Security researchers at Varonis have uncovered a new malware-as-a-service (MaaS) operation dubbed “Stanley,” which involves malicious Chrome extensions capable of passing Google’s review process and being published on the Chrome Web Store.
Stanley is marketed as an easy-to-use phishing platform that works by hijacking user navigation and overlaying a full-screen iframe containing attacker-controlled content. At the same time, the browser’s address bar remains unchanged, continuing to display a legitimate domain. The seller also advertises silent auto-installation on Chrome, Edge, and Brave browsers, along with support for custom modifications.
According to Varonis, operators using Stanley’s control panel can toggle hijacking rules on demand, push browser notifications to direct victims to specific pages, and perform IP-based victim identification for geographic targeting and session correlation. The extension polls its command-and-control (C&C) infrastructure every 10 seconds and includes backup domain rotation to withstand takedowns.
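The behaviours described above (injecting content into every site, pushing browser notifications, and a background timer for periodic C&C polling) all require declared manifest capabilities, which is what an allowlist reviewer can check. The following triage heuristic is an added example written for this article, not Varonis's tooling or code from the Stanley kit; the weights and the two sample manifests are constructed assumptions for illustration.

```python
import json

# Manifest capabilities that the overlay-hijack profile described above needs:
# content injection on every site, notifications, and timers for periodic C&C polling.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE = {"notifications": 2, "webNavigation": 2, "tabs": 1, "alarms": 1, "scripting": 2}

def triage_manifest(manifest: dict) -> dict:
    """Heuristic triage of one Chrome extension manifest (MV2 or MV3).
    Returns {finding_name: weight}; an empty dict means nothing noteworthy."""
    findings = {}
    perms = set(manifest.get("permissions", []))
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    hosts = perms | set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        findings["broad_host_access"] = 2
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings["content_script_on_all_sites"] = 3
            if cs.get("all_frames"):
                findings["injects_into_all_frames"] = 1
    for name, weight in SENSITIVE.items():
        if name in perms:
            findings["perm_" + name] = weight
    # The combination an overlay phisher relies on: inject everywhere and steer users via notifications.
    if "content_script_on_all_sites" in findings and "perm_notifications" in findings:
        findings["overlay_plus_notifications"] = 3
    return findings

def risk_score(manifest: dict) -> int:
    """Sum of finding weights; arbitrary scale, higher means review more closely."""
    return sum(triage_manifest(manifest).values())

def triage_json(text: str) -> int:
    """Convenience wrapper for a raw manifest.json body."""
    return risk_score(json.loads(text))

# Constructed sample manifests (not real extensions).
SINGLE_SITE_TOOL = {
    "manifest_version": 3, "name": "Example Site Helper",
    "permissions": ["storage"],
    "host_permissions": ["https://app.example.com/*"],
    "content_scripts": [{"matches": ["https://app.example.com/*"], "js": ["helper.js"]}],
}
OVERLAY_PROFILE = {
    "manifest_version": 3, "name": "Example Overlay",
    "permissions": ["notifications", "alarms", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"], "all_frames": True}],
}

if __name__ == "__main__":
    for m in (SINGLE_SITE_TOOL, OVERLAY_PROFILE):
        print(m["name"], risk_score(m), triage_manifest(m))
```

A legitimate extension can also score high, so the output is a queue for manual review, not a verdict.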
Varonis notes that Stanley lacks technical sophistication and relies on well-known techniques; its distribution model, however, is more interesting. The code is reportedly rough, with Russian comments, inconsistent error handling, and empty catch blocks. The pricing is tiered from $2,000 to $6,000, with the top tier bundling customization, the management panel, and a guarantee of Chrome Web Store publication.
“BYOD policies, SaaS-first environments, and remote work have made the browser the new endpoint. Attackers have noticed. Malicious browser extensions are now a primary attack vector, as we've seen with DarkSpectre, ChatGPT theft, and CrashFix,” Varonis noted in its report. “The deeper problem is architectural. Browser extension marketplaces use a review-once, update-anytime model, so extensions can pass review as legitimate tools and push malicious updates later. Until that changes, these toolkits will keep slipping through.”