Malicious campaign targets users with fake VPN extensions

Researchers from ReasonLabs uncovered a large-scale malware campaign targeting users through a trojan installer hidden in thousands of torrent files. The installer, often disguised as popular video games such as Grand Theft Auto (GTA) and Assassin's Creed, forcibly installs malicious web extensions for Google Chrome and Edge.

The malicious installers identified by ReasonLabs primarily deliver one of three harmful web extensions for Google Chrome and Edge, all posing as Virtual Private Networks (VPNs). Google has since removed the malicious extensions from the Chrome Web Store, but by that time the offending extensions (netPlus, netSave, and netWin) had together accumulated nearly 1.5 million installs.

The trojan installer, often presented as setup.exe and labeled “by Igruha,” is commonly distributed through torrent downloads claiming to be popular video games, including Assassin's Creed, GTA, The Sims 4, and Heroes 3.

Researchers have identified over 1,000 torrent files delivering the same setup file, all carrying the common signer name “SPICE & WOK LIMITED.” These installer files range from 60MB to over 100MB in size. The installer uses a sophisticated method: it modifies browser files via the registry key “SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings” to install the malicious web extensions without the user's knowledge or consent.
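Because the installer plants its extensions by writing to the PreferenceMACs registry key, a defender can inventory that key directly. The PowerShell below is an added example (not code from the article or from ReasonLabs) that lists every extension ID recorded under the PreferenceMACs key for each Chrome profile of the current user and flags any ID not on an allowlist; the Edge key path and the allowlist contents are assumptions to adapt to your environment.

```powershell
# Added example: inventory extension IDs recorded under the browser's
# PreferenceMACs registry key so a forced, unexpected install stands out.
# Chrome stores one subkey per profile (Default, Profile 1, ...) and, under
# extensions.settings, one value per extension ID whose data is the HMAC.
$registryRoots = @(
    'HKCU:\SOFTWARE\Google\Chrome\PreferenceMACs',
    'HKCU:\SOFTWARE\Microsoft\Edge\PreferenceMACs'   # assumption: Edge mirrors Chrome's layout
)

function Get-PreferenceMacExtensions {
    param(
        [string[]]$Roots,
        # Constructed allowlist placeholder: replace with the 32-character
        # extension IDs your organisation actually approves.
        [string[]]$Allowed = @('PLACEHOLDER_APPROVED_EXTENSION_ID')
    )
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        $browser = if ($root -like '*Chrome*') { 'Chrome' } else { 'Edge' }
        foreach ($browserProfile in Get-ChildItem -Path $root) {
            $settingsKey = $browserProfile.PSPath + '\extensions.settings'
            if (-not (Test-Path -Path $settingsKey)) { continue }
            $key = Get-Item -Path $settingsKey
            foreach ($extensionId in $key.GetValueNames()) {
                [pscustomobject]@{
                    Browser   = $browser
                    Profile   = $browserProfile.PSChildName
                    Extension = $extensionId
                    Mac       = $key.GetValue($extensionId)
                    Allowed   = ($Allowed -contains $extensionId)
                }
            }
        }
    }
}

# Report every recorded extension that is not on the allowlist.
Get-PreferenceMacExtensions -Roots $registryRoots |
    Where-Object { -not $_.Allowed } |
    Format-Table Browser, Profile, Extension, Mac -AutoSize
```

Run it under each user account on the host (the key lives in HKCU), and compare the flagged IDs against what chrome://extensions shows; an ID present in the registry but unknown to the user is worth investigating.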

The three extensions ship with a massive JavaScript codebase of over 20,000 lines. Although the full extent of the code's activities remains unclear, researchers have confirmed that these extensions are not just fake VPNs but also carry out cashback activity hacks. To ensure success, the extensions disable other cashback extensions on infected browsers while presenting a genuine-looking VPN user interface with limited functionality to maintain a facade of legitimacy.

All three extensions are in Russian, suggesting that they are aimed at Russian-speaking users. ReasonLabs said it identified thousands of infected users across Russia, Ukraine, Kazakhstan, Moldova, and other countries with significant Russian-speaking populations.
