Full Report
Cybersecurity researchers have flagged an active browser extension campaign that is designed to steal cryptocurrency by stealthily replacing wallet addresses when unsuspecting users initiate a transaction. The cryptocurrency clipper activity has been codenamed Silent Swap by McAfee Labs. "The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that
Analysis Summary
# Tool/Technique: Silent Swap (Crypto Clipper)
## Overview
Silent Swap is a sophisticated malware campaign designed to steal cryptocurrency by intercepting the system clipboard. It utilizes a malicious Chromium browser extension, often masquerading as "Google Notes," to stealthily replace a user's intended cryptocurrency wallet address with one controlled by the attacker during a transaction.
## Technical Details
- **Type:** Malware Family (Cryptocurrency Clipper / Malicious Extension)
- **Platform:** Windows (Targeting Chromium-based browsers: Chrome, Edge, Brave, Vivaldi, Opera)
- **Capabilities:** Clipboard hijacking, browser preference manipulation, C2 communication via blockchain (EtherHiding), and dynamic wallet substitution.
- **First Seen:** Reported June 2026 (per article context).
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1204.002 - User Execution: Malicious File] (Unsigned .NET/Golang installers)
- **[TA0003 - Persistence]**
  - [T1176 - Browser Extensions]
  - [T1547 - Boot or Logon Autostart Execution]
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (Modifying Secure Preferences to bypass HMAC checks)
  - [T1070.004 - Indicator Removal: File Deletion] (Self-deleting installers)
- **[TA0011 - Command and Control]**
  - [T1102.001 - Web Service: Dead Drop Resolver] (EtherHiding technique via smart contracts)
## Functionality
### Core Capabilities
* **Clipboard Monitoring:** Scans the clipboard for string patterns matching Bitcoin (BTC), Ethereum (ETH), Bitcoin Cash, Ripple, and Dash addresses.
* **Wallet Swapping:** Intercepts the victim's copied address and replaces it with an attacker-controlled address to reroute funds.
* **Browser Tampering:** Scans for Chromium profiles and modifies `Secure Preferences` and `Preferences` files to forcibly load the extension and bypass security warnings.
### Advanced Features
* **EtherHiding:** Uses blockchain smart contracts as a dead drop resolver to retrieve active C2 server addresses, making the infrastructure resilient to domain takedowns.
* **HMAC Recalculation:** The malware programmatically recalculates security hash values for browser configuration files, tricking the browser into validating the unauthorized extension.
* **Dynamic Substitution:** Sends the victim's wallet address to a backend server to receive a specific "matched" attacker address, likely to avoid suspicion by maintaining similar address formats.
## Indicators of Compromise
* **File Names:** `BaseZipInstaller` (Unsigned .NET variant).
* **Behavioral Indicators:**
  * Unexpected termination of Chromium-based browser processes.
  * Unsigned .NET or Golang executables attempting to modify `%AppData%\Local\Google\Chrome\User Data\Default\Secure Preferences`.
  * Enabling of "Developer Mode" in browsers like Brave or Opera without user intervention.
* **Network Indicators (Defanged):**
  * Smart contract interactions on the Ethereum/Binance Smart Chain (EtherHiding).
  * C2 traffic to backend domains ending in `.top` or similar TLDs (specific domains not listed in snippet).
## Associated Threat Actors
* **CountLoader Operators:** Observed overlaps in infrastructure and delivery methods suggest a connection to the actors behind the CountLoader clipper campaigns.
## Detection Methods
* **Signature-based:** Monitoring for the "BaseZipInstaller" hash and common .NET/Golang clipper templates.
* **Behavioral:** Flagging any non-browser process that attempts to modify browser `Secure Preferences` or `Extension` folders.
* **Extension Auditing:** Scanning for unauthorized extensions named "Google Notes" that are not sourced from the official Chrome Web Store.
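The browser tampering described under Functionality and the extension auditing called for here can be checked offline by parsing a profile's `Secure Preferences` JSON. The script below is an added example, not code from the article or from McAfee Labs; it assumes the standard Chromium preference keys (`extensions.settings`, `from_webstore`, `location`, `extensions.ui.developer_mode`) and runs against a constructed sample document with placeholder extension IDs.

```python
import json
from typing import Any

# Constructed sample: a trimmed Chromium "Secure Preferences" document holding one
# Web Store extension and one side-loaded, unpacked extension named "Google Notes".
# The 32-character IDs are placeholders, not real indicators.
SAMPLE_SECURE_PREFS = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1, "state": 1,
                "manifest": {"name": "Example Store Extension", "version": "1.0"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\gnotes",
                "manifest": {"name": "Google Notes", "version": "2.1"},
            },
        },
    },
})

UNPACKED = 4  # Chromium ManifestLocation::kUnpacked (developer-loaded from disk)
SUSPICIOUS_NAMES = {"google notes"}  # lure name used by the Silent Swap extension


def audit_secure_prefs(text: str) -> list[dict[str, Any]]:
    """Return findings for developer mode and non-Web-Store / unpacked / lure-named extensions."""
    prefs = json.loads(text)
    ext = prefs.get("extensions", {})
    findings: list[dict[str, Any]] = []
    if ext.get("ui", {}).get("developer_mode"):
        findings.append({"kind": "developer_mode_enabled"})
    for ext_id, entry in ext.get("settings", {}).items():
        name = entry.get("manifest", {}).get("name", "")
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not_from_webstore")
        if entry.get("location") == UNPACKED:
            reasons.append("unpacked_location")
        if name.lower() in SUSPICIOUS_NAMES:
            reasons.append("known_lure_name")
        if reasons:
            findings.append({"kind": "extension", "id": ext_id, "name": name,
                             "path": entry.get("path"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_secure_prefs(SAMPLE_SECURE_PREFS):
        print(finding)
```

On a live host, run the same function over every profile's `Secure Preferences` and `Preferences` file, since some Chromium-based browsers keep extension settings in the latter.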
## Mitigation Strategies
* **App Control:** Prevent the execution of unsigned installers, particularly those written in .NET or Golang from untrusted sources.
* **Browser Hardening:** Use administrative templates (GPO) to restrict extension installation to a "Blocklist All/Allowlist Specific" policy.
* **Verification:** Encourage users to double-check the first and last four characters of a cryptocurrency address after pasting it and before confirming a transaction.
## Related Tools/Techniques
* **CountLoader:** A delivery mechanism for similar crypto-malware.
* **Rilide:** A known malware family that also specializes in malicious browser extensions for data theft.
* **ClipBanker:** General category of malware focused on clipboard manipulation.