Researchers uncovered multiple browser-extension campaigns that abused clipboard access to steal sensitive data and cryptocurrency. Socket found that Chrome and Firefox extensions branded as VPN Go: Free VPN initially behaved like legitimate proxy tools before later updates added clipboard monitoring, data chunking, session tagging, and HTTP exfiltration to hardcoded attacker-controlled IP addresses. The Chrome extension turned malicious in version 1.1, while the Firefox add-on first did so in version 1.3.3, indicating a staged update strategy designed to retain users while covert theft ran in parallel.
A separate campaign tracked as Silent Swap used unsigned installers to deploy a fake Google Notes Chromium extension that replaced copied wallet addresses with attacker-controlled ones, enabling cryptocurrency theft across multiple coins. McAfee said the malware modified Chromium preference files and recalculated integrity values to avoid detection, while using EtherHiding and blockchain-based dead-drop resolution to fetch command-and-control details; the activity also overlaps with CountLoader, suggesting a shared operator. Google and Mozilla were notified about the malicious VPN-themed extensions, and users who copied passwords, wallet addresses, or other secrets while the add-ons were installed are advised to treat that data as compromised.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
McAfee said Silent Swap overlaps with earlier CountLoader activity, suggesting the same threat actor, and noted the campaign uses EtherHiding for blockchain-based dead drop resolution of command-and-control details.
McAfee described an active campaign dubbed Silent Swap that uses unsigned installers to deploy a malicious Chromium extension disguised as "Google Notes" to replace copied cryptocurrency wallet addresses with attacker-controlled ones.
Socket said it reported the malicious VPN Go Chrome and Firefox extensions to Google and Mozilla for review and removal after identifying clipboard-stealing and exfiltration behavior.
Socket reported that the Firefox add-on branded as "VPN Go: Free VPN" first became malicious in version 1.3.3, adding clipboard theft capabilities while retaining visible VPN functionality as cover.
Socket found that the Chrome extension branded as "VPN Go: Free VPN" shifted from proxy behavior to malicious behavior when version 1.1 introduced clipboard monitoring and exfiltration logic.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.