacks such as business email compromise, financial fraud, and espionage. The use of a seemingly legitimate domain and social engineering increases the risk of widespread infection, especially in sectors with high-value targets or those reliant on Chrome browser extensions. The exfiltration of credentials to attacker-controlled servers can also lead to regulatory compliance issues under GDPR, with potential fines and reputational damage. The threat’s medium severity reflects the need for vigilance but also indicates that exploitation requires user interaction, somewhat limiting its automatic spread.

Mitigation Recommendations

European organizations should implement targeted user awareness training focusing on the risks of installing browser extensions from unverified sources and the dangers of phishing campaigns promising unrealistic rewards. Enforce strict policies that prohibit manual installation of browser extensions outside of the official Chrome Web Store and use enterprise browser management tools to whitelist approved extensions only. Deploy endpoint detection and response (EDR) solutions capable of monitoring and alerting on suspicious browser extension behaviors, including credential interception and network communications to unknown IP addresses. Regularly audit installed browser extensions across the organization to detect unauthorized additions. Implement multi-factor authentication (MFA) on all critical services to reduce the impact of credential theft. Network monitoring should include inspection of outbound traffic to detect communication with known malicious IPs such as 194.146.41.102. Finally, encourage reporting of suspicious emails or attachments and conduct phishing simulation exercises to reinforce user vigilance.
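The audit and monitoring steps above can be automated. The following is an added example (not part of the AlienVault pulse or the Cofense report) that sweeps a Chrome profile's extension settings for installs that did not come from the Chrome Web Store or are not on an approved list, checks files against the hashes listed in this advisory's Indicators of Compromise, and flags proxy log lines that mention the listed IP. The Preferences JSON layout, the numeric `location` codes and the Web Store `update_url` value are assumptions about Chrome's profile format (based on Chrome's Manifest::Location enum) and should be verified against the deployed browser version; the sample preferences, allowlist and log lines are constructed.

```python
import hashlib
import json
import re
from typing import Iterable

# Hashes from the advisory's IoC section (MD5, SHA-1 and SHA-256 mixed); one set so a file
# is matched whichever digest the feed listed.
IOC_HASHES = {
    "88c440ebc36aa51b1c598d4ed5c67dac",
    "aa5a66f28b015503b26e63c0c9922f74",
    "ce9e91bd98c87974e9f458127eb80564",
    "3424c33bd899e47eb104ae00cdb7b0c77a403e6b",
    "76b3282eda2b4bc04a0f3248e6bcdb185d747687",
    "dbb290d740b5c203cadb5a62f4a2fbfd8e7115df",
    "1627aab619d90d9bcf99a56b2dec9773b5cdef228778407896d95c36fcadcfec",
    "25bddf64acd086d0c1cfb1fceb60df60a377f9aa7492df77f2937be41298ac79",
    "5fd98f27d03587115f0c2a3e16500416139783895fc2f0d21af6cfd9c042e520",
}
IOC_IPS = {"194.146.41.102"}

# Assumption: Chrome keeps per-extension install metadata in the profile's "Preferences" /
# "Secure Preferences" JSON under extensions.settings.<id>, and the numeric "location" field
# follows Chrome's Manifest::Location enum (1 = internal, a normal Web Store install;
# 4 = unpacked, i.e. "Load unpacked" in developer mode; 5 and 10 = components shipped with
# the browser). Verify these codes against your Chrome version before relying on them.
LOCATION_NAMES = {1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked",
                  5: "component", 6: "external_pref_download", 7: "external_policy_download",
                  8: "command_line", 9: "external_policy", 10: "external_component"}
BUILTIN_LOCATIONS = {5, 10}
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def load_prefs(path: str) -> dict:
    """Read a Chrome Preferences / Secure Preferences file (plain JSON)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def audit_extensions(prefs: dict, allowlist: set) -> list:
    """Flag extensions not on the approved list or not installed from the Web Store."""
    findings = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        loc = ext.get("location")
        if loc in BUILTIN_LOCATIONS:
            continue  # browser components are not user installs; skip to reduce noise
        manifest = ext.get("manifest", {})
        from_store = ext.get("from_webstore", False) or manifest.get("update_url") == WEBSTORE_UPDATE_URL
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on approved list")
        if not from_store:
            reasons.append("not from Web Store (location=%s)" % LOCATION_NAMES.get(loc, loc))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "path": ext.get("path"), "reasons": reasons})
    return findings


def match_hashes(files: Iterable, iocs=IOC_HASHES) -> list:
    """files: (name, bytes) pairs, e.g. every file under a flagged extension's install path.
    Returns (name, algorithm, digest) for each file whose digest is in the IoC set."""
    hits = []
    for name, data in files:
        for algo in ("md5", "sha1", "sha256"):
            digest = hashlib.new(algo, data).hexdigest()
            if digest in iocs:
                hits.append((name, algo, digest))
    return hits


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(lines: Iterable, iocs=IOC_IPS) -> list:
    """Return proxy/firewall log lines that mention an IoC address anywhere in the line."""
    return [line for line in lines if iocs & set(IP_RE.findall(line))]


# --- constructed sample data, not taken from the advisory ---
SAMPLE_PREFS = {"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 1, "from_webstore": True,
        "manifest": {"name": "Approved Corp Extension", "update_url": WEBSTORE_UPDATE_URL}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 4, "from_webstore": False,
        "path": "C:\\Users\\user\\Downloads\\mac_spoofer", "manifest": {"name": "MAC Spoofer"}},
    "cccccccccccccccccccccccccccccccc": {"location": 5, "manifest": {"name": "Builtin component"}},
}}}
SAMPLE_ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}
SAMPLE_LOG = [
    "2025-10-21T16:05:42Z src=10.0.0.5 dst=142.250.74.78 dport=443 host=www.google.com",
    "2025-10-21T16:06:01Z src=10.0.0.5 dst=194.146.41.102 dport=443 bytes_out=1832",
]

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS, SAMPLE_ALLOWLIST):
        print("EXTENSION", finding)
    for hit in match_hashes([("background.js", b"constructed sample content")]):
        print("HASH", hit)
    for line in scan_log(SAMPLE_LOG):
        print("NETWORK", line)
```

In practice, call `audit_extensions(load_prefs(path), allowlist)` against each user profile collected by your endpoint tooling, then feed the files under every flagged extension's `path` to `match_hashes`; a Web Store match on `from_webstore` alone is not proof of legitimacy, so the allowlist check is kept separate from the origin check.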


Technical Details

Author: AlienVault
TLP: white
References: https://cofense.com/blog/privacy%E2%80%9D-and-prizes%E2%80%9D-rewards-from-a-malicious-browser-extension
Adversary: null
Pulse Id: 68f7af567bb994ba492c5941
Threat Score: null

Indicators of Compromise

Hash

MD5:
88c440ebc36aa51b1c598d4ed5c67dac
aa5a66f28b015503b26e63c0c9922f74
ce9e91bd98c87974e9f458127eb80564

SHA-1:
3424c33bd899e47eb104ae00cdb7b0c77a403e6b
76b3282eda2b4bc04a0f3248e6bcdb185d747687
dbb290d740b5c203cadb5a62f4a2fbfd8e7115df

SHA-256:
1627aab619d90d9bcf99a56b2dec9773b5cdef228778407896d95c36fcadcfec
25bddf64acd086d0c1cfb1fceb60df60a377f9aa7492df77f2937be41298ac79
5fd98f27d03587115f0c2a3e16500416139783895fc2f0d21af6cfd9c042e520

IP

194.146.41.102

Threat ID: 68f7b2cca08cdec950742a1a

Added to database: 10/21/2025, 4:20:28 PM

Last enriched: 10/21/2025, 4:22:23 PM

Last updated: 10/23/2025, 7:39:26 AM

Views: 13
