Rilide is a Chromium-based information-stealing malware family implemented as a malicious browser extension. It was first publicly reported by SpiderLabs in April 2023 and has been described by Mandiant as part of a broader email- and cryptocurrency-theft ecosystem. Rilide targets Chromium-based browsers and can be force-loaded for persistence via tampered Windows LNK shortcut files that launch a legitimate browser with the --load-extension switch; this technique applies to browsers such as Chrome, Brave, Microsoft Edge, Opera, and Vivaldi.
Observed capabilities include monitoring visited URLs, capturing screenshots of browser tabs, injecting remote JavaScript into selected websites, logging passwords, and collecting credentials including cryptocurrency wallet data. In one investigated intrusion chain, a TradingView-themed lure delivered the BRAINFOG dropper, which installed Rilide, killed running Chrome processes, replaced Chrome shortcuts, and configured the browser to load the extension invisibly. Mandiant also identified BRAINSTORM, a Rust-based dropper, and BRAINLINK, an Advanced Installer-compiled dropper, as associated with Rilide delivery.
Rilide communicates with command-and-control infrastructure to initialize infected hosts and retrieve targeting data. During execution it was observed calling /api/machine/init to obtain a machine identifier and a monitored-domain list, and re-fetching monitored domains every five minutes. Using DOMContentLoaded-triggered logic, it can request domain-to-script mappings from C2 and inject remote scripts such as coinbase.js, binance.js, gmail.js, hotmail.js, yahoo.js, bybit.js, and okx.js when victims browse targeted services. Reported targeted domains include coinbase.com, binance.com, blockchain.com, mail.google, outlook.live, mail.yahoo, bybit.com, and okx.com.
High-confidence infrastructure and delivery details mentioned in the content include C2/API paths at extenision-app[.]com/api/settings, /api/machine/, /api/machine/init, and /api/machine/get-urls, as well as a sample using the C2 domain ashgrrwt[.]click. One delivery chain downloaded a dropper from telegromcn[.]org/soft/analytics/extension[.]exe, and another referenced raw.githubusercontent[.]com/gulantin/blanks/main/blanks_online.exe. Mandiant reported financially motivated intrusions involving this methodology in 2023 affecting organizations in semiconductor, business marketing, financial investment, and telecom sectors.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
11 distinct techniques documented for this family, organized by ATT&CK tactic.
3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as an information-stealing browser extension (mentioned as a top blog topic).
Information-stealing malware delivered and operating as a malicious Chromium browser extension; steals credentials (including crypto wallet credentials), logs passwords, and takes screenshots. Delivered via malvertising/phishing with a loader that installs the extension; observed impersonating Google Drive and Palo Alto extensions.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.