{
	"id": "a3f8e506-1ae4-4a5e-8616-c35de6d7eec4",
	"created_at": "2026-04-06T00:08:48.94411Z",
	"updated_at": "2026-04-10T13:12:23.263367Z",
	"deleted_at": null,
	"sha1_hash": "814d59d765b5a92f67b9d87a41b69058a343d9f0",
	"title": "SharpTongue Deploys Clever Mail-Stealing Browser Extension \"SHARPEXT\"",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 808851,
	"plain_text": "SharpTongue Deploys Clever Mail-Stealing Browser Extension\r\n\"SHARPEXT\"\r\nBy mindgrub\r\nPublished: 2022-07-28 · Archived: 2026-04-05 19:33:41 UTC\r\nVolexity tracks a variety of threat actors to provide unique insights and actionable information to its Threat\r\nIntelligence customers. One frequently encountered—that often results in forensics investigations on\r\ncompromised systems—is tracked by Volexity as SharpTongue. This actor is believed to be North Korean in\r\norigin and is often publicly referred to under the name Kimsuky. The definition of which threat activity comprises\r\nKimsuky is a matter of debate amongst threat intelligence analysts. Some publications refer to North Korean\r\nthreat activity as Kimsuky that Volexity tracks under other group names and does not map back to SharpTongue.\r\nVolexity frequently observes SharpTongue targeting and victimizing individuals working for organizations in the\r\nUnited States, Europe and South Korea who work on topics involving North Korea, nuclear issues, weapons\r\nsystems, and other matters of strategic interest to North Korea.\r\nSharpTongue’s toolset is well documented in public sources; the most recent English-language post covering this\r\ntoolset was published by Huntress in 2021. The list of tools and techniques described in that post is consistent\r\nwith what Volexity has commonly seen for years. However, in September 2021, Volexity began observing an\r\ninteresting, undocumented malware family used by SharpTongue. 
Within the last year, Volexity has responded to\r\nmultiple incidents involving SharpTongue and, in most cases, has discovered a malicious Google Chrome or\r\nMicrosoft Edge extension Volexity calls “SHARPEXT”.\r\nhttps://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/\r\nPage 1 of 9\n\nSHARPEXT differs from previously documented extensions used by the “Kimsuky” actor, in that it does not try to\r\nsteal usernames and passwords. Rather, the malware directly inspects and exfiltrates data from a victim’s webmail\r\naccount as they browse it. Since its discovery, the extension has evolved and is currently at version 3.0, based on\r\nthe internal versioning system. It supports three web browsers and theft of mail from both Gmail and AOL\r\nwebmail.\r\nThis blog post describes how SHARPEXT works, how the extension is loaded into browsers, and how the\r\ndifferent components work together.\r\n(Note: The information in this post is available to Volexity Threat Intelligence customers in TIB-20210917 and\r\nTIB-20220616.)\r\nInstallation \u0026 Browser Preferences Modification\r\nSHARPEXT is a malicious browser extension deployed by SharpTongue following successful compromise of a\r\ntarget system. In the first versions of SHARPEXT investigated by Volexity, the malware only supported Google\r\nChrome. The latest version (3.0 based on the internal versioning) supports three browsers (Figure 1):\r\nChrome\r\nEdge\r\nWhale\r\nFigure 1. Supported process names in version 3.0 of SHARPEXT indicating supported browsers for extension\r\ndeployment\r\nThe first two browsers are commonly used around the world, but the third browser, “Whale”, is less well known.\r\nWhale is developed by Naver, a company located in South Korea; it is used almost exclusively by people from\r\nSouth Korea. 
All three browsers are based on the Chromium engine, so this additional support likely did not\r\nrequire substantial additional development by the attacker.\r\nPrior to deploying SHARPEXT, the attacker manually exfiltrates files required to install the extension (explained\r\nbelow) from the infected workstation. SHARPEXT is then manually installed by an attacker-written VBS script.\r\nThe workflow of the installation script is as follows:\r\n1. Download supporting files:\r\nThe malicious browser extension files\r\nBrowser configuration files\r\nAdditional scripts (pow.ps1 and dev.ps1) to ensure the extension is loaded\r\n2. Run the setup script (pow.ps1).\r\nThe full contents of the VBScript are shown in Figure 2.\r\nFigure 2. Deployment script used to download and install the malicious extension\r\nThe first executed script (pow.ps1) kills the current browser process and replaces the “Preferences” and “Secure\r\nPreferences” files with those retrieved from the command-and-control (C2) server. The Secure Preferences file\r\ncontains a known-good state of the user’s profile information. Upon startup of Chromium-based browsers, if the\r\nPreferences files do not match the loaded configuration, the current configuration will be replaced by the contents\r\nof the Secure Preferences file. The Chromium engine has a built-in mechanism that requires the Secure\r\nPreferences file to contain a valid “super_mac” value to prevent manual editing of this file. 
The process to create a\r\nvalid Secure Preferences file outside of the browser is not well documented, but the following resources provide\r\nan overview of the principles required:\r\nAn explanatory post by security company AdLice, explaining how malicious extensions are sometimes\r\ninstalled\r\nA 2020 paper published by students at Chalmers University in Sweden\r\nA Russian-language forum post containing a Perl script explaining how to generate a valid super_mac\r\nvalue\r\nIn summary, the following information must be gathered by the attacker to generate a file that will be accepted by\r\nChromium-based browsers:\r\nA copy of the resources.pak file from the browser (which contains the HMAC seed used by Chrome)\r\nThe user S-ID value\r\nThe original Preferences and Secure Preferences files from the user’s system\r\nThe attacker uses these files to create new Secure Preferences and Preferences files which will be accepted by the\r\nbrowser upon deployment (and retain the existing settings configured by the user, avoiding any confusion on the\r\nusers’ part). Figure 3 shows the new content added to Secure Preferences to load the extension and its parameters.\r\nFigure 3. New extension data added to the Secure Preferences file\r\nWith the modified preferences files in place, the browser will automatically load the malicious extension located\r\nin folder “%APPDATA%\\Roaming\\AF”. The extension mostly relies on the “DevTools” permission, which is\r\nset in the extension’s settings (see Figure 1).\r\nThe second PowerShell script (dev.ps1) is described in the next section.\r\nComponent #1: PowerShell Script to Enable DevTools\r\nThe second PowerShell script deployed by the installer, dev.ps1, is used to enable DevTools within the browser tab\r\naccessed by the user. 
The script runs in an infinite loop checking for processes associated with the targeted\r\nbrowsers. If any targeted browsers are found running, the script checks the title of the tab for a specific keyword\r\n(for example “05101190”, or “Tab+” depending on the SHARPEXT version). The specific keyword is inserted\r\ninto the title by the malicious extension when an active tab changes or when a page is loaded. Then, the script uses\r\na handle to the foreground window to send keystrokes, as shown in Figure 4.\r\nFigure 4. Keystrokes sent by dev.ps1 to Chromium-based browsers\r\nThe keystrokes sent are equivalent to Control+Shift+J, the shortcut to enable the DevTools panel. Lastly, the\r\nPowerShell script hides the newly opened DevTools window by using the ShowWindow() API and the SW_HIDE\r\nflag. At the end of this process, DevTools is enabled on the active tab, but the window is hidden.\r\nIn addition, this script is used to hide any windows that could alert the victim. Microsoft Edge, for example,\r\nperiodically displays a warning message to the user (Figure 5) if extensions are running in developer mode. The\r\nscript constantly checks if this window appears and hides it by using the ShowWindow() and the SW_HIDE flag.\r\nFigure 5. Warning message displayed by Microsoft Edge when SHARPEXT is loaded\r\nComponent #2: DevTools Module\r\nThe DevTools module is composed of two files: dev.html (automatically loading each time DevTools is enabled)\r\nand dev.js (loaded by dev.html). 
The purpose of the module is to send two types of messages to component #3\r\n(described in the next section):\r\n“inspect” message: the module sends the tab ID of the current tab; the purpose is to maintain an internal list\r\nof the monitored tabs.\r\n“packet” message: the module performs the checks shown in Figure 6; it sends any matching request\r\nand body to be parsed and exfiltrated.\r\nFigure 6. Filter to identify relevant requests\r\nComponent #3: Chromium Listeners\r\nThe main functionality of the SHARPEXT extension is located in a file named “bg.js” in the root directory. In\r\nearlier versions, the functionality was included directly in the extension. In newer versions, however, most of the\r\ncode is stored on the C2 server; it is downloaded and passed to an eval() statement at the point of execution. This\r\ntechnique of loading the functionality from the C2 at runtime has two main benefits to the attacker:\r\n1. It allows the attacker to dynamically update extension code without deploying new code to the infected\r\nmachine.\r\n2. There is not much obviously malicious code present in the extension itself. This means it is less likely to be\r\ndetected as malicious by antivirus scanning engines.\r\nThe internal mechanism of the extension can be divided into two parts:\r\n1. Add listeners when a tab is activated and when a web page is loaded.\r\n2. Add a listener on runtime messages.\r\nEach part is further described below.\r\nTabs listeners\r\nThe purpose of the tabs listeners is to change the window title of the active tab in order to add the keyword used\r\nby dev.ps1, the PowerShell script described previously. The code appends the keyword to the existing title\r\n(“05101190” or “Tab+”, depending on the version). 
The keyword is removed when DevTools is enabled on the\r\ntab.\r\nRuntime Messages Listener\r\nThe runtime messages listener is used to handle the message sent by the DevTools module described in the\r\nprevious section. The extension can receive two types of messages:\r\n“inspect”: the listener received the tab ID to be inspected\r\n“packet”: the listener received the content of the response request\r\nThe “inspect” message is used to maintain a list of monitored tabs via the DevTools API. The “packet” message is\r\nused to parse the response of the targeted websites. The first versions of the malicious extension encountered by\r\nVolexity only supported Gmail accounts. The latest version supports both Gmail and AOL mail accounts.\r\nThe purpose of the response parsing is to steal email and attachments from a user’s mailbox. The extension can\r\ngenerate web requests to download additional email from the web page. An example of an AOL request to retrieve\r\nadditional emails is shown in Figure 7.\r\nFigure 7. AOL requests\r\nThe malicious extension can perform the following requests:\r\nHTTP POST Data Description\r\nmode=list\r\nList previously collected email from the victim to ensure duplicates\r\nare not uploaded. This list is continuously updated as SHARPEXT\r\nexecutes.\r\nmode=domain\r\nList email domains with which the victim has previously\r\ncommunicated. 
This list is continuously updated as SHARPEXT\r\nexecutes.\r\nmode=black\r\nCollect a blacklist of email senders that should be ignored when\r\ncollecting email from the victim.\r\nmode=newD\u0026d=[data] Add a domain to the list of all domains viewed by the victim.\r\nmode=attach\u0026name=[data]\u0026idx=\r\n[data]\u0026body=[data]\r\nUpload a new attachment to the remote server.\r\nmode=new\u0026mid=[data]\u0026mbody=\r\n[data]\r\nUpload Gmail data to the remote server.\r\nmode=attlist\r\nCommented by the attacker; receive an attachments list to be\r\nexfiltrated.\r\nmode=new_aol\u0026mid=\r\n[data]\u0026mbody=[data]\r\nUpload AOL data to the remote server.\r\nSHARPEXT uses several global variables to maintain knowledge of its current state and prevent duplication of\r\nstolen data. Information stored in these variables includes, but is not limited to, the following:\r\nLists of email addresses to ignore\r\nLists of email already stolen\r\nLists of the monitored tabs\r\nLists of previously exfiltrated attachments\r\nA summary of the orchestration of the different SHARPEXT components is given in Figure 8:\r\nFigure 8. SHARPEXT process workflow\r\nConclusion \u0026 Mitigations\r\nThe use of malicious browser extensions by North Korean threat actors is not new; this tactic has typically been\r\nused to infect users as part of the delivery phase of an attack. However, this is the first time Volexity has observed\r\nmalicious browser extensions used as part of the post-exploitation phase of a compromise. By stealing email data\r\nin the context of a user’s already-logged-in session, the attack is hidden from the email provider, making detection\r\nvery challenging. 
Similarly, the way in which the extension works means suspicious activity would not be logged\r\nin a user’s email “account activity” status page, were they to review it.\r\nDeployment of SHARPEXT is highly customized, as the attacker must first gain access to the victim’s original\r\nbrowser Secure Preferences file. This file is then modified and used to deploy the malicious extension. Volexity\r\nhas observed SharpTongue deploying SHARPEXT against targets for well over a year; and, in each case, a\r\ndedicated folder for the infected user is created containing the required files for the extension.\r\nVolexity has followed the evolution of SHARPEXT due to several engagements handled by its incident response\r\nteam. When Volexity first encountered SHARPEXT, it seemed to be a tool in early development containing\r\nnumerous bugs, an indication the tool was immature. The latest updates and ongoing maintenance demonstrate the\r\nattacker is achieving its goals, finding value in continuing to refine it. 
Volexity’s own visibility shows the\r\nextension has been quite successful, as logs obtained by Volexity show the attacker was able to successfully steal\r\nthousands of emails from multiple victims through the malware’s deployment.\r\nTo generically detect and investigate attacks such as these, Volexity recommends the following:\r\nBecause PowerShell played a key role in the setup and installation of the malware, enabling and analyzing\r\nthe results of PowerShell ScriptBlock logging could be useful for identification and triage of malicious\r\nactivity.\r\nSecurity teams responsible for defending users highly targeted by this threat actor may consider\r\nperiodically reviewing installed extensions on machines of high-risk users to identify those not available on\r\nthe Chrome Web Store or loaded from unusual paths.\r\nTo prevent these specific attacks, Volexity recommends the following:\r\nUse the YARA rules here to detect related activity.\r\nBlock the IOCs listed here.\r\nIf you suspect you have been targeted by SharpTongue, please feel free to contact Volexity.\r\nSource: https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/"
	],
	"report_names": [
		"sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/814d59d765b5a92f67b9d87a41b69058a343d9f0.pdf",
		"text": "https://archive.orkl.eu/814d59d765b5a92f67b9d87a41b69058a343d9f0.txt",
		"img": "https://archive.orkl.eu/814d59d765b5a92f67b9d87a41b69058a343d9f0.jpg"
	}
}