{
	"id": "4e83b4b1-e630-47f8-b881-73e411ccc326",
	"created_at": "2026-04-06T00:06:42.326147Z",
	"updated_at": "2026-04-10T03:36:19.149134Z",
	"deleted_at": null,
	"sha1_hash": "5d1682633db061c840b597ea17b4fd2976494ca0",
	"title": "GreedyBear: 650 Attack Tools, One Coordinated Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4476080,
	"plain_text": "GreedyBear: 650 Attack Tools, One Coordinated Campaign\r\nBy Tuval Admoni\r\nArchived: 2026-04-05 15:36:14 UTC\r\nWhat happens when cybercriminals stop thinking small and start thinking like a Fortune 500 company? You get\r\nGreedyBear, the attack group that just redefined industrial-scale crypto theft.\r\n150 weaponized Firefox extensions. Nearly 500 malicious executables. Dozens of phishing websites. One\r\ncoordinated attack infrastructure. According to user reports, over $1 million stolen.\r\nWhile most groups pick a lane - maybe they do browser extensions, or they focus on ransomware, or they run\r\nscam phishing sites - GreedyBear said “why not all three?” And it worked. Spectacularly.\r\nMethod 1: Malicious Firefox Extensions (150+)\r\nThe group has published over 150 malicious extensions to the Firefox marketplace, each designed to\r\nimpersonate popular cryptocurrency wallets such as MetaMask, TronLink, Exodus, and Rabby Wallet.\r\nhttps://www.koi.ai/blog/greedybear-650-attack-tools-one-coordinated-campaign\r\nPage 1 of 8\n\nExodus Wallet risk report from Koidex risk engine\r\nThe threat actor operates using a technique we call Extension Hollowing to bypass marketplace security and user\r\ntrust mechanisms. 
Rather than trying to sneak malicious extensions past initial reviews, they build legitimate-seeming extension portfolios first, then weaponize them later when nobody’s watching.\r\nHere’s how the process works:\r\nPublisher Creation: They create a new publisher account in the marketplace\r\nGeneric Upload: They upload 5–7 innocuous-looking extensions like link sanitizers, YouTube\r\ndownloaders, and other common utilities with no actual functionality\r\nTrust Building: They post dozens of fake positive reviews for these generic extensions to build credibility\r\nWeaponization: After establishing trust, they “hollow out” the extensions — changing names, icons, and\r\ninjecting malicious code while keeping the positive review history\r\nThis approach allows GreedyBear to bypass marketplace security by appearing legitimate during the initial review\r\nprocess, then weaponizing established extensions that already have user trust and positive ratings.\r\n\n\nGeneric extensions uploaded by the attacker before weaponization\r\nThe weaponized extensions capture wallet credentials directly from user input fields within the extension’s own\r\npopup interface and exfiltrate them to a remote server controlled by the group. 
During initialization, they also\r\ntransmit the victim’s external IP address, likely for tracking or targeting purposes.\r\nSnippet from the malicious code\r\nThis campaign originates from the same threat group behind our earlier Foxy Wallet campaign — which exposed\r\n40 malicious extensions — but the scale has now more than doubled, confirming that what began as a focused\r\neffort has evolved into a full-scale operation.\r\nReport from one of the victims of GreedyBear\r\n\n\nMethod 2: Malicious EXEs (Nearly 500 Samples)\r\nNearly 500 malicious Windows executables linked to the same infrastructure have been identified via\r\nVirusTotal. These .exe samples span multiple malware families, including:\r\nCredential stealers such as LummaStealer, which aligns with the group’s wallet-focused objectives.\r\nRansomware variants, some resembling families like Luca Stealer, designed to encrypt files and demand\r\ncrypto payments.\r\nA range of generic trojans, suggesting possible loader functionality or modular delivery.\r\nMost of the malicious executables are distributed through various Russian websites that distribute cracked, pirated\r\nor “repacked” software.\r\nDownload page for one of the trojans on rsload.net\r\nThis variety indicates the group is not deploying a single toolset, but rather operating a broad malware\r\ndistribution pipeline, capable of shifting tactics as needed.\r\nThe reuse of infrastructure across these binaries and the browser extensions points to a centralized backend,\r\nreinforcing that all components are part of a coordinated campaign run by the same threat group.\r\nMethod 3: Scam Sites Masquerading as Crypto Products \u0026 Services\r\nAlongside malware and extensions, the threat group has also launched a network of scam websites posing as\r\ncrypto-related products and services. 
These aren’t typical phishing pages mimicking login portals — instead,\r\nthey appear as slick, fake product landing pages advertising digital wallets, hardware devices, or wallet repair\r\nservices.\r\nExamples include:\r\n\n\nJupiter-branded hardware wallets with fabricated UI mockups\r\njup.co.com.trezor-wallet.io, jupiterwallet.co.com.trezor-wallet.io\r\nWallet-repair services claiming to fix Trezor devices\r\nsecure-wallets.co.com\r\nWhile these sites vary in design, their purpose appears to be the same: to deceive users into entering personal\r\ninformation, wallet credentials, or payment details — possibly resulting in credential theft, credit card fraud,\r\nor both.\r\n\n\nSome of these domains are active and fully functional, while others may be staged for future activation or\r\ntargeted scams.\r\nOne Server to Control Them All\r\nA striking aspect of the campaign is its infrastructure consolidation:\r\nAlmost all domains — across extensions, EXE payloads, and phishing sites — resolve to a single IP address:\r\n185.208.156.66\r\nConnection graph for 185.208.156.66\r\nThis server acts as a central hub for command-and-control (C2), credential collection, ransomware\r\ncoordination, and scam websites, allowing the attackers to streamline operations across multiple channels.\r\nFrom “Foxy Wallet” to a Global Threat\r\nThe campaign’s roots can be traced back to our Foxy Wallet report, which initially exposed 40 malicious Firefox\r\nextensions. At the time, it seemed like a small cluster of fraudulent add-ons. 
But with this new investigation, it’s\r\nnow clear: Foxy Wallet was just the beginning.\r\n\n\nThe campaign has since evolved; the difference now is scale and scope: it has become a multi-platform\r\ncredential and asset theft campaign, backed by hundreds of malware samples and scam infrastructure.\r\nSigns of Expansion Beyond Firefox\r\nA few months ago, our team uncovered a malicious Chrome extension named “Filecoin Wallet” that used the\r\nsame credential-theft logic seen in the current Firefox campaign. At the time, it appeared isolated — but we can\r\nnow confirm it communicated with a domain hosted on the same server: 185.208.156.66.\r\nThis connection strongly suggests that the threat group is not Firefox-exclusive, and is likely testing or\r\npreparing parallel operations in other marketplaces.\r\nIt’s only a matter of time before we see this campaign expand to Chrome, Edge, and other browser ecosystems.\r\nScaling Cybercrime with AI\r\nOver the years, we’ve tracked countless cybercrime campaigns - but what we’re seeing now is different. With the\r\nrise of modern AI tooling, the volume, speed, and complexity of attacks like GreedyBear are growing at an\r\nunprecedented pace.\r\nOur analysis of the campaign’s code shows clear signs of AI-generated artifacts. This makes it faster and easier\r\nthan ever for attackers to scale operations, diversify payloads, and evade detection.\r\nThis isn’t a passing trend — it’s the new normal. As attackers arm themselves with increasingly capable AI,\r\ndefenders must respond with equally advanced security tools and intelligence. 
The arms race has already begun,\r\nand legacy solutions won’t cut it.\r\nWe want to thank Lotem Khahana from StarkWare for helping with the investigation.\r\nThis writeup was authored by the research team at Koi Security, with a healthy dose of paranoia and hope for a\r\nsafer open-source ecosystem.\r\nAmazingly, we initially uncovered all of this just a couple of days after MITRE introduced its newest category,\r\nIDE Extensions, further emphasizing the importance of securing this space.\r\nFor too long, the use of untrusted third-party code, often running with the highest privileges, has flown under the\r\nradar for both enterprises and attackers. That era is ending. The tide is shifting.\r\nWe’ve built Koi to meet this moment, for practitioners and enterprises alike. Our platform helps discover, assess,\r\nand govern everything your teams pull from marketplaces like the Chrome Web Store, VSCode, Hugging Face,\r\nHomebrew, GitHub, and beyond.\r\nTrusted by Fortune 50 organizations, BFSIs and some of the largest tech companies in the world, Koi automates\r\nthe security processes needed to gain visibility, establish governance, and proactively reduce risk across this\r\nsprawling attack surface.\r\nIf you’re curious about our solution or ready to take action, book a demo or hit us up here 🤙\r\n\n\nWe’ve got some more surprises up our sleeve to come soon, stay tuned.\r\nIOCs\r\n185.208.156.66\r\n185.39.206.135\r\nDomains:\r\nFirefox Extension IDs:\r\nChrome extension IDs:\r\nplbdecidfccdnfalpnbjdilfcmjichdk\r\nExecutables:\r\nSee full list here\r\nSource: https://www.koi.ai/blog/greedybear-650-attack-tools-one-coordinated-campaign",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.koi.ai/blog/greedybear-650-attack-tools-one-coordinated-campaign"
	],
	"report_names": [
		"greedybear-650-attack-tools-one-coordinated-campaign"
	],
	"threat_actors": [
		{
			"id": "374d0e90-1704-4e53-9c6c-7ea4823fc33a",
			"created_at": "2026-02-03T02:00:03.442287Z",
			"updated_at": "2026-04-10T02:00:03.941488Z",
			"deleted_at": null,
			"main_name": "GreedyBear",
			"aliases": [],
			"source_name": "MISPGALAXY:GreedyBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434002,
	"ts_updated_at": 1775792179,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5d1682633db061c840b597ea17b4fd2976494ca0.pdf",
		"text": "https://archive.orkl.eu/5d1682633db061c840b597ea17b4fd2976494ca0.txt",
		"img": "https://archive.orkl.eu/5d1682633db061c840b597ea17b4fd2976494ca0.jpg"
	}
}