{
	"id": "b0ab4d4d-19c4-4428-bd36-716d454c42f1",
	"created_at": "2026-04-06T00:13:42.288224Z",
	"updated_at": "2026-04-10T13:12:55.54867Z",
	"deleted_at": null,
	"sha1_hash": "692d0f2f5daf57087b717a6c3eb7261237b6bf90",
	"title": "ParaSiteSnatcher How Malicious Chrome Extensions Target Brazil",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3961615,
	"plain_text": "ParaSiteSnatcher How Malicious Chrome Extensions Target Brazil\r\nBy By: Aliakbar Zahravi, Peter Girnus Nov 23, 2023 Read time: 12 min (3275 words)\r\nPublished: 2023-11-23 · Archived: 2026-04-05 15:41:00 UTC\r\nCyber Threats\r\nWe detail the modular framework of malicious Chrome extensions that consist of various highly obfuscated\r\ncomponents that leverage Google Chrome API to monitor, intercept, and exfiltrate victim data.\r\nOur investigations on potential security threats uncovered a malicious Google Chrome extension that we named\r\n“ParaSiteSnatcher.” The ParaSiteSnatcher framework allows threat actors to monitor, manipulate, and exfiltrate\r\nhighly sensitive information from multiple sources. ParaSiteSnatcher also utilizes the powerful Chrome Browser\r\nAPI to intercept and exfiltrate all POST requests containing sensitive account and financial information before the\r\nHTTP request initiates a transmission control protocol (TCP) connection.\r\nOur research shows that the malicious extension is specifically designed to target users in Latin America,\r\nparticularly Brazil; it exfiltrates data from Banco do Brasil- and Caixa Econômica Federal (Caixa)-related URLs.\r\nIt can also initiate and manipulate transactions in PIX, a Brazilian instant payment ecosystem, and payments made\r\nthrough Boleto Bancario, another payment method regulated by the Bank of Brazil. We also observed that it can\r\nexfiltrate Brazilian Tax ID numbers for both individuals and businesses, as well as cookies, including those used\r\nfor Microsoft accounts.  \r\nOnce installed, the extension manifests with the help of extensive permissions enabled through the Chrome\r\nextension, allowing it to manipulate web sessions, web requests, and track user interactions across multiple tabs\r\nusing the Chrome tabs API. 
The malware includes various components that facilitate its operation: content scripts\r\nthat enable malicious code injection into web pages, monitor Chrome tabs, and intercept user input and web\r\nbrowser communication.\r\nIt is worth noting that while ParaSiteSnatcher specifically targets Google Chrome browsers, the malicious\r\nextension will also work on browsers that support the Chrome extension API and runtime, such as Chromium-based\r\nbrowsers like newer versions of Microsoft Edge, Brave, and Opera. These extensions could potentially be\r\ncompatible with Firefox and Safari as well, but changes such as the browser namespace are necessary.\r\nThe ParaSiteSnatcher downloader\r\nParaSiteSnatcher is downloaded through a VBScript downloader hosted on Dropbox and Google Cloud and\r\ninstalled onto an infected system.\r\nOur analysis has identified three distinct variants of the VBScript downloader, which are characterized by\r\ndiffering levels of obfuscation and complexity:\r\n \r\nhttps://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html\r\nPage 1 of 22\n\nVariant 1. This variant presents a straightforward approach where the payload is not obfuscated, making it\r\nrelatively easier to analyze and understand.\r\n \r\nVariant 2. In this iteration, critical strings within the payload are obfuscated using a Reverse String\r\ntechnique. This adds a layer of complexity to the code, requiring a reverse operation to decipher the\r\noriginal content.\r\n \r\nVariant 3. This variant incorporates additional obfuscation techniques. It includes junk code that serves to\r\nconfuse the analysis process, anti-debug and anti-tamper protections, alongside the use of randomly\r\ngenerated names for variables and functions to prevent easy pattern detection. 
It also utilizes Reverse\r\nString obfuscation to further conceal the payload, presenting a more challenging structure for analysts to\r\ndecipher.\r\nUpon execution, the downloader performs an initial check for the presence of the\r\n%ProgramFiles%\\Google\\Chrome\\Application\\chrome.exe file and the %APPDATA%\\%USERNAME% folder. If\r\neither is not present, the script terminates its process.\r\nFigure 1. Verifying Chrome installation and AppData path presence\r\nThe malware establishes communication with the attacker’s C\u0026C by constructing and sending a GET request to\r\nhxxps[:]//storage.googleapis[.]com/98jk3m5azb/-. The response from the server is an obfuscated list of URLs.\r\nThe malware then de-obfuscates this list with a series of string manipulations performed on the C\u0026C response that\r\nreverse the string back to its original order. It then replaces specific characters with their correct counterparts to\r\nreconstruct the URLs:\r\n \r\n\"[h]\" is replaced with \"https://\", specifying the protocol part of the URL.\r\n \r\n\"-\" is replaced with \".\", reconstructing the domain names.\r\n \r\n\"_\" is substituted with \"/\", fixing the path structure.\r\n \r\n\"\u003e\" is replaced with \":\", correcting port specifications.\r\nFigure 2. De-obfuscating URLs from the C\u0026C response\r\nOnce the actual URLs are retrieved, they are used to download additional malicious modules masquerading as\r\nGoogle Chrome extensions.\r\nFigure 3. The list of obfuscated URLs from the threat actor’s C\u0026C response\r\nThe first URL from the above list (hxxps[:]//rezumdolly[.]com:8443/api/alert) is used to register an infected system\r\nand notify the attacker. 
The malware first utilizes the Windows Management Instrumentation (WMI) service to\r\nperform a query against the Win32_OperatingSystem class, which retrieves details about the operating system that\r\nare subsequently sent to the attacker’s C\u0026C server.\r\nFigure 4. ParaSiteSnatcher gathers the victim’s system information upon arrival\r\nIt then constructs a JSON-formatted string that encapsulates several pieces of system information as follows:\r\ncomp. The computer's name, which can be used to uniquely identify the system on a network.\r\n \r\nuser. The registered user's name, providing insights into who uses or owns the system.\r\n \r\nversion. The operating system version, indicating the specific build and potential vulnerabilities.\r\n \r\narch. The architecture of the operating system (e.g., 32-bit or 64-bit), which is useful for tailoring further\r\nattacks to the system's specifications.\r\n \r\ncaption. A descriptive label for the operating system, often including the edition (e.g., Windows 10 Pro).\r\nFigure 5. Registering an infected system with the attacker's command and control server\r\nThe malware uses the down() function to download and save ParaSiteSnatcher malicious extension modules in an\r\ninfected system’s %APPDATA%\\%USERNAME% directory.\r\nFigure 6. The ParaSiteSnatcher download function\r\nThe malware then attempts to locate and delete Chrome shortcuts by searching for any shortcuts that contain\r\n\"chrome.lnk\" in the Desktop, Public Desktop, and Quick Launch folders.\r\nFigure 7. 
ParaSiteSnatcher removing Chrome shortcuts from the victim’s Desktop and Quick\r\nLaunch folders with VBScript\r\nTo achieve persistence on the victim’s system and load the malicious extension on every browser launch, the malware\r\ncreates a Google Chrome shortcut on the desktop, which is configured to launch the browser with custom startup\r\nparameters. These parameters include the specification of a default user profile directory and the loading of a\r\nmalicious browser extension housed within the user's application data folder. This process is engineered to ensure\r\nthat the malicious extension is loaded each time Chrome is started via the created shortcut.\r\nFigure 8. The malware’s persistence\r\nExtension and C\u0026C communication\r\nFigure 9. A diagram showing how the different components of the ParaSiteSnatcher Chrome\r\nextension communicate.\r\nThe communication mechanism employed by ParaSiteSnatcher Chrome extensions relies heavily on the\r\nChrome sendMessage API to communicate with various extension components when specific conditions are met.\r\nWhen messages are received, the malicious Chrome extension executes internal functions on these events: some\r\ncomponents pass the targeted and processed data directly to the attacker C\u0026C, while most of\r\nthe other components contain logic that can receive and update commands directly from the threat actor.\r\nThe extension’s service worker, which we discuss in more detail later in this blog, leverages the chrome.windows and\r\nchrome.tabs API for navigating and focusing the document object model (DOM) that other ParaSiteSnatcher\r\ncomponents rely on.\r\nAnalyzing ParaSiteSnatcher Chrome extension files\r\nIn this section we explore the various files that comprise the ParaSiteSnatcher Framework's malicious Chrome\r\nextension. 
\r\nFigure 10. Properties of the malicious Chrome extension we investigated\r\nEvery Google Chrome extension includes a manifest.json file in its root directory. This manifest file\r\ncontains essential information, such as the extension’s name, version, permissions, and any scripts associated with\r\nthe Chrome extension. The extension uses a service worker (yyva.js) as part of its background processes for\r\nhandling tasks, orchestrating modules, and synchronizing data in the background.\r\nFigure 11. The manifest.json file in the ParaSiteSnatcher’s root directory\r\nThe manifest.json file contains the following:\r\nBasic metadata. This includes the name, description, version, and author key of the browser extension.\r\nService workers. These are JavaScript files that act as the extension's primary event handler. These events\r\ninclude more than just servicing web requests and can respond to events like navigating to a new page,\r\nclicking notifications, and opening or closing tabs. Note that Chrome makes the critical distinction between\r\na web service worker and an extension service worker to highlight that the extension service worker is more\r\nthan just a web request proxy service. The service worker specified in the background key is the extension\r\nservice worker.\r\nContent scripts. These allow developers to statically load JavaScript files when webpages are opened\r\nthat match a specific URL pattern.\r\nPermissions. These determine which capabilities are exposed to their respective extension. 
\r\nIn the sample of the ParaSiteSnatcher extension we investigated, we saw some critical content_scripts keys that\r\ndetermine what scripts are injected, where they are injected, and how they behave:\r\nmatches. This key specifies the pattern to be used for matching. The \u003call_urls\u003e value matches any\r\nURL that starts with a permitted scheme, such as http, https, and file.\r\nrun_at. This key specifies when the script should be injected into the page; the document_end value\r\ninjects the script while the page resources are still loading.\r\nall_frames. This is a Boolean value. When set to true, the extension will inject scripts into all \u003ciframe\u003e\r\nelements even if the frame is not the topmost in the tab.\r\npersistent. When the persistent Boolean value is true, the extension developer can access\r\nthe chrome.webRequest API to block or modify network requests. This is the only use case for setting\r\nthe persistent boolean to true; by default, this value is set to false for performance reasons.\r\nAdditionally, the malicious extension contained host_permissions among the permissions in its manifest file. The\r\nhost_permissions key grants extra permissions for the extension’s API to read and modify host data, such as\r\naccessing the cookies API, receiving events using the webRequest API, programmatically injecting scripts,\r\nbypassing tracking protections, and reading tab-specific metadata. It also gives XMLHttpRequest and fetch\r\naccess to origins without cross-origin restrictions.\r\nIf an extension uses the host_permissions key, the user could be prompted to grant these permissions to the\r\nextension. As of June 2023, Safari, Firefox, and some Chromium-based browsers don't prompt the user during\r\ninstallation. 
In this malicious sample, the host_permissions allow the extension to read and modify all URLs using\r\nthe \u003call_urls\u003e value.\r\nParaSiteSnatcher also contains the permissions JSON key, which contains specific WebExtension API keywords\r\nthat the extension requests to use. The malicious extension requests the following WebExtension JavaScript APIs:\r\nwebNavigation. This API adds event listeners for various stages of navigation, such as in response to a\r\nuser action like clicking a link or entering a URL in the location bar.\r\nnotifications. This API allows extensions to create and display notifications to users in the system tray.\r\ndeclarativeNetRequest. This API allows extensions to specify conditions and actions for handling network\r\nrequests, allowing extensions to block and upgrade network requests without explicit host permissions.\r\ndeclarativeNetRequestFeedback. This API allows extensions to access functions and events that return\r\ninformation on declarative rules, such as those through the declarativeNetRequest API.\r\nscripting. The scripting API allows the insertion of JavaScript into websites, such as through the\r\nscripting.executeScript() and scripting.registerContentScripts() methods.\r\nwebRequest. The webRequest API grants access to add event listeners to HTTP and WebSocket requests.\r\nThese event listeners can receive detailed information about such requests, including the ability to modify\r\nand cancel these requests.\r\nstorage. The storage API allows extensions to store and retrieve data and listen for changes in stored data.\r\ntabs. The tabs API allows extensions to interact with the Chrome browser’s tab system, including creating,\r\nmodifying, and rearranging browser tabs. This powerful API also includes taking screenshots and\r\ncommunicating with a tab’s content scripts.\r\nactiveTab. This API permits access to the currently active tab when users execute browser and page\r\nactions.\r\ncookies. 
The cookies API allows the extension to query and modify cookies and be notified of cookie\r\nchanges.\r\nIt is important to note that many other API permissions exist; see the Chrome for Developers API Reference. From a\r\nsecurity perspective, it is essential to understand that web browser extensions can declare many permissions, and\r\nnot all extensions will request the user to grant explicit access. This highlights the essential need to understand\r\nwhat any downloaded extension does and its declared permission levels.\r\nThis component is an extension service worker, the central event handler for Google Chrome\r\nextensions that handles web events and messages from other extension components. The extension service worker\r\ncan respond to standard service worker events in addition to extension events, such as navigating to a new page,\r\nclicking a notification, or closing a tab. This service worker is declared with the service_worker key.\r\nIn our research, all extension components are highly obfuscated, but after deobfuscating each component and\r\ncleaning up the code, we uncovered the following important extension service worker features working with the\r\nChrome API:\r\nEvent listening and handling. The yavvy.js service worker is tasked with listening for events using the\r\nchrome.runtime.onMessage.addListener API. Within Chrome extensions, various components can leverage\r\nthe Chrome API to message each other using the sendMessage API. The service worker is specifically\r\ntasked with listening for navigation, focus, and getcookies messages.\r\n \r\nListening and intercepting POST requests. 
The yavvy.js service worker uses\r\nchrome.webRequest.onBeforeRequest.addListener to create a callback function to listen for web request\r\nevents containing a POST request, as well as gather tab information using the chrome.tabs.get API, which\r\nit uses for analysis.\r\nFigure 12. ParaSiteSnatcher uses chrome.runtime.onMessage.addListener to listen for specific\r\nevents.\r\nDespite its extensive listening, it is worth noting that ParaSiteSnatcher excludes local network addresses and the C\u0026C\r\ndomain from its monitoring.\r\nFigure 13. ParaSiteSnatcher excludes local network addresses and the C\u0026C domain from its\r\nmonitoring.\r\nIt also intercepts and monitors user activity, and handles the following messages received from other modules:\r\nmessageDetails.type == 'focus'\r\n \r\nmessageDetails.type == 'navigate'\r\n \r\nmessageDetails.type == 'getcookie'\r\nThe functions that handle the navigate and focus events use the chrome.windows and chrome.tabs API for\r\nnavigating and focusing the document object model (DOM). Other components of this malicious Chrome\r\nextension leverage these messages extensively.\r\nThis file, sovvy.js, is injected as a Chrome extension dependency and is a content script used primarily for Asynchronous\r\nJavaScript and XML (AJAX) communication with the attacker C\u0026C to exfiltrate sensitive data from infected\r\nusers.\r\nThis primary content script in the malicious Chrome extension periodically monitors specific forms and elements\r\non a webpage and sets up event listeners on certain buttons every two seconds. 
It leverages the Chrome runtime\r\nAPI using the chrome.runtime.onMessage.addListener API method to listen for the custom messages passed\r\nbetween various extension events with the types “lixo,” “cookie,” and “timer.” When events with these message\r\ntypes are initiated, they in turn trigger ParaSiteSnatcher to run these specific functions:\r\nIntercepting POST requests. The lixo message is a catch-all event and does not look for specific URL\r\npatterns. Instead, it tracks all POST requests, in which the attackers search for sensitive information such as\r\nusernames, passwords, emails, and credit card information.\r\nFigure 14. ParaSiteSnatcher tracks all POST requests\r\nStealing cookies and user sessions. The cookie message sends a POST request to the attacker C\u0026C for\r\ncookie and session theft.\r\nFigure 15. ParaSiteSnatcher also gathers data related to cookies.\r\nStealing Microsoft cookies. When cookies matching Microsoft live.com exist, the sovvy.js file sends a\r\nmessage using the chrome.runtime.sendMessage API to send this data to the service worker, which\r\nprocesses this data to filter and extract the found Microsoft account cookies. These can be leveraged for\r\naccount theft and pass-the-cookie attacks as well as pivoting to the cloud.\r\nFigure 16. ParaSiteSnatcher uses the chrome.runtime.sendMessage API to get a victim’s user\r\ninformation related to Microsoft accounts.\r\nStealing banking details. Our investigation of ParaSiteSnatcher revealed that the malicious extension\r\nconducts multiple URL checks related to Brazilian online banking companies, including Banco do Brasil\r\nand Caixa Econômica Federal. 
When the victim interacts with URLs related to these financial institutions,\r\nthe malicious Chrome extension begins processing the data, looking for items such as usernames,\r\npasswords, and credit card numbers, and sending the data with a POST request to the attacker’s C\u0026C.\r\nFigure 17. ParaSiteSnatcher looks out for communication with banking sites and gets password\r\nentries by victims\r\nFetching commands from the attacker’s C\u0026C. The sovvy.js script also gives the malicious\r\nChrome extension the ability to retrieve commands from the attacker C\u0026C server with a standard HTTP GET request.\r\nFigure 18. sovvy.js contains a script that retrieves commands from the threat actor’s C\u0026C server.\r\nThe 33nhuah.js file contains business logic to monitor bank account details and perform PIX instant payment\r\nactions. PIX is an instant payment platform created and regulated by the Banco Central do Brasil (Central Bank of\r\nBrazil).\r\nSome key features of this content script include HTML templates for password input forms, definitions for enum\r\ntype data representing command types, account information, PIX key types, and parameters for PIX transactions.\r\nThis content script also contains functions to monitor bank account balances and perform PIX transactions.\r\nAdditionally, there are functions that manipulate the user interface, such as setting and resetting forms, clicking on\r\nmenu items, and hiding or loading process indicators. 
\r\nThis content script uses the standard HTML DOM selector to find specific elements containing sensitive PIX\r\ndata, such as receiving PIX institution names, and user account information such as:\r\nCPF/CNPJ (Brazilian Individual \u0026 Business Taxpayer Registration) details\r\n \r\nEmail addresses\r\n \r\nCellphone numbers\r\n \r\nPIX keys\r\nFigure 19. ParaSiteSnatcher monitors activity related to PIX transactions, gathers victim data from\r\nthese transactions, and performs actions such as navigating the PIX menu and selecting buttons\r\nwithin its interface.\r\nThe content script unpgp2.js is designed to navigate, focus, and interact with the internet banking interface of\r\nCaixa Econômica Federal. This content script performs various actions such as navigating pages,\r\nfetching account details, focusing on elements, executing financial transactions, and initiating PIX transactions.\r\nFigure 20. ParaSiteSnatcher specifically looks for activity with URLs related to Caixa Econômica\r\nFederal.\r\nThis content script primarily contains logic that is used to periodically monitor window and tab content,\r\nspecifically content that contains or is related to the following:\r\nBoleto Bancário\r\n \r\nThe CPF (Cadastro de Pessoas Físicas or Natural Persons Register) numbers of both the payer and receiver\r\nin transactions\r\n \r\nThe CNPJ (Cadastro Nacional da Pessoa Jurídica or Taxpayer Identification) number of both the payer and\r\nreceiver in transactions\r\n \r\nBank payment slips\r\nThe logic contained in this content script is called at specific intervals to monitor the DOM and user input\r\nthrough the sovvy.js content script. 
The s12ih0a.js content script will also POST elements such as telephone\r\nnumbers and email addresses to the attacker C\u0026C.\r\nFigure 21. The ParaSiteSnatcher data exfiltration to its C\u0026C server\r\nIn the following table, we summarize the functions of each ParaSiteSnatcher extension component:\r\nModule Name Functions\r\nyyva.js \r\nasync function timerMonitor()\r\nfunction getCookies()\r\nasync function navigate()\r\nasync function setFocusTab()\r\nfunction addLog()\r\nasync function analyzeRequest()\r\nsovvy.js \r\nfunction setCommandRetorno()\r\nfunction updateCmd()\r\nfunction timerMonitor()\r\nfunction postSession()\r\nfunction postLixo()\r\nfunction getCmd()\r\nfunction updateCmd()\r\nfunction updateStatusOn()\r\nfunction getVersion()\r\nfunction getUser()\r\nfunction getElement()\r\nfunction addlog()\r\nfunction trim()\r\nfunction toLowerCase()\r\nfunction extractDigits()\r\nfunction getForm()\r\nfunction preparePostData()\r\nfunction buildInputMap()\r\nfunction checkElementClick()\r\nfunction checkInputPost()\r\nfunction ValidateEmail()\r\nfunction GenerateToken()\r\nfunction SetToken()\r\nfunction updateUserId()\r\n33nhauh.js \r\nfunction monitorBB()\r\nfunction resetCommand_BB()\r\nfunction getSaldo_BB()\r\nfunction clickMenuSaldo()\r\nfunction focoTab_BB()\r\nfunction hideProcesso()\r\nfunction action_pix_BB()\r\nfunction checkComprovante()\r\nfunction setSConta()\r\nfunction setValor()\r\nfunction setChave()\r\nfunction clickMenuPix()\r\nfunction clickMenu()\r\nfunction setAccountPasswordForm()\r\nfunction getAgencyAndAccountNumber()\r\nfunction resetAccountPasswordForm()\r\ns12ih0a.js \r\nfunction monitor2Via()\r\nfunction setEventDesco()\r\nfunction 
setEventBB()\r\nfunction click_isPagina()\r\nfunction setMessageDesco()\r\nfunction setMessageBB()\r\nfunction setHtmlBB()\r\nfunction setHtmlDesco()\r\nfunction getDadosSegundaVia()\r\nfunction post2Via()\r\nfunction checkDebugging()\r\nfunction innerFunction()\r\nunpgp2.js \r\nfunction monitorAzul()\r\nfunction get_azul_ass()\r\nfunction get_azul_Saldo()\r\nfunction focoTab_Azul()\r\nfunction resetCommand_Azul()\r\nfunction get_azul_agcc()\r\nfunction azul_pedidos_automaticos()\r\nConclusion\r\nThe use of malicious Google Chrome extensions that leverage the powerful Chrome API in ways specifically\r\ndesigned to intercept, exfiltrate, and potentially modify sensitive user data underscores the importance of being\r\nvigilant when granting permissions to extensions and when using web browsers. ParaSiteSnatcher’s multifaceted\r\napproach to obfuscating its arrival on victims’ systems also ensures persistence and stealth, making detection and\r\nremoval efforts challenging, so users should be doubly watchful of the specific extensions they download and\r\ninstall onto their browsers.\r\nDespite our investigations showing that ParaSiteSnatcher specifically targets Google Chrome browsers, users who\r\nutilize other browsers that are Chromium-based and that support various APIs used by Chrome extensions should\r\nbe equally wary.\r\nIndicators of Compromise (IoCs)\r\nYou can find the full list of ParaSiteSnatcher IoCs here.\r\nSource: https://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/23/k/parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html"
	],
	"report_names": [
		"parasitesnatcher-how-malicious-chrome-extensions-target-brazil-.html"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434422,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/692d0f2f5daf57087b717a6c3eb7261237b6bf90.pdf",
		"text": "https://archive.orkl.eu/692d0f2f5daf57087b717a6c3eb7261237b6bf90.txt",
		"img": "https://archive.orkl.eu/692d0f2f5daf57087b717a6c3eb7261237b6bf90.jpg"
	}
}