{
	"id": "bdb9d7dc-f45b-4904-826e-a41fe4257436",
	"created_at": "2026-04-06T00:07:26.932014Z",
	"updated_at": "2026-04-10T03:37:08.889256Z",
	"deleted_at": null,
	"sha1_hash": "f8eff5569f73e75ceffbed168ac8bf7f7b8db816",
	"title": "CopperStealer Distributes Malicious Chromium-based Browser Extension to Steal Cryptocurrencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 253887,
	"plain_text": "CopperStealer Distributes Malicious Chromium-based Browser\r\nExtension to Steal Cryptocurrencies\r\nBy Jaromir Horejsi, Joseph C Chen (1756 words)\r\nPublished: 2022-08-11 · Archived: 2026-04-05 23:13:20 UTC\r\nMalware\r\nWe tracked the latest deployment of the group behind CopperStealer, this time stealing cryptocurrencies and users’\r\nwallet account information via a malicious Chromium-based browser extension.\r\nUpdate (8/12/2022 2:05AM EST): We have updated the list of IOCs and detections.\r\nWe have previously published analyses of CopperStealer distributing malware through various components, such as a\r\nbrowser stealer, an adware browser extension, or a remote desktop component. Tracking the cybercriminal group’s latest activities,\r\nwe found a malicious browser extension capable of creating and stealing API keys on infected machines when\r\nthe victim is logged in to a major cryptocurrency exchange website. These API keys allow the extension to\r\nperform transactions and send cryptocurrencies from victims’ wallets to the attackers’ wallets.\r\nSimilar to previous routines, this new component is spread via fake crack (also known as warez) websites. The\r\ncomponent is usually distributed in one dropper together with a browser stealer and bundled with other unrelated\r\npieces of malware. This bundle is compressed into a password-protected archive and has been distributed in the\r\nwild since July 2022.\r\nDropper/Extension installer\r\nThis component uses the same cryptor described in previous posts in its first stage, followed by a second stage\r\nin which the decrypted DLL is packed with Ultimate Packer for eXecutables (UPX). After decrypting and unpacking, we\r\nnoticed a resource directory named CRX containing a 7-Zip archive. Malicious Chrome browser extensions are\r\nusually packaged this way.\r\nFigure 1. 
Extension installer resource named CRX containing a 7-Zip archive\r\nhttps://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html\r\nPage 1 of 8\n\nThe archive contains a JSON file with settings (crx.json) and another 7-Zip archive (crx.7z) with the code of the extension\r\nitself.\r\nFigure 2. Unpacked content of CRX\r\nThe extension installer first modifies the files Preferences and Secure Preferences in the Chromium-based\r\nbrowser’s User Data directory. The file named Preferences is in JSON format and contains individual user\r\nsettings; the extension installer edits it to switch off browser notifications.\r\nMeanwhile, the file named Secure Preferences is also in JSON format and contains the settings of the installed\r\nextensions. For the newly installed extension, the content of the crx.json file is inserted into this Secure Preferences\r\nfile. The newly installed extension is also added to the extension installation allow list located in the registry.\r\nThe files from the crx.7z archive are then extracted into the extension’s directory located in \u003cUser\r\nData\\Default\\Extension\u003e. Finally, the browser is restarted so the newly installed extension becomes active. 
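The installer steps above (the crx.json content written into Secure Preferences, the extension ID added to the registry allow list, the extension files dropped under the Extensions directory) leave traces an incident responder can triage from the profile alone. The following Node.js script is an added example and not code from the Trend Micro post: it walks the extensions.settings map of a Secure Preferences file and flags the two extension IDs named in this post, any extension not installed from the Chrome Web Store, any extension that also appears in the ExtensionInstallAllowlist policy (the registry allow list the installer edits, passed in here as a plain array of IDs) and any content script whose match pattern covers a cryptocurrency exchange domain. The field names from_webstore, manifest and content_scripts follow the Secure Preferences layout seen in Chromium profiles and should be verified against the browser version at hand; the profile excerpt and allow list below are constructed for the example.

```javascript
// Added example: triage a Chromium Secure Preferences file for the installation
// pattern described in the post. This is not code from the original analysis.
// Field names (extensions.settings.<id>.from_webstore / manifest / content_scripts)
// follow the layout seen in Chromium profiles; verify them against the browser
// version at hand. All sample data below is constructed, not recovered from a host.

// Extension IDs reported in the post; neither exists on the Chrome Web Store.
const KNOWN_BAD_IDS = new Set([
  'cbnmkphohlaaeiknkhpacmmnlljnaedp',
  'jikoemlnjnpmecljncdgigogcnhlbfkc',
]);

// Subset of the exchange domains the background script probes for cookies.
const EXCHANGE_DOMAINS = ['coinbase.com', 'binance.com', 'kraken.com', 'blockchain.com', 'crypto.com'];

// Constructed Secure Preferences excerpt: one benign Web Store extension and
// one entry shaped like the crx.json content the installer injects.
const SAMPLE_SECURE_PREFS = {
  extensions: {
    settings: {
      aapbdbdomjkkjkaonfhkkikfgjllcleb: {
        from_webstore: true,
        manifest: { name: 'Google Translate', version: '2.0.13' },
      },
      cbnmkphohlaaeiknkhpacmmnlljnaedp: {
        from_webstore: false,
        manifest: {
          name: 'Chrome Helper',
          version: '1.0',
          background: { scripts: ['background.js'] },
          content_scripts: [{ matches: ['*://*.coinbase.com/*'], js: ['content.js'] }],
        },
      },
    },
  },
};

// Constructed view of the ExtensionInstallAllowlist values the installer adds to
// the registry (assumed policy name; collect the real values with reg.exe or a
// registry parser).
const SAMPLE_ALLOWLIST = ['cbnmkphohlaaeiknkhpacmmnlljnaedp'];

function matchesExchange(pattern) {
  return EXCHANGE_DOMAINS.some((domain) => pattern.includes(domain));
}

// Returns one finding per suspicious extension: { id, name, reasons[] }.
function triageExtensions(securePrefs, allowlist) {
  const settings = (securePrefs.extensions && securePrefs.extensions.settings) || {};
  const findings = [];
  for (const [id, entry] of Object.entries(settings)) {
    const manifest = entry.manifest || {};
    const reasons = [];
    if (KNOWN_BAD_IDS.has(id)) reasons.push('extension id reported for CopperStealer');
    if (entry.from_webstore === false) reasons.push('not installed from the Chrome Web Store');
    if (allowlist.includes(id)) reasons.push('listed in the ExtensionInstallAllowlist policy');
    const hits = (manifest.content_scripts || [])
      .flatMap((cs) => cs.matches || [])
      .filter(matchesExchange);
    if (hits.length > 0) reasons.push(`content script injected into exchange domains: ${hits.join(', ')}`);
    if (reasons.length > 0) findings.push({ id, name: manifest.name || '(unnamed)', reasons });
  }
  return findings;
}

console.log(JSON.stringify(triageExtensions(SAMPLE_SECURE_PREFS, SAMPLE_ALLOWLIST), null, 2));
```

On a real host, JSON.parse the Secure Preferences file from the profile directory and collect the allow list from the registry before calling triageExtensions. A from_webstore hit alone is weak (sideloaded enterprise extensions are common); combined with an allow-list entry and a content script scoped to an exchange it is exactly the pattern this post describes.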
We\r\nfound that the targeted browsers are Chromium-based and include:\r\nChrome\r\nChromium\r\nEdge\r\nBrave\r\nOpera\r\nCốc Cốc\r\nCentBrowser\r\nIridium\r\nVivaldi\r\nEpic\r\nCoowon\r\nAvast Secure Browser\r\nOrbitum\r\nComodo Dragon\r\nWe also noted that the extension was installed to the victims’ browsers under two different extension IDs,\r\nneither of which can be found on the official Chrome Web Store:\r\ncbnmkphohlaaeiknkhpacmmnlljnaedp\r\njikoemlnjnpmecljncdgigogcnhlbfkc\r\nAnalysis of the extension\r\nAfter installation, the newly installed extension appears in chrome://extensions/ as follows.\r\nFigure 3. Installed malicious extension\r\nThe extension manifest defines two JavaScript files. The background script is named background.js and runs inside\r\nthe extension itself in only one instance. Meanwhile, the content script is called content.js and runs in the context\r\nof coinbase.com, as shown in the snippet from the extension manifest.\r\nFigure 4. Settings of the content script as specified in the extension manifest\r\nScript obfuscation\r\nBoth JavaScript files are heavily obfuscated. In the first obfuscation step, all strings are split into substrings, stored\r\nin a single array, and access to the array is achieved by calling multiple hexadecimal-named functions with five\r\nhexadecimal integer parameters.\r\nFigure 5. The first layer of obfuscation\r\nIn the second obfuscation step, all the strings, operators (+, -, *, /, and so on), function calls, and similar elements are\r\nmoved into an object used as a lookup table. Each member of that object has a random string as its name and either a string or a function\r\nas its value. In the example we analyzed, _0x1f27e3['PFPYr'] corresponds to the string “set”, and _0x1f27e3['LYLfc']\r\n(0,1) corresponds to the logical expression 0!=1.\r\nFigure 6. The second layer of obfuscation\r\nBoth obfuscation layers can be removed with custom automation scripts.\r\nBackground script analysis\r\nThis section breaks down how the cybercriminals are able to steal the account information of\r\nlegitimate cryptocurrency wallet users. When the extension starts, the background script makes two queries. The\r\nfirst one is a GET request to http://\u003cC\u0026C server\u003e/traffic/chrome, likely for statistical purposes. The second query\r\nis a POST request to http://\u003cC\u0026C server\u003e/traffic/domain, whose body lists the domains of\r\ncryptocurrency-related websites for which cookies were found on the machine:\r\nblockchain.com\r\ncoinbase.com\r\nbinance.com\r\nftx.com\r\nokex.com\r\nhuobi.com\r\nkraken.com\r\npoloniex.com\r\ncrypto.com\r\nbithumb.com\r\nbitfinex.com\r\nkucoin.com\r\ngate.io\r\ntokocrypto.com\r\ntabtrader.com\r\nmexc.com\r\nlbank.info\r\nhotbit.io\r\nbit2me.com\r\netoro.com\r\nnicehash.com\r\nprobit.com\r\nThe extension then defines an array of the threat actor’s addresses for various cryptocurrencies and tokens:\r\nTether (USDT, specifically in Ethereum ERC20 and TRON TRC20)\r\nEthereum (ETH)\r\nBitcoin (BTC)\r\nLitecoin (LTC)\r\nBinance coin (BNB)\r\nRipple (XRP)\r\nSolana (SOL)\r\nBitcoin Cash (BCH)\r\nZcash (ZEC)\r\nStellar Lumens (XLM)\r\nDogecoin (DOGE)\r\nTezos (XTZ)\r\nAlgorand (ALGO)\r\nDash (DASH)\r\nCosmos (ATOM)\r\nFor ETH addresses, the script hardcodes about 170 additional ERC20-based tokens. Afterward, the extension\r\nstarts an onMessage listener for messages sent from either an extension process or a content script. 
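Returning to the two obfuscation layers described under Script obfuscation: the first layer is a single string array read through hexadecimal-named accessor functions that take five hexadecimal arguments and use only one of them (minus a fixed offset) as the index, and the second is a map object whose random-named members hold either a string or a small wrapper function. The Node.js script below is an added example, not the authors’ automation: it resolves the array accesses to string literals, then inlines the string-valued members of the map, and counts the function-valued members that still need AST-based rewriting. The obfuscated snippet it runs on is constructed to mimic the pattern in Figures 5 and 6 (the _0x1f27e3['PFPYr'] and _0x1f27e3['LYLfc'] names are taken from the post; everything else in the snippet is made up), and the text-based parsing assumes the strings contain no commas or escaped quotes, which a production tool would handle with a real parser such as @babel/parser.

```javascript
// Added example: a minimal two-layer deobfuscator for the patterns described in
// the Script obfuscation section. Not the authors' tooling. The obfuscated
// snippet below is constructed to mimic the pattern, not recovered from the
// extension; only the two map member names come from the post.
const SAMPLE = `
var _0x3a2b = ['coinbase.com', 'apiKey', 'apiSecret', 'homeStart', 'set', 'method'];
function _0x1f27(a, b, c, d, e) { return _0x3a2b[b - 0x1a3]; }
function _0x4c91(a, b, c, d, e) { return _0x3a2b[d - 0x2f0]; }
var _0x1f27e3 = {
  'PFPYr': _0x1f27(0x11, 0x1a7, 0x3, 0x9, 0x2),
  'LYLfc': function (a, b) { return a != b; },
  'qzRtM': 'tfa'
};
chrome.storage.local[_0x1f27e3['PFPYr']]({ [_0x4c91(0x0, 0x1, 0x0, 0x2f1, 0x5)]: key });
if (_0x1f27e3['LYLfc'](0, 1)) { msg[_0x4c91(0x7, 0x7, 0x7, 0x2f5, 0x7)] = _0x1f27(0x0, 0x1a6, 0x0, 0x0, 0x0); }
`;

// Layer 1a: locate the single string array. The constructed sample has no
// commas inside strings; a production tool would tokenize with an AST parser.
function parseStringArray(src) {
  const eq = src.indexOf(' = [');
  const name = src.slice(src.lastIndexOf('var ', eq) + 4, eq);
  const items = src
    .slice(eq + 4, src.indexOf('];', eq))
    .split(',')
    .map((s) => s.trim().slice(1, -1));
  return { name, items };
}

// Layer 1b: each accessor is function NAME(p1..p5) { return ARRAY[pN - 0xOFFSET]; }
// and uses only one of its five parameters; the others are decoys.
const ACCESSOR_RE = /function (_0x[0-9a-f]+)[(]([^)]*)[)] *[{] *return (_0x[0-9a-f]+)[[]([a-z]+) *- *(0x[0-9a-f]+)]/g;

function parseAccessors(src, arrayName) {
  const accessors = [];
  for (const [, fn, params, arr, indexParam, offset] of src.matchAll(ACCESSOR_RE)) {
    if (arr !== arrayName) continue;
    const argPos = params.split(',').map((p) => p.trim()).indexOf(indexParam);
    accessors.push({ fn, argPos, offset: parseInt(offset, 16) });
  }
  return accessors;
}

// Layer 1c: replace every accessor call with the string literal it resolves to.
function resolveLayer1(src) {
  const { name, items } = parseStringArray(src);
  let out = src;
  for (const { fn, argPos, offset } of parseAccessors(src, name)) {
    const callRe = new RegExp(fn + '[(]([^)]*)[)]', 'g');
    out = out.replace(callRe, (whole, args) => {
      const idx = parseInt(args.split(',')[argPos].trim(), 16) - offset;
      // the accessor's own declaration also matches; an out-of-range index leaves it untouched
      return idx >= 0 && idx < items.length ? `'${items[idx]}'` : whole;
    });
  }
  return out;
}

// Layer 2: inline string-valued members of the map object. Function-valued
// members (the 0 != 1 style wrappers) need AST rewriting and are only counted.
function resolveLayer2(src) {
  const brace = src.indexOf(' = {');
  if (brace < 0) return { code: src, unresolved: 0 };
  const objName = src.slice(src.lastIndexOf('var ', brace) + 4, brace);
  const body = src.slice(brace + 4, src.indexOf('};', brace));
  let out = src;
  for (const [, key, value] of body.matchAll(/'([^']+)': '([^']*)'/g)) {
    out = out.split(`${objName}['${key}']`).join(`'${value}'`);
  }
  const unresolved = (body.match(/: function/g) || []).length;
  return { code: out, unresolved };
}

function deobfuscate(src) {
  return resolveLayer2(resolveLayer1(src));
}

const result = deobfuscate(SAMPLE);
console.log(result.code);
console.log(`function-valued map members left for manual or AST-based inlining: ${result.unresolved}`);
```

Layer 1 has to run before layer 2: the map members in the sample are themselves accessor calls, so they only become plain strings once the array lookups are resolved. After both passes the storage call reads chrome.storage.local['set']({ ['apiKey']: key }) and the message assignment reads msg['method'] = 'homeStart', which is the point at which the API-key handling and the homeStart/createApi protocol become readable.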
The\r\nmessage is in JSON format, with one of its name-value pairs called method. The background script listens for the\r\nfollowing methods:\r\nMethod “homeStart”\r\nThis method tries to obtain the API key (apiKey) and API secret (apiSecret) from the browser’s local storage if this\r\nkey-secret pair was previously obtained and saved. These credentials are needed for the following steps:\r\nThe script uses the exchange API to get information about wallets, addresses, and balances by requesting /api/v2/accounts. The\r\nresult of this request is also exfiltrated to http://\u003cC\u0026C server\u003e/traffic/step.\r\nIf the request is successful, the background script sends an “okApi” message to the content script and starts parsing the wallet\r\ninformation. For every wallet with a non-zero balance, it attempts to send 85% of the available funds to the\r\nattacker-controlled wallet for that currency.\r\nFigure 7. Looking for wallets with non-zero balance\r\nFigure 8. Stealing 85% of available funds\r\nThe result of the transaction request is also exfiltrated to http://\u003cC\u0026C server\u003e/traffic/step.\r\nIf the request is not successful, the background script sends an “errorApi” message to the content script. The “errorApi” message\r\ncontains a CSRF token from https://www.coinbase.com/settings/api as one parameter, and the response to the\r\nnew API key creation request.\r\nMethod “createApi”\r\nThis message is received from the content script and contains a two-factor authentication (2FA) code as one of its\r\nparameters. The code is used to open the modal window for creating API keys. Normally, when a user clicks\r\n“+New API Key” in the Coinbase API settings, a 2FA code is requested, and if the code is correct, the modal\r\nwindow appears.\r\nIn the second step of new API key creation, one needs to select wallets and their permissions. The malicious\r\nextension requests all the available permissions for all accounts.\r\nFigure 9. Selecting all accounts and permissions\r\nAfterward, one more authentication code must be entered, and a form with the newly generated API keys is\r\ndisplayed. If successful, the background script then extracts the two API credentials (API Key and API\r\nSecret) from the “API key details” form, saves them to the browser’s local storage for later use, and exfiltrates\r\nthem to http://\u003cC\u0026C server\u003e/traffic/step. If API authentication is not successful, a “retryApi” message is sent to the\r\ncontent script.\r\nContent script analysis\r\nWe looked further into the content script to analyze the routine responsible for stealing the 2FA codes from\r\nthe victims. The content script contains a list of messages in the following languages:\r\nEnglish (en)\r\nGerman (de)\r\nSpanish (es)\r\nFrench (fr)\r\nJapanese (jp)\r\nIndonesian (id)\r\nItalian (it)\r\nPolish (pl)\r\nPortuguese (pt)\r\nRussian (ru)\r\nThai (th)\r\nTurkish (tr)\r\nEach message contains a title, description, and error message for both phone and authenticator.\r\nFor “phone,” the displayed messages in English are:\r\n“title”: “Please enter the verification code from your phone.”\r\n“description”: “Enter the two-step verification code provided by SMS to your phone.”\r\n“message”: “That code was invalid. Please try again.”\r\nFor “authenticator,” the displayed messages in English are:\r\n“title”: “Please enter the verification code from your authenticator.”\r\n“description”: “Enter the 2-step verification code provided by your authentication app.”\r\n“message”: “That code was invalid. Please try again.”\r\nThe content script initially makes a request to /api/v3/brokerage/user_configuration to see whether a user is logged in or\r\nnot. 
The script then sends a “homeStart” message to the background script and starts an onMessage listener that\r\ndispatches on the “method” attribute, mirroring the background script routine. If it receives a message with a method\r\nattribute equal to “okApi”, it hides the code loader and removes the modal window. If it receives a message with a\r\nmethod attribute equal to “errorApi”, it creates a modal window.\r\nFigure 10. Displayed modal window asking the victim to enter an authentication code\r\nThe modal window has input boxes and listens for oninput events. Once each of the input boxes contains one digit,\r\nthe digits are concatenated into one “tfa” (2FA) variable and sent as a parameter of a “createApi” message to the\r\nbackground script. The code loader is also shown.\r\nThe modal window has six input boxes for the six digits provided by an authenticator app. If the victim uses\r\nauthentication via SMS, the authentication code has seven digits, and the modal window has one more\r\ninput box. This logic is implemented in the modal window code. A received message with a method attribute\r\nequal to “retryApi” clears all entered digits and displays an error message in red.\r\nFigure 11. After the authentication code is entered, an error message appears\r\nConclusion\r\nThe cybercriminals behind CopperStealer are far from stopping anytime soon, and we continue monitoring their\r\ndeployments as they find more ways to target unwitting victims. 
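The C&C exchange described in the background script analysis (a plain-HTTP GET to /traffic/chrome, a POST to /traffic/domain carrying the exchange domains found in cookies, and POSTs to /traffic/step carrying account data and transaction results) is easy to hunt for in proxy logs, and the authors note below that the C&C hostname is a 16-hexadecimal-character string in the same format as earlier CopperStealer DGA domains. The Node.js script here is an added example, not part of the post: it parses constructed proxy log lines, flags the three C&C paths when requested over plain HTTP (checking the expected method), flags hostnames whose registrable label is exactly 16 hex characters, and groups hits per client so that a session showing both indicators scores higher than a lone DGA-style domain. The log line layout and all hostnames are constructed (.invalid and .example are reserved names), and treating the 16 hex characters as the registrable label is an assumption the post does not spell out.

```javascript
// Added example: hunting proxy logs for the C&C pattern described in the post
// (plain-HTTP GET /traffic/chrome, POST /traffic/domain, POST /traffic/step) plus
// the 16-hex-character domain format the authors associate with CopperStealer
// DGA domains. Not code from the post. Log layout and hostnames are constructed;
// the DGA check assumes the 16 hex characters form the registrable label.
const C2_PATHS = new Map([
  ['/traffic/chrome', 'GET'],
  ['/traffic/domain', 'POST'],
  ['/traffic/step', 'POST'],
]);
const HEX16_LABEL = /^[0-9a-f]{16}$/i;

// Constructed proxy log: <timestamp> <client> <method> <url> <status>
const SAMPLE_PROXY_LOG = [
  '2022-07-19T09:12:03Z 10.0.4.21 GET http://4f3a9c1d7e2b8a60.invalid/traffic/chrome 200',
  '2022-07-19T09:12:04Z 10.0.4.21 POST http://4f3a9c1d7e2b8a60.invalid/traffic/domain 200',
  '2022-07-19T09:12:09Z 10.0.4.21 GET https://www.coinbase.com/settings/api 200',
  '2022-07-19T09:12:11Z 10.0.4.21 POST http://4f3a9c1d7e2b8a60.invalid/traffic/step 200',
  '2022-07-19T09:13:40Z 10.0.4.37 GET http://updates.example/traffic/report 404',
  '2022-07-19T09:14:02Z 10.0.4.37 GET http://deadbeefcafef00d.example/index.html 200',
  'garbage line that does not parse',
];

function parseLine(line) {
  const parts = line.trim().split(/ +/);
  if (parts.length !== 5) return null;
  const [ts, client, method, url, status] = parts;
  let parsed;
  try { parsed = new URL(url); } catch (e) { return null; }
  return { ts, client, method, status: Number(status), url: parsed };
}

// Registrable label = the label just before the public suffix; a single-label
// suffix is assumed here (use a public suffix list library on real data).
function registrableLabel(hostname) {
  const labels = hostname.split('.');
  return labels.length >= 2 ? labels[labels.length - 2] : hostname;
}

function classify(rec) {
  const indicators = [];
  const expectedMethod = C2_PATHS.get(rec.url.pathname);
  if (expectedMethod && rec.url.protocol === 'http:') {
    indicators.push(`C2 endpoint ${rec.method} ${rec.url.pathname}`);
    if (rec.method !== expectedMethod) indicators.push(`unexpected method (expected ${expectedMethod})`);
  }
  if (HEX16_LABEL.test(registrableLabel(rec.url.hostname))) indicators.push('16-hex DGA-style domain');
  return indicators;
}

// Returns per-client summaries so an analyst sees sessions, not single lines.
function huntC2(lines) {
  const byClient = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const indicators = classify(rec);
    if (indicators.length === 0) continue;
    if (!byClient.has(rec.client)) byClient.set(rec.client, { client: rec.client, hosts: new Set(), hits: [] });
    const entry = byClient.get(rec.client);
    entry.hosts.add(rec.url.hostname);
    entry.hits.push({ ts: rec.ts, indicators });
  }
  return [...byClient.values()].map((e) => ({
    client: e.client,
    hosts: [...e.hosts],
    hits: e.hits,
    // a /traffic/ endpoint and a DGA-style host in the same request is the strong signal
    severity: e.hits.some((h) => h.indicators.length >= 2) ? 'high' : 'medium',
  }));
}

console.log(JSON.stringify(huntC2(SAMPLE_PROXY_LOG), null, 2));
```

The path check is deliberately exact and tied to plain HTTP, because /traffic/ prefixes also occur in legitimate analytics endpoints; the /traffic/report request to a normal host in the sample is therefore not flagged, while the lone DGA-style hostname on the second client is surfaced at medium severity for follow-up rather than dropped.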
While analyzing this routine, we found multiple\r\nsimilarities between this extension and the previously reported malware components. One is that the\r\nmalicious extension and CopperStealer were distributed from the same dropper and by the same delivery vector\r\nthat we have documented previously.\r\nAnother striking similarity is that the malicious extension’s command and control (C\u0026C) domain has the same\r\nformat as the Domain Generation Algorithm (DGA) domains tracked back as belonging to the previous versions\r\nof CopperStealer. The format is a string composed of 16 hexadecimal characters. Moreover, both of their C\u0026C\r\nservers were built with the PHP framework “CodeIgniter.” These attributes hint to us that the developers or\r\noperators behind the malware and the extension could be associated.\r\nUsers and organizations are advised to download their software, applications, and updates from official\r\nplatforms to mitigate the risks and threats brought by malware like CopperStealer. Teams are advised to keep their\r\nsecurity solutions updated so that detection and prevention can protect systems against\r\nmultiple attacks and infections.\r\nIndicators of Compromise (IOCs)\r\nThe list of IOCs is published alongside the original post.\r\nSource: https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/h/copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html"
	],
	"report_names": [
		"copperstealer-distributes-malicious-chromium-browser-extension-steal-cryptocurrencies.html"
	],
	"threat_actors": [
		{
			"id": "0661a292-80f3-420b-9951-a50e03c831c0",
			"created_at": "2023-01-06T13:46:38.928796Z",
			"updated_at": "2026-04-10T02:00:03.148052Z",
			"deleted_at": null,
			"main_name": "IRIDIUM",
			"aliases": [],
			"source_name": "MISPGALAXY:IRIDIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75455540-2f6e-467c-9225-8fe670e50c47",
			"created_at": "2022-10-25T16:07:23.740266Z",
			"updated_at": "2026-04-10T02:00:04.732992Z",
			"deleted_at": null,
			"main_name": "Iridium",
			"aliases": [],
			"source_name": "ETDA:Iridium",
			"tools": [
				"CHINACHOPPER",
				"China Chopper",
				"LazyCat",
				"Powerkatz",
				"SinoChopper",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434046,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f8eff5569f73e75ceffbed168ac8bf7f7b8db816.pdf",
		"text": "https://archive.orkl.eu/f8eff5569f73e75ceffbed168ac8bf7f7b8db816.txt",
		"img": "https://archive.orkl.eu/f8eff5569f73e75ceffbed168ac8bf7f7b8db816.jpg"
	}
}