{
	"id": "2188563a-fd48-4238-8de9-d3cb2e971ef8",
	"created_at": "2026-04-06T00:06:49.10136Z",
	"updated_at": "2026-04-10T13:11:59.611969Z",
	"deleted_at": null,
	"sha1_hash": "96c33e1d3d8de4196531a4464882df6de2b74813",
	"title": "Cyber-espionage group uses Chrome extension to infect victims",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48259,
	"plain_text": "Cyber-espionage group uses Chrome extension to infect victims\r\nBy Catalin Cimpanu\r\nPublished: 2018-12-05 · Archived: 2026-04-05 23:20:00 UTC\r\nIn what appears to be a first on the cyber-espionage scene, a nation-state-backed hacking group has used a Google Chrome extension to infect victims and steal passwords and cookies from their browsers.\r\nThis is the first time an APT (Advanced Persistent Threat, an industry term for nation-state hacking groups) has been seen (ab)using a Chrome extension, although it is not the first time one has used a browser extension: the Russian-linked Turla APT previously used a Firefox add-on in 2015 [1, 2].\r\nA report to be published later today by the ASERT team at Netscout reveals the details of a spear-phishing campaign that has been pushing a malicious Chrome extension since at least May 2018.\r\nThe hackers used spear-phishing emails to lure victims to websites copied from legitimate academic organizations. These phishing sites, now down, showed a benign PDF document but prevented users from viewing it, redirecting victims to the official Chrome Web Store page to install a (now removed) Chrome extension named Auto Font Manager.\r\nImage: Mr. J0hn D0ugh\r\nNetscout researchers say the extension had the ability to steal both cookies and site passwords, but they have also seen email forwarding set up on some compromised accounts.\r\nSpeaking to ZDNet, Netscout researchers said the spear-phishing campaigns using this Chrome extension targeted the academic sector, but they did not want to give out the names of the victims just yet.\r\n\"We've identified three universities based in the United States and one non-profit institution based in Asia [that] we're certain to have been targeted,\" researchers told us.\r\n\"A large number of the victims, across multiple universities, had expertise in biomedical engineering, possibly suggesting a motivation for the attackers' targeting,\" researchers added separately, in their report.\r\nWhile looking into these recent attacks, researchers also discovered that the same infrastructure that hosted the phishing sites had previously been used in another hacking campaign, one that relied on breaking into universities' networks via Remote Desktop Protocol (RDP) connections.\r\nNetscout told ZDNet that \"the two separate threads of activity have shared infrastructure and overlapping victims, but it's unclear which came first.\"\r\nInvestigators also added that the people behind this recent campaign, which Netscout named Stolen Pencil, have been very sloppy when it came to hiding their tracks. Researchers said they found evidence suggesting that the group may be based in North Korea.\r\n\"Poor OPSEC led to users finding open web browsers in Korean, English-to-Korean translators open, and keyboards switched to Korean language settings,\" researchers said.\r\nWhile Netscout researchers did not want to link this campaign to a specific North Korean APT, multiple industry sources to whom ZDNet showed the Chrome extension file hashes yesterday pointed us to a cyber-espionage group known as Kimsuky (also known as Velvet Chollima).\r\nA 2013 Kaspersky Lab report presented evidence linking the group to North Korea's regime. The same report also detailed Kimsuky's propensity for going after academic targets, the same ones targeted in this most recent campaign.\r\nAs for what the hackers were after, Netscout researchers told ZDNet that they have \"seen no evidence of data theft, but like any intrusion, we can't entirely discount the possibility. None of the tools or commands were specifically geared towards stealing information - they were focused on credential theft and maintaining access.\"\r\nUniversities have always been an attractive target for nation-state hackers, especially those looking for proprietary information or unreleased research. While both Chinese and Russian state hackers have been known to go after the academic sector on a regular basis, Iranian hackers have been the most active of the bunch.\r\nEarlier this year, in March, the US indicted 10 Iranians for hacks against 320 universities in 22 countries, 144 of which were in the US. Some of the research papers the hackers stole were eventually published online on pay-for-access portals operated by some of the indicted hackers, who apparently found a way to generate side profits from their day-to-day state-sponsored hacking campaigns. The indictments did not stop Iranian hackers from their attacks, though.\r\nSource: https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/"
	],
	"report_names": [
		"cyber-espionage-group-uses-chrome-extension-to-infect-victims"
	],
	"threat_actors": [
		{
			"id": "a02bb810-5dd2-46c1-a609-b44d984d96d0",
			"created_at": "2022-10-25T15:50:23.505735Z",
			"updated_at": "2026-04-10T02:00:05.398328Z",
			"deleted_at": null,
			"main_name": "Stolen Pencil",
			"aliases": [
				"Stolen Pencil"
			],
			"source_name": "MITRE:Stolen Pencil",
			"tools": [
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"ITG12",
				"KRYPTON",
				"MAKERSMARK",
				"Pensive Ursa",
				"Secret Blizzard",
				"Turla",
				"UAC-0003",
				"UAC-0024",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-10T02:00:05.305572Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"schtasks",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-10T02:00:03.062424Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"Emerald Sleet",
				"THALLIUM",
				"Springtail",
				"Sparkling Pisces",
				"Thallium",
				"Operation Stolen Pencil",
				"APT43",
				"Velvet Chollima",
				"Black Banshee"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark",
				"RevClient"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-10T02:00:03.846812Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43",
				"ARCHIPELAGO",
				"Black Banshee",
				"Crooked Pisces",
				"Emerald Sleet",
				"ITG16",
				"Kimsuky",
				"Larva-24005",
				"Opal Sleet",
				"Ruby Sleet",
				"SharpTongue",
				"Sparking Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"THALLIUM",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-10T02:00:04.73769Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775826719,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96c33e1d3d8de4196531a4464882df6de2b74813.pdf",
		"text": "https://archive.orkl.eu/96c33e1d3d8de4196531a4464882df6de2b74813.txt",
		"img": "https://archive.orkl.eu/96c33e1d3d8de4196531a4464882df6de2b74813.jpg"
	}
}