Researchers reported an active Silent Swap campaign that distributes a fake "Google Notes" browser extension to steal cryptocurrency by replacing copied wallet addresses with attacker-controlled ones during transactions. The operation uses unsigned .NET and Golang installers to silently sideload the malicious extension into Chromium-based browsers including Chrome, Edge, Brave, and Opera, where it monitors clipboard activity and browser input for wallet strings across multiple blockchains and swaps them in real time.
The malware reportedly abuses Chromium trust mechanisms by altering Secure Preferences and related settings files, recalculating integrity values so the extension appears legitimately installed without user approval. Researchers said the campaign also uses EtherHiding-style blockchain-based command-and-control, querying a smart contract through public RPC infrastructure to resolve active C2 domains such as devops-offensive[.]cc and Zebregts[.]com, complicating detection and takedown. The activity has been linked to the CountLoader threat actor, with infections observed globally and a heavier concentration in India, while dynamic per-victim wallet mapping and published hashes, domains, payload URLs, and Bitcoin wallet indicators suggest a broad effort to monetize consumer cryptocurrency transactions.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
Gurucul published threat research on the Silent Swap campaign, describing a fake Google Notes browser extension that steals cryptocurrency by replacing wallet addresses and uses EtherHiding to retrieve command-and-control infrastructure from the blockchain. The report linked the activity to CountLoader and provided domains, a payload URL, SHA-256 hashes, and Bitcoin wallet addresses for detection and response.
McAfee reported an active campaign using unsigned .NET and Golang installers to sideload a malicious Chromium extension disguised as "Google Notes" that swaps copied cryptocurrency wallet addresses with attacker-controlled ones. The report also described abuse of Chromium trust mechanisms, blockchain-based C2 resolution, global infections with higher concentration in India, and links to CountLoader-related activity.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcehackread.com
Open sourcecommunity.gurucul.com
Open sourcemcafee.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.