Browser attacks have become far more dangerous and organized than before. A new threat called Stanley, discovered in January 2026, shows just how serious the problem has become.
This malware-as-a-service toolkit, priced between $2,000 and $6,000, does something particularly deceptive: it displays fake websites to users while the URL bar keeps showing the legitimate address.
It’s designed to steal login credentials and financial information by tricking people into thinking they’re visiting real websites.
Stanley first appeared on January 12, 2026, on Russian-language cybercrime forums under the seller’s alias “Стэнли.”
What makes this toolkit especially concerning is that the seller promises guaranteed publication on the Chrome Web Store, meaning the malicious extension can be downloaded directly from Google’s official store.
The toolkit disguises itself as “Notely,” a notes and bookmarks application, giving it legitimate cover while performing website spoofing attacks.
.webp "New Malware Toolkit Sends Users to Malicious Websites While the URL Stays the Same 3")
Varonis researchers noted and identified the toolkit after analyzing its technical capabilities and distribution methods.
The security team discovered that Stanley functions through a web-based control panel where attackers select individual victims and configure website hijacking rules.
Once a target is chosen, operators set up a source URL (the legitimate site to hijack) and a target URL (the attacker’s phishing page).
.webp "New Malware Toolkit Sends Users to Malicious Websites While the URL Stays the Same 4")
The extension then intercepts when the victim visits the real website and overlays a full-screen iframe containing the fake version, all while the browser’s address bar displays the legitimate domain.
How Stanley Infects and Controls Victims
The infection mechanism relies on browser extension permissions that grant near-complete control over user browsing activity.
Once installed, Stanley’s code runs at the earliest possible moment during page loading, before any legitimate content appears.
The extension uses the victim’s IP address as a unique identifier, enabling attackers to target specific people and even correlate users across multiple browsers and devices.
Every ten seconds, the extension communicates with the attacker’s command and control server to receive updated hijacking instructions.
Stanley implements backup domain rotation to ensure survival even when authorities take down the primary server.
This means the extension automatically cycles through fallback domains to maintain operational control.
The toolkit has already compromised thousands of users, with the command and control panel displaying victim IP addresses, online status, and last activity timestamps.
Enterprises should consider strict extension allowlisting policies, while individual users need to reduce their installed extensions and scrutinize permission requests carefully.
The deeper problem remains that browser extension marketplaces approve extensions once and allow updates anytime, meaning malicious updates can slip through after initial review.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
