Malware-as-a-Service 'Stanley' Guarantees Chrome Web Store Phishing Extensions

Security Reporter

A new malware service named 'Stanley' promises to bypass Google's security checks and publish malicious Chrome extensions that overlay phishing content on legitimate websites.

Security researchers at Varonis have uncovered a disturbing new malware-as-a-service (MaaS) operation dubbed Stanley, which explicitly guarantees that its malicious Chrome extensions will bypass Google's review process and appear on the official Chrome Web Store. This service enables attackers to deploy phishing campaigns that overlay legitimate websites with fraudulent content while leaving browser address bars untouched—a tactic that significantly increases deception success rates.

Stanley operates by injecting a full-screen iframe containing attacker-controlled content over existing web pages. As Varonis's technical analysis details, the malware intercepts browser navigation requests and renders phishing forms, fake login prompts, or scam notifications while the URL bar continues displaying the authentic domain. This technique exploits user trust in verified browser indicators.

Key Capabilities Revealed:

  • Silent Installation: Auto-deploys on Chrome, Edge, and Brave browsers without user interaction
  • Geo-Targeting: Identifies victims by IP address and customizes attacks by location
  • Web Panel Control: Operators enable/disable hijacking rules or push fake browser notifications
  • Resilience: Rotates backup command-and-control domains every 10 seconds to evade takedowns
  • Store Distribution: Highest-tier 'Luxe Plan' includes guaranteed Chrome Web Store publication support

Varonis notes Stanley's code contains Russian-language comments and exhibits inconsistent error handling, suggesting hurried development. However, its dangerous innovation lies in the distribution model—directly challenging Google's ability to filter malicious extensions. This follows recent reports from Symantec and LayerX showing similar extensions slipping through automated reviews.

Protection Strategies for Organizations & Users:

  1. Minimize Extensions: Only install essential add-ons from the Chrome Web Store
  2. Verify Publishers: Research developer histories and avoid obscure or newly created accounts
  3. Scrutinize Permissions: Reject extensions requesting excessive data access or 'read all site data'
  4. Monitor Network Traffic: Use endpoint security tools to detect unusual C2 communications
  5. Employee Training: Teach staff to recognize overlay attacks despite legitimate URLs
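
For the 'Scrutinize Permissions' step, the following added example (not from Varonis or the original article) audits an extension's manifest.json for all-sites access combined with navigation, injection or notification APIs. The watch list of API permissions and the sample manifests are assumptions constructed for illustration; the article does not say which permissions Stanley requests.

```python
import json

# Match patterns that grant access to every site ("read all site data").
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Assumed watch list: real Chrome API permissions that allow observing navigation,
# injecting script or showing notifications. Not taken from the Varonis report.
WATCHED_APIS = {"webNavigation", "tabs", "scripting", "webRequest", "notifications"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json."""
    findings = []
    # MV2 mixes hosts into "permissions"; MV3 splits them into "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for perm in (p for p in manifest.get(key, []) if isinstance(p, str)):
            if perm in BROAD_HOSTS:
                findings.append(f"broad-host:{key}:{perm}")
            elif perm in WATCHED_APIS:
                findings.append(f"api:{key}:{perm}")
    # Content scripts get page access through "matches" without a host permission.
    for i, cs in enumerate(manifest.get("content_scripts", [])):
        broad = sorted(BROAD_HOSTS.intersection(cs.get("matches", [])))
        if broad:
            findings.append(f"content-script:{i}:{broad[0]}")
    return findings


def risk_level(findings: list[str]) -> str:
    """Broad site access plus a watched API is the combination to reject or review."""
    broad = any(f.startswith(("broad-host", "content-script")) for f in findings)
    api = any(f.startswith("api") for f in findings)
    return "high" if broad and api else "medium" if broad or api else "low"


# Constructed sample manifests (not from any real extension).
SUSPICIOUS = json.loads("""{
  "manifest_version": 3, "name": "Sample Notes Helper",
  "permissions": ["storage", "webNavigation", "notifications"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["c.js"], "all_frames": true}]
}""")
NARROW = json.loads("""{
  "manifest_version": 3, "name": "Sample Single-Site Tool",
  "permissions": ["storage"], "host_permissions": ["https://example.com/*"]
}""")

if __name__ == "__main__":
    for m in (SUSPICIOUS, NARROW):
        print(m["name"], risk_level(audit_manifest(m)), audit_manifest(m))
```

Point `audit_manifest` at the manifest.json of each installed or requested extension and review anything rated "high" before allowing it.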

Google has not yet commented on Stanley's claims. Until platforms improve detection, users must assume trusted marketplaces harbor malicious extensions. As Varonis concludes: 'The real threat isn't novel code—it's the industrialization of distribution channels we assumed were secure.'
