
Silent Swap

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques
T1059 Command and Scripting Interpreter (evidence: 1)

The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign 'Google Notes' utility.

T1204 User Execution (evidence: 1)

The attack, however, hinges on enabling the developer mode for newer versions of the browsers, something that a threat actor can accomplish through social engineering tactics.

T1204.002 Malicious File (evidence: 1)

The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign 'Google Notes' utility.

Stealth

1 technique
T1070 Indicator Removal (evidence: 1)

The installer is self-deleted after execution, effectively removing an indicator of initial compromise.

Collection

2 techniques
T1115 Clipboard Data (evidence: 1)

The end goal of the extension is to act as a clipper that's capable of intercepting and manipulating wallet addresses copied into the system clipboard with the goal of rerouting the funds to an attacker-controlled wallet.

T1185 Browser Session Hijacking (evidence: 1)

The end goal of the extension is to act as a clipper that's capable of intercepting and manipulating wallet addresses copied into the system clipboard with the goal of rerouting the funds to an attacker-controlled wallet.

Command and Control

2 techniques
T1102.001 Dead Drop Resolver (evidence: 1)

What makes Silent Swap stand apart is the use of a technique called EtherHiding that uses the blockchain as a dead drop resolver to retrieve the active command-and-control (C2) server details.

T1105 Ingress Tool Transfer (evidence: 1)

The unsigned .NET installer, named BaseZipInstaller, is designed to retrieve a ZIP archive, which serves as a foundation for the malicious browser extension.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
2 tracked

IPs, domains, and DNS infrastructure linked to this family.

Type    Value                          Latest sighting
ip.v4   (not shown publicly)           today
ip.v4   (not shown publicly)           today
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (2)

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (8)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.