{
	"id": "9d52d27b-3d44-4e02-8190-9b64e4b9f2f8",
	"created_at": "2026-04-06T00:18:29.196269Z",
	"updated_at": "2026-04-10T03:24:23.780093Z",
	"deleted_at": null,
	"sha1_hash": "fae8bfb634715fd6ea1ab1de73085be70e7f88db",
	"title": "Browser Pivoting",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 32197,
	"plain_text": "Browser Pivoting\r\nArchived: 2026-04-05 21:18:55 UTC\r\nMalware like Zeus and its variants inject themselves into a user’s browser to steal banking information. This is a\r\nman-in-the-browser attack. So-called, because the attacker is injecting malware into the target’s browser.\r\nOverview\r\nMan-in-the-browser malware uses two approaches to steal banking information. They either capture form data as\r\nit’s sent to a server. For example, malware might hook PR_Write in Firefox to intercept HTTP POST data sent by\r\nFirefox. Or, they inject JavaScript onto certain webpages to make the user think the site is requesting information\r\nthat the attacker needs.\r\nCobalt Strike offers a third approach for man-in-the-browser attacks. It lets the attacker hijack authenticated web\r\nsessions—all of them. Once a user logs onto a site, an attacker may ask the user’s browser to make requests on\r\ntheir behalf. Since the user’s browser is making the request, it will automatically re-authenticate to any site the\r\nuser is already logged onto. I call this a browser pivot—because the attacker is pivoting their browser through the\r\ncompromised user’s browser.\r\nfigure 63 - Browser Pivoting in Action\r\nCobalt Strike’s implementation of browser pivoting for Internet Explorer injects an HTTP proxy server into the\r\ncompromised user’s browser. Do not confuse this with changing the user’s proxy settings. This proxy server does\r\nnot affect how the user gets to a site. Rather, this proxy server is available to the attacker. All requests that come\r\nthrough it are fulfilled by the user’s browser.\r\nSource: https://www.cobaltstrike.com/help-browser-pivoting\r\nhttps://www.cobaltstrike.com/help-browser-pivoting\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.cobaltstrike.com/help-browser-pivoting"
	],
	"report_names": [
		"help-browser-pivoting"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434709,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fae8bfb634715fd6ea1ab1de73085be70e7f88db.pdf",
		"text": "https://archive.orkl.eu/fae8bfb634715fd6ea1ab1de73085be70e7f88db.txt",
		"img": "https://archive.orkl.eu/fae8bfb634715fd6ea1ab1de73085be70e7f88db.jpg"
	}
}