A dangerous new malware toolkit is being sold on Russian cybercrime forums that can redirect victims to fake websites while keeping the real domain name visible in their browser’s address bar.
The toolkit, called Stanley, costs between $2,000 and $6,000 and comes with a guarantee that it will pass Google’s Chrome Web Store review process. This threat shows how browser security has become a critical vulnerability in modern cybersecurity.
When victims navigate to targeted sites like Binance or Coinbase, the extension overlays a fake version of the website on top of the real one using a hidden iframe, essentially a webpage within a webpage.
The attacker’s phishing page appears on screen while the legitimate domain name remains visible in the address bar, creating a convincing illusion that tricks users into entering their login credentials.
Stanley operates as a fake Chrome extension disguised as “Notely,” a simple note-taking app. Once installed, the extension gains permission to monitor and control every website a user visits.
The toolkit includes a web-based control panel where attackers can see all infected users, their IP addresses, and browsing history.
Operators can activate specific hijacking rules on demand, targeting individual users with precision. They can also send fake Chrome notifications that appear to come from the browser itself, adding another layer of deception.
How It Reached Users
The most alarming aspect of Stanley is that it was designed to pass Google’s review process and gain legitimacy.
Stanley first appeared on January 12, 2026, promoted under a listing that explicitly claims the extension “passes Google Store moderation.”
The seller explicitly advertised this capability, and the extension was listed on the official Chrome Web Store under the “Notely” name.
By offering legitimate note-taking functionality, the extension accumulated positive reviews before attackers could activate malicious features.
This “review once, update anytime” model of app stores allows developers to push malicious updates to thousands of users after initial approval.
The browser’s URL bar displays binance.com while the victim sees and interacts with attacker-controlled content.

On January 21, 2026, security researchers reported Stanley to Google and the hosting provider. The command-and-control server went offline the next day, but the malicious extension remained live on the Chrome Web Store for additional victims.
Technical Details
The toolkit itself uses relatively simple techniques. The extension checks in with its control server every 10 seconds, waiting for hijacking instructions.
The demonstration shows a generic “new bookmark available” message, but operators can write whatever they want and pair it with any redirect URL.

It uses victims’ IP addresses as unique identifiers, enabling attackers to target people geographically or correlate users across multiple browsers.
The code includes Russian-language comments and fallback domains, allowing the malware to maintain contact even if its primary server is shut down.
This toolkit represents a fundamental shift in browser-based attacks. Over the past two months, the security community has documented DarkSpectre (affecting 8.8 million users), fake AI extensions stealing ChatGPT conversations, and CrashFix malware.
These aren’t isolated incidents; they demonstrate that browser extensions have become a primary attack vector.
For organizations, the best defense is strict extension allowlisting through Chrome Enterprise or Edge for Business, blocking everything except explicitly approved tools.
For individual users, the advice is simpler: audit your extensions regularly and remove anything you don’t actively use. Extensions requesting access to “all websites” or “browsing history” should raise red flags.
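A practical way to act on both pieces of advice above is to audit the manifests of installed extensions for all-site host access and sensitive API permissions, and to compare the installed extension ids against an approved list. The script below is an added example written for this article, not code from the article or from any extension it names; the sample manifests, extension ids and allowlist are constructed for illustration, and the directory layout it reads is Chrome's profile folder (`<profile>/Extensions/<extension id>/<version>/manifest.json`).

```python
"""Audit installed Chrome extensions for the broad permissions the article warns about.

Added example, not part of the article. The sample manifests and the allowlist
below are constructed for illustration; the directory layout matches Chrome's
profile folder (<profile>/Extensions/<extension id>/<version>/manifest.json).
"""
import json
from pathlib import Path

# Host match patterns that hand an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that are harmless alone but dangerous next to all-site access:
# history/tabs expose browsing activity, scripting/webRequest allow page tampering,
# notifications enables the fake "browser" notifications described in the article.
SENSITIVE_PERMISSIONS = {
    "history", "tabs", "webRequest", "webNavigation", "scripting", "notifications", "cookies",
}


def audit_manifest(manifest: dict) -> list:
    """Return human-readable findings for a single manifest (MV2 or MV3)."""
    findings = []
    hosts = set(manifest.get("host_permissions", []))            # MV3 host access
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))                   # injected page scripts
    permissions = set(manifest.get("permissions", []))
    hosts.update(p for p in permissions if p in BROAD_HOST_PATTERNS)  # MV2 listed hosts here
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings.append("all-websites access: " + ", ".join(broad))
    sensitive = sorted(permissions & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("sensitive API permissions: " + ", ".join(sensitive))
    return findings


def audit_extensions(manifests: dict, allowlist: set) -> dict:
    """Audit a mapping of extension id -> manifest; only extensions with findings are returned."""
    report = {}
    for ext_id, manifest in manifests.items():
        findings = audit_manifest(manifest)
        if ext_id not in allowlist:
            findings.insert(0, "not on the approved allowlist")
        if findings:
            report[ext_id] = findings
    return report


def load_profile_extensions(profile_dir: Path) -> dict:
    """Read every manifest.json under <profile>/Extensions/<id>/<version>/."""
    manifests = {}
    for path in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        manifests[ext_id] = json.loads(path.read_text(encoding="utf-8"))
    return manifests


# Constructed samples: a note-taking extension that asks for far more than it needs,
# and a minimal one that only stores its own settings. The ids are placeholders.
OVERREACHING_NOTES_APP = {
    "manifest_version": 3,
    "name": "Example Notes",
    "permissions": ["storage", "tabs", "history", "notifications", "scripting"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
MINIMAL_APP = {
    "manifest_version": 3,
    "name": "Example Password Manager",
    "permissions": ["storage"],
}
SAMPLE_MANIFESTS = {"aaaa-placeholder-id": OVERREACHING_NOTES_APP, "bbbb-placeholder-id": MINIMAL_APP}
APPROVED_IDS = {"bbbb-placeholder-id"}

if __name__ == "__main__":
    # Swap SAMPLE_MANIFESTS for load_profile_extensions(Path.home() / ".config/google-chrome/Default")
    # to audit a real Linux profile.
    for ext_id, findings in audit_extensions(SAMPLE_MANIFESTS, APPROVED_IDS).items():
        print(ext_id)
        for finding in findings:
            print("  -", finding)
```

The audit treats a broad host pattern and a sensitive API permission as separate findings on purpose: a note-taking app that asks for `<all_urls>` is suspicious on its own, and the combination with `history`, `tabs` or `notifications` is exactly the profile that lets an extension watch every site and show fake browser messages.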
Until app store review processes evolve beyond the current model, malicious extensions will continue bypassing security checks and reaching millions of users.
Indicators of compromise
| Type | Value |
|---|---|
| C2 Domain | api.notely.fun |
| C2 Login Panel | notely.fun/login |
| API Endpoint | http://api.notely.fun/api |
| IP Address | 72.61.83.67 |
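The indicators in the table, together with the 10-second check-in interval described under Technical Details, can be turned into two detections over web proxy logs: a direct match on the listed domains and IP, and a periodicity check that flags any client polling one host at a fixed interval even if the domain were to change. The script below is an added example written for this article, not the article's or any vendor's code; the indicator values are taken from the table above, while the log format and the log lines are constructed for the example.

```python
"""Match proxy logs against the Stanley IoCs and flag the 10-second check-in pattern.

Added example, not from the article. The IoC values come from the article's table;
the log format and the log lines are constructed for the example.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

IOC_DOMAINS = {"notely.fun", "api.notely.fun"}   # from the article's IoC table
IOC_IPS = {"72.61.83.67"}                        # from the article's IoC table

# Constructed log format: "<ISO timestamp> <client ip> <method> <url> <server ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<dst>\S+)$"
)

# Constructed sample: one client polls the C2 API every 10 seconds between normal browsing;
# a second client only visits unrelated sites. Non-IoC addresses use documentation ranges.
SAMPLE_LOG = """\
2026-01-20T09:00:00 10.0.0.5 GET http://api.notely.fun/api 72.61.83.67
2026-01-20T09:00:03 10.0.0.7 GET https://www.example.com/ 192.0.2.10
2026-01-20T09:00:10 10.0.0.5 GET http://api.notely.fun/api 72.61.83.67
2026-01-20T09:00:20 10.0.0.5 GET http://api.notely.fun/api 72.61.83.67
2026-01-20T09:00:25 10.0.0.5 GET https://www.binance.com/ 203.0.113.10
2026-01-20T09:00:30 10.0.0.5 GET http://api.notely.fun/api 72.61.83.67
2026-01-20T09:00:40 10.0.0.5 GET http://api.notely.fun/api 72.61.83.67
2026-01-20T09:00:50 10.0.0.5 GET http://api.notely.fun/api 72.61.83.67
2026-01-20T09:01:12 10.0.0.7 GET https://www.example.com/news 192.0.2.10
"""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["host"] = urlparse(event["url"]).hostname or ""
    return event


def ioc_hits(lines) -> list:
    """Return (client, matched indicator) for every request to a listed domain or server IP."""
    hits = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        host = event["host"]
        if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append((event["src"], host))
        elif event["dst"] in IOC_IPS:
            hits.append((event["src"], event["dst"]))
    return hits


def beacon_candidates(lines, expected_interval=10.0, tolerance=1.0, min_requests=5) -> dict:
    """Find (client, host) pairs polled at a near-constant interval, independent of any IoC list.

    A pair qualifies when it has at least min_requests events, the median gap between
    consecutive requests is within tolerance of expected_interval, and the gaps barely vary.
    """
    timestamps = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event is not None:
            timestamps[(event["src"], event["host"])].append(event["ts"])
    candidates = {}
    for key, stamps in timestamps.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        jitter = statistics.pstdev(gaps)
        if abs(median_gap - expected_interval) <= tolerance and jitter <= tolerance:
            candidates[key] = median_gap
    return candidates


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, indicator in ioc_hits(lines):
        print(f"IoC match: {client} -> {indicator}")
    for (client, host), interval in beacon_candidates(lines).items():
        print(f"fixed-interval polling: {client} -> {host} every {interval:.0f}s")
```

The IoC match catches the known infrastructure; the interval check is the more durable of the two, because a fallback domain (which the article notes the code carries) changes the hostname but not the 10-second rhythm. Tune `min_requests` and `tolerance` against your own proxy volume, since legitimate software also polls at fixed intervals and will need allowlisting.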
