Mandiant reported a stealthy intrusion technique that used modified Windows .lnk shortcut files to launch legitimate Chromium-based browsers with a malicious extension loaded through the --load-extension switch. The approach allowed threat actors to maintain persistence while hiding activity behind normal browser execution, enabling theft of credentials, email data, and cryptocurrency-related information. Mandiant linked the method to multiple financially motivated intrusions in 2023 affecting organizations in the semiconductor, business marketing, financial investment, and telecom sectors.
In one investigated campaign, a lure posing as TradingView Desktop delivered the BRAINFOG dropper, which installed the RILIDE browser extension, replaced Chrome shortcuts, and monitored access to services including Coinbase, Binance, Gmail, Outlook, Yahoo Mail, Bybit, and OKX. Mandiant also identified BRAINLINK as another dropper used to deliver RILIDE through a GitHub-hosted sample, and said infrastructure overlap tied the activity to the RILIDE command-and-control domain ashgrrwt[.]click and registrant organization Kruglova LTD.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Mandiant publicly documented the intrusion methodology in which modified Windows shortcut files launch legitimate Chromium-based browsers with the --load-extension switch to invisibly load malicious extensions such as RILIDE.
Mandiant identified BRAINLINK as another dropper associated with delivering RILIDE, including a GitHub-hosted sample, and noted infrastructure overlap involving the RILIDE C2 domain ashgrrwt[.]click and registrant organization Kruglova LTD.
In one investigated intrusion chain in 2023, a lure masquerading as TradingView Desktop delivered the BRAINFOG dropper, which installed the RILIDE browser extension, replaced Chrome shortcuts, and monitored services including Coinbase, Binance, Gmail, Outlook, Yahoo Mail, Bybit, and OKX.
During 2023, multiple intrusions targeted organizations in the semiconductor, business marketing, financial investment, and telecom sectors using tampered Windows LNK shortcut files to launch Chromium-based browsers with malicious extensions for stealthy persistence and theft.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
1 reference tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.