Full Report
McAfee researchers are warning cryptocurrency users worldwide about a malicious browser extension that hides behind the name “Google Notes” while changing wallet addresses during transactions. In cybersecurity terms, this is clipper malware, more specifically a crypto clipper delivered through a malicious browser extension. Published on June 30, 2026, and shared with Hackread.com, the McAfee Advanced Threat…
Analysis Summary
# Tool/Technique: Fake “Google Notes” Crypto Clipper
## Overview
This threat involves a malicious browser extension masquerading as a legitimate productivity tool named “Google Notes.” Its primary purpose is to operate as a "clipper" malware, which intercepts the system clipboard to facilitate the theft of cryptocurrency by swapping the intended recipient's wallet address with one controlled by the attacker.
## Technical Details
- **Type:** Clipper Malware / Malicious Browser Extension
- **Platform:** Windows (via Chromium-based browsers: Google Chrome, Brave, and Microsoft Edge)
- **Capabilities:** Clipboard monitoring, string replacement (regex-based matching for crypto addresses), social engineering/impersonation.
- **First Seen:** June 30, 2026 (Date of McAfee report publication)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1189 - Drive-by Compromise] (Likely delivery via misleading download sites)
- **[TA0003 - Persistence]**
- [T1176 - Browser Extensions]
- **[TA0005 - Defense Evasion]**
- [T1036.004 - Masquerading: Rocket Software Name/Icon] (Using "Google Notes" branding)
- **[TA0009 - Collection]**
- [T1115 - Clipboard Data]
## Functionality
### Core Capabilities
- **Impersonation:** Uses the "Google Notes" name and a simple note-taking interface to appear legitimate and avoid user suspicion.
- **Clipboard Interception:** Monitors the system clipboard for activity whenever the user copies text.
- **Address Swapping:** Specifically identifies cryptocurrency wallet addresses (such as BTC or ETH) and replaces them in the clipboard buffer with an address belonging to the threat actor.
### Advanced Features
- **Cross-Browser Compatibility:** Delivered via unsigned installers designed to inject the extension into various Chromium-based environments including Chrome, Edge, and Brave.
- **Silent Operation:** The swapping occurs instantaneously, making it difficult for users to realize the destination address has changed unless they manually double-check the string before clicking "send."
## Indicators of Compromise
- **File Hashes:** [Specific hashes not provided in the summary article; refer to McAfee ATR report]
- **File Names:** Likely delivered via `unsigned_installer.exe` or similar names.
- **Extension Name:** Google Notes (Malicious ID variant)
- **Network Indicators:** [C2 domains would be listed here; typically uses static hardcoded addresses for wallet replacements]
- **Behavioral Indicators:**
- Modification of browser extension directories.
- Unexpected changes to clipboard content containing alphanumeric strings matching crypto-wallet lengths.
## Associated Threat Actors
- Unknown (Campaign currently attributed to generalized cybercriminal activity focused on financial gain).
## Detection Methods
- **Signature-based detection:** Antivirus solutions can detect the unsigned installers used to drop the extension.
- **Behavioral detection:** Monitoring for unauthorized modifications to browser extension folders (e.g., `%LocalAppData%\Google\Chrome\User Data\Default\Extensions`).
- **Manual Audit:** Checking browser extension lists for "Google Notes" and verifying the source (Google does not currently offer a standalone "Google Notes" extension; their service is branded as "Google Keep").
## Mitigation Strategies
- **Prevention measures:** Only install browser extensions from the official Chrome Web Store or Microsoft Edge Add-ons store.
- **Hardening recommendations:** Implement policies to block the installation of unsigned or side-loaded browser extensions via Group Policy (GPO).
- **Verification:** Always verify at least the first and last five characters of a cryptocurrency address after pasting it into a transaction field.
## Related Tools/Techniques
- **Laplas Clipper:** A sophisticated clipper variant that generates near-identical addresses.
- **MyKings/DarkCloud:** Botnets frequently known for deploying clipboard stealers.
- **Standard Clipper Malware:** General class of malware targeting the `OpenClipboard` and `SetClipboardData` APIs.