A technically sophisticated campaign is delivering a malicious Chromium extension that silently swaps cryptocurrency wallet addresses during transactions.
Delivered via unsigned installers, observed in both .NET and Golang variants, the payload masquerades as a minimalist “Google Notes” browser extension.
Once deployed, the extension acts as a clipboard-aware crypto clipper: it monitors copy-and-paste activity, recognizes wallet addresses across multiple blockchains, and replaces victims’ addresses with attacker-controlled ones just before paste, producing irreversible financial loss.
First, the installers perform Chromium trust-layer abuse. Rather than using the official extension stores, the installer locates user profiles across Chrome, Edge, Brave and other Chromium forks, force-terminates browser processes, and directly modifies Secure Preferences and Preferences files to register the extension.
To defeat integrity checks the malware recalculates and writes back MAC/HMAC-like verification fields (super_mac/mac) by deriving values from system-specific identifiers (for example the machine SID) and a seed.
On outdated Chromium builds this allows the extension to load silently; on updated browsers the actor relies on social engineering or programmatic enabling of developer/unpacked-extension mode to persist. The installer then self-deletes, leaving minimal on-disk indicators.
Second, the extension leverages blockchain-resolved command-and-control (C2). Instead of a hardcoded domain, the extension queries a public blockchain RPC endpoint and invokes a read-only smart-contract method.
The contract returns an encoded string which the extension decodes at runtime to reveal the active backend domain (examples observed include devops-offensive[.]cc and Zebregts[.]com).
This “EtherHiding” approach lets operators rotate infrastructure by updating an on-chain value, complicating takedown and network detection because the malware carries no static C2 indicator.

Malicious Google Notes Extension

McAfee has identified an active browser-extension campaign designed to steal cryptocurrency by silently substituting wallet addresses.
Technically, the extension grants itself excessive permissions (access to all URLs, browsing history, and clipboard read/write) and splits its malicious logic between content scripts and background service workers.
Content scripts monitor copy events and apply cryptocurrency-specific regular expressions to detect addresses for Bitcoin, Ethereum, Bitcoin Cash, Ripple, Dash and Solana.
Upon match, the extension sends the intercepted address to the attacker backend authenticated with an embedded API key; the backend returns a replacement address which is written to the clipboard.
McAfee’s reconstructed backend reveals a deterministic one-to-one mapping for many chains (BTC, ETH, BCH, XRP, DASH), while Solana submissions collapse to a single static drop address, an implementation choice visible in on-chain balances.
Operational telemetry shows a globally distributed footprint with a significant concentration in India, suggesting opportunistic targeting of crypto users rather than a narrow regional campaign.
An RPC URL pointing to a public blockchain node is leveraged to dynamically resolve backend server information, allowing the attacker to hide critical infrastructure behind decentralized systems.
The installer embeds configuration JSON (API keys, extension manifest, targeted wallets, RPC endpoints) inside the binary and downloads a zipped extension payload (google-services[.]cc/base[.]zip), ensuring staged deployment without external initial configuration fetches.
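The clipboard logic described above, turned around for detection: an added example (not the extension's crypto-patterns.js and not McAfee's code) that recognises addresses for the six chains named and flags a paste that is a different address of the same chain as the most recent copy, which is exactly the footprint a clipper leaves. The regexes are loose, constructed approximations of each chain's address format, and the clipboard events are constructed.

```python
"""Recognise wallet addresses by chain and flag a copy/paste substitution (added example)."""
import re
from typing import Optional

# Checked in this order: SOL's generic base58 pattern would also match most of the others.
ADDRESS_PATTERNS = [
    ("BTC", re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})$")),
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("BCH", re.compile(r"^(?:bitcoincash:)?[qp][a-z0-9]{41}$")),
    ("XRP", re.compile(r"^r[1-9A-HJ-NP-Za-km-z]{24,34}$")),
    ("DASH", re.compile(r"^X[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("SOL", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

def classify_address(text: str) -> Optional[str]:
    """Return the chain whose pattern matches, or None for non-address text."""
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(text):
            return chain
    return None

def detect_swap(copied: str, pasted: str) -> Optional[dict]:
    """A clipper keeps the chain and changes the address: flag exactly that, nothing else."""
    copied, pasted = copied.strip(), pasted.strip()
    chain = classify_address(copied)
    if chain is None or copied == pasted or classify_address(pasted) != chain:
        return None
    # The first and last six characters are what a user is told to verify by eye.
    return {"chain": chain, "expected": copied, "observed": pasted,
            "ends_differ": copied[:6] != pasted[:6] or copied[-6:] != pasted[-6:]}

def scan_clipboard_events(events: list) -> list:
    """Replay (action, text) pairs, pairing each paste with the most recent copy."""
    findings, last_copy = [], None
    for action, text in events:
        if action == "copy":
            last_copy = text
        elif action == "paste" and last_copy is not None:
            hit = detect_swap(last_copy, text)
            if hit:
                findings.append(hit)
    return findings

# Constructed events: one clean round trip, one substitution, one non-address paste.
SAMPLE_EVENTS = [
    ("copy", "0x" + "1" * 40), ("paste", "0x" + "1" * 40),
    ("copy", "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"), ("paste", "3Ab1cD2eF3gH4jK5mN6pQ7rS8tU9vW1xYz"),
    ("copy", "meeting notes"), ("paste", "meeting notes"),
]

if __name__ == "__main__":
    for hit in scan_clipboard_events(SAMPLE_EVENTS):
        print(f"{hit['chain']} address swapped: {hit['expected']} -> {hit['observed']}")
```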

Detection and mitigation require layered controls. Consumers should install extensions only from official stores, inspect unusual permissions (notes apps don’t need clipboard or all-URL access), verify the first and last six characters of recipient addresses on a separate device before sending funds, and avoid running unsigned installers from untrusted sources.
Endpoint and network protections that flag malicious download behavior and block known C2 domains are effective; McAfee detects this threat as CryptoStealer.NE, blocks the installer’s download behavior, and prevents connections to resolved infrastructure.
For defenders, focus on monitoring tampering of Chromium Secure Preferences files, unusual recreation of browser MAC values, and anomalous RPC calls to public blockchain nodes that resolve opaque contract values, the indicators tied to EtherHiding-style C2 resolution.
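One way to act on the Secure Preferences tampering indicators above: an added example (not McAfee's or the campaign's code) that reads a Chromium Secure Preferences file and flags extensions that are not from the Web Store, are loaded unpacked, or hold the clipboard, history and all-URL permissions a notes app does not need. It assumes the extensions.settings layout shown, that location 4 denotes an unpacked extension, and the sample file is constructed.

```python
"""Audit a Chromium 'Secure Preferences' file for sideloaded, over-privileged extensions (added example)."""
import json
from typing import Any

# Capabilities a notes extension has no reason to hold.
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history", "webRequest", "tabs"}
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
UNPACKED_LOCATION = 4  # assumption: UNPACKED in Chromium's Manifest::Location enum

def audit_secure_preferences(raw_json: str) -> list:
    """One finding per extension that is not from the Web Store, is unpacked, or requests
    clipboard/history/all-URL access. A valid super_mac proves nothing here: the installer
    recomputes it after editing the file, so trust the content, not the checksum."""
    settings = json.loads(raw_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Web Store")
        if entry.get("location") == UNPACKED_LOCATION:
            reasons.append("loaded as an unpacked extension")
        risky = sorted(perms & (RISKY_PERMISSIONS | ALL_URL_PATTERNS))
        if risky:
            reasons.append("requests " + ", ".join(risky))
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings

# Constructed sample: one Web Store extension with benign permissions and one sideloaded
# "Google Notes" entry shaped like the one described in the article.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {"settings": {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "from_webstore": True, "location": 1, "state": 1,
            "manifest": {"name": "Dictionary Lookup", "permissions": ["storage"]}},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "from_webstore": False, "location": 4, "state": 1,
            "manifest": {"name": "Google Notes",
                         "permissions": ["clipboardRead", "clipboardWrite", "history"],
                         "host_permissions": ["<all_urls>"]}}}},
    "protection": {"super_mac": "PLACEHOLDER_RECOMPUTED_BY_INSTALLER"},
})

if __name__ == "__main__":
    for f in audit_secure_preferences(SAMPLE_SECURE_PREFS):
        print(f["id"], f["name"], "; ".join(f["reasons"]))
```

Point it at each profile's Secure Preferences file across Chrome, Edge, Brave and Opera, since the installer registers the extension in every profile it finds.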
Indicators of Compromise (IOC)
| Type | Category | Value |
| --- | --- | --- |
| URL | Payload distribution | hxxps://google-services[.]cc/base[.]zip |
| Domain | Command-and-Control (resolved via smart contract) | devops-offensive[.]cc, Zebregts[.]com |
| Artifact | Sideload target | Chromium Secure Preferences file (Chrome, Edge, Brave, Opera profiles) |
| Extension files | Sideloaded extension components | manifest.json, crypto-patterns.js, Interceptor.js, content-script.j, cache.js, domain-resolver.js, service-worker.js, api-client.js |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.