{
	"id": "a6cf4c51-a45c-4c24-bd10-f97f0ca72f7f",
	"created_at": "2026-04-06T00:06:49.051906Z",
	"updated_at": "2026-04-10T03:21:34.43137Z",
	"deleted_at": null,
	"sha1_hash": "b93ecad6151833239cffd077d3dafa9376567c34",
	"title": "lnkr/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md at master · Zenexer/lnkr",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63735,
	"plain_text": "lnkr/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md\r\nat master · Zenexer/lnkr\r\nBy Zenexer\r\nArchived: 2026-04-05 21:36:55 UTC\r\nExtension analysis\r\nID\r\nfanagokoaogopceablgmpndejhedkjjb\r\nName\r\nFlash Playlist\r\nVersion\r\n1.2.0\r\nThis extension is a modified, likely unauthorized clone of fnipglnbhfacfmefbgiiodalehbcgcbm . The malicious clone has\r\nsince been removed from the Chrome Web Store.\r\nFlow\r\nUnix timestamps have been replaced with [timestamp]\r\n1. manifest.json specifies background.js as a background script\r\n2. manifest.json specifies content_page.js as a content script, which appears to be a standard Mixpanel script\r\n3. background.js performs an ajax request for http://flashplaylist.com/api/?\r\naction=params\u0026id=fanagokoaogopceablgmpndejhedkjjb\u0026version=1.2.0\r\n4. background.js stores the result in Chrome local storage via chrome.storage.local.set ; the result includes a\r\nvalue for MIXPANEL_CUSTOM_LIB_URL\r\n5. User visits an arbitrary website\r\n6. content_page.js injects a \u003cscript\u003e tag for the script specified in local storage for MIXPANEL_CUSTOM_LIB_URL ,\r\nwhich is //serenityart.biz/1f7cbb02d08cf61dbb.js\r\n7. 1f7cbb02d08cf61dbb.js performs a JSONP request for https://serenityart.biz/optout/get?\r\njsonp=__twb_cb_6375332\u0026key=1f7cbb02d08cf61dbb\u0026t=[timestamp]\r\n8. 1f7cbb02d08cf61dbb.js loads several tracking GIFs based on the page load status in the form of\r\nhttps://serenityart.biz/metric/?mid=\u0026wid=52096\u0026sid=\u0026tid=8060\u0026rid=\r\n[rid]\u0026custom1=netops.is\u0026custom2=/\u0026custom3=serenityart.biz\u0026t=[timestamp] , where [rid] is each of:\r\n1. LOADED\r\n2. FINISHED\r\n3. BEFORE_OPTOUT\r\n4. LAUNCHED\r\n9. 1f7cbb02d08cf61dbb.js performs JSONP requests for:\r\n1. https://serenityart.biz/optout/set/lat?jsonp=__twb_cb_699176887\u0026key=1f7cbb02d08cf61dbb\u0026cv=\r\n[timestamp]\u0026t=[timestamp]\r\nhttps://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md\r\nPage 1 of 2\n\n2. https://serenityart.biz/optout/set/lt?jsonp=__twb_cb_903372803\u0026key=1f7cbb02d08cf61dbb\u0026cv=6\u0026t=\r\n[timestamp]\r\n10. injects a \u003cscript\u003e tag for https://srvvtrk.com/91a2556838a7c33eac284eea30bdcc29/validate-site.js?\r\nuid=52096x8060x\u0026r=[timestamp]\r\n11. injects a \u003cscript\u003e tag for https://serenityart.biz/addons/lnkr5.min.js\r\n12. performs loads several additional tracking GIFs in the form of https://serenityart.biz/metric/?mid=\r\n[mid]\u0026wid=52096\u0026sid=\u0026tid=8060\u0026rid=[rid]\u0026t=[timestamp] , where [mid] and [rid] are each of:\r\n1. mid=18918 , rid=MNTZ_INJECT\r\n2. mid= , rid=OPTOUT_RESPONSE_OK\r\n3. mid=cd1d2 , rid=MNTZ_INJECT\r\n4. mid=18918 , rid=MNTZ_LOADED\r\n5. mid=90f06 , rid=MNTZ_INJECT\r\n6. mid=cd1d2 , rid=MNTZ_LOADED\r\n7. mid=90f06 , rid=MNTZ_LOADED\r\nResponses\r\nhttp://flashplaylist.com/api/\r\n{\r\n\"analyticsId\": \"UA-108823706-1\",\r\n\"mixpanelId\": \"58410f8ab299e0eb2b736f6e233eda37\",\r\n\"vars\": {\r\n\"MIXPANEL_CUSTOM_LIB_URL\": \"\\/\\/serenityart.biz\\/1f7cbb02d08cf61dbb.js\"\r\n},\r\n\"validateFields\": null\r\n}\r\nhttps://serenityart.biz/optout/get\r\n__twb_cb_6375332({\r\n\"success\": \"1\",\r\n\"targeting\": \"0\",\r\n\"country\": \"US\",\r\n\"userId\": \"64\",\r\n\"strTm\": \"[timestamp]\",\r\n\"lt\": \"0\",\r\n\"lat\": \"[timestamp]\",\r\n\"limits\": \"\",\r\n\"lcFlag\": \"\",\r\n\"optout\": \"\"\r\n});\r\nSource: https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md\r\nhttps://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md"
	],
	"report_names": [
		"README.md"
	],
	"threat_actors": [],
	"ts_created_at": 1775434009,
	"ts_updated_at": 1775791294,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b93ecad6151833239cffd077d3dafa9376567c34.pdf",
		"text": "https://archive.orkl.eu/b93ecad6151833239cffd077d3dafa9376567c34.txt",
		"img": "https://archive.orkl.eu/b93ecad6151833239cffd077d3dafa9376567c34.jpg"
	}
}