Malware

Google Notes

MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Reconnaissance

1 technique
T1598 Phishing for Information (evidence: 1)

Attackers can try to talk users into enabling developer mode.

Persistence

2 techniques
T1112 Modify Registry (evidence: 1)

It bypasses standard browser store approval by directly modifying browser preference files, allowing it to load without the user's explicit consent.

T1176 Software Extensions (evidence: 1)

This type of attack, known as clipper malware, is delivered through a malicious extension installed on Chromium-based browsers.

Stealth

1 technique
T1036 Masquerading (evidence: 1)

A malicious browser extension that hides behind the name “Google Notes” ... The extension presents itself as a simple note-taking tool.

Defense Impairment

1 technique
T1112 Modify Registry (evidence: 1)

It bypasses standard browser store approval by directly modifying browser preference files, allowing it to load without the user's explicit consent.

Collection

1 technique
T1115 Clipboard Data (evidence: 2)

The extension presents itself as a note-taking tool but secretly monitors and alters copied cryptocurrency wallet addresses before they are pasted into payment fields.

Command and Control

2 techniques
T1071 Application Layer Protocol (evidence: 1)

The attackers have also implemented a remote control method that retrieves command server domains from public blockchain smart contracts, making detection and blocking more challenging.

T1568 Dynamic Resolution (evidence: 1)

The extension can query a public blockchain smart contract to retrieve its active backend domain, with domains including devops-offensive(.)cc and Zebregts(.)com recorded during analysis.
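The persistence and defense-impairment entries above (T1112, T1176) both describe an extension that is written straight into the browser's preference files instead of being installed from the Web Store. The following is an added detection example, not code from this page or from Mallory: it reads a Chromium per-profile `Preferences` JSON, walks `extensions.settings`, and reports every extension that did not arrive through the Web Store, noting whether it requests clipboard permissions. The key names (`from_webstore`, `location`, `state`, `manifest`) and the `location` enum values follow the Chromium Preferences layout as the author of this example understands it and should be treated as assumptions to verify against your browser build; the sample profile is constructed.

```python
"""Flag extensions that were sideloaded into a Chromium profile (added example)."""
import json

# Chromium Manifest::Location values as assumed here:
# 1 = INTERNAL (Web Store / .crx), 2 = EXTERNAL_PREF, 3 = EXTERNAL_REGISTRY,
# 4 = UNPACKED (developer mode "Load unpacked").
LOCATION_NAMES = {1: "internal", 2: "external_pref", 3: "external_registry", 4: "unpacked"}
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}


def find_sideloaded_extensions(prefs: dict) -> list[dict]:
    """Return one finding per extension that did not come through the Web Store."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        from_store = bool(entry.get("from_webstore", False))
        location = entry.get("location")
        if from_store and location == 1:
            continue  # ordinary Web Store install; nothing to report
        perms = set(manifest.get("permissions", []))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "<unknown>"),
            "location": LOCATION_NAMES.get(location, f"other({location})"),
            "enabled": entry.get("state") == 1,  # assumed: 1 = ENABLED
            "clipboard_access": sorted(perms & CLIPBOARD_PERMS),
        })
    return findings


def load_preferences(path: str) -> dict:
    """Load a profile's Preferences file (e.g. <profile dir>/Preferences)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample: one Web Store extension and one unpacked "Google Notes".
SAMPLE_PREFS = json.loads("""{
  "extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": true, "location": 1, "state": 1,
      "manifest": {"name": "Legit Password Manager", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": false, "location": 4, "state": 1,
      "manifest": {"name": "Google Notes",
                   "permissions": ["clipboardRead", "clipboardWrite", "storage"]}}
  }}
}""")

if __name__ == "__main__":
    for finding in find_sideloaded_extensions(SAMPLE_PREFS):
        print(finding)
```

Run it against a real profile with `find_sideloaded_extensions(load_preferences(path))`; on managed browsers, also check `Secure Preferences`, since Chromium stores the same settings there with an integrity MAC.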
