by moooooon
109 days ago
I found this because the malicious callback scripts left console.logs firing on every page — [superior-grabber] Initializing grabber... visible to anyone who had DevTools open. Full chain: Chrome extension (ShotBird) sold to new operators → callback-delivered JS → CSP stripping, form data capture, fake update lures → googleupdate.exe → psfx.msi → irm orangewater00.com|iex → second stage with ETW suppression + credential dumping. IOCs, raw callback scripts, and PE analysis in the repo.

Related campaign: https://annex.security/blog/pixel-perfect