7 Stealthy Chrome Extensions Caught Impersonating Ledger, Phantom, and Solana – How a Remote Kill-Switch Targets Crypto Wallets + Video

Listen to this Post

Featured Image

Introduction:

Unit 42 researchers recently uncovered a sophisticated campaign involving seven malicious Chrome extensions that dynamically impersonate legitimate cryptocurrency tools. These extensions use Unicode BIDI spoofing, dual‑identity interfaces, and remote kill‑switch mechanisms to drain digital assets directly from victims’ browsers. The attack chain combines browser‑side credential harvesting, fake wallet interfaces, and BSC drainer scripts, making it one of the most elaborate browser‑extension‑based threats targeting Web3 users today.

Learning Objectives:

  • Identify the technical indicators of compromise for dynamic Chrome extension impersonation attacks
  • Apply command‑line and scripting techniques to detect malicious extensions and kill‑switch domains
  • Implement browser hardening and API security controls to prevent similar cryptocurrency‑themed threats

You Should Know:

  1. Anatomy of the Malicious Chrome Extensions – Stealthy Persistence Through Dynamic Impersonation
    The post reveals that all seven extensions disguise themselves as productivity tools or crypto wallet helpers, but their real power lies in a dynamic runtime that loads malicious payloads on the fly. A background script (background.js) contains a hard‑coded C2 kill‑switch that can remotely deactivate the extension or activate the drainer. The extensions use Unicode BIDI spoofing to display names like “Ledger Live” with reversed characters, tricking users who quickly scan the Chrome toolbar. When a user installs the extension, it injects an iframe that mimics a legitimate crypto interface (e.g., Phantom wallet) and steals seed phrases or private keys.

Step‑by‑step detection on Windows (PowerShell) – check for suspicious extension folders:

Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Recurse -Include "background.js" | Select-String "killswitch" -Context 2,0

On Linux, inspect the manifest and background scripts:

grep -r "killswitch|bidi|iframe" ~/.config/google-chrome/Default/Extensions//
  1. Decoding the C2 Kill‑Switch – How Attackers Retain Remote Control
    The kill‑switch function in background.js listens for a command from a remote server. If the C2 sends a specific token, the extension can either erase itself, cease operations, or activate the drainer immediately. This allows the threat actor to evade analysis – they can kill the extension in all infected browsers the moment they suspect detection. The URL of the C2 is obfuscated, but researchers noted the use of a bit.ly redirect (https://bit.ly/4dbw8wC) linking to a control panel.

Use curl to retrieve the redirect chain and spot potential C2 domains:

curl -v -L https://bit.ly/4dbw8wC 2>&1 | grep -i "location:"

On Windows, use PowerShell to resolve the final destination:

(Invoke-WebRequest -Uri "https://bit.ly/4dbw8wC" -MaximumRedirection 0 -ErrorAction SilentlyContinue).Headers.Location
  1. Unicode BIDI Spoofing & Dual‑Identity Interfaces – Fooling Users Across Locales
    The OmniFlow Sidebar extension exemplifies dual‑identity: English‑speaking users see a dark‑themed productivity tool, while non‑English users are shown a “secure crypto wallet app” encouraging them to buy cryptocurrencies. This locale‑based decision is hard‑coded in the extension’s popup or background scripts, using navigator.language. Additionally, Unicode BIDI (bidirectional) override characters make “Ledger” appear as “Ledger” but in reversed script, masquerading as an official extension.

List all installed extensions and check names for BIDI override characters (U+202E, U+202D) on Linux:

jq -r '.[] | .name' ~/.config/google-chrome/Default/Extensions//manifest.json | grep -P '[\x{202E}\x{202D}]'

Windows equivalent (PowerShell with regex):

Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions\manifest.json" | ForEach-Object { (Get-Content $_.FullName | ConvertFrom-Json).name } | Select-String -Pattern "\u202E|\u202D"
  1. Fake Wallet Injection – From Solana Network Monitor to Phantom Phishing
    One of the most brazen extensions pretends to be a “Solana Network Monitor” but, when triggered, replaces its popup.html with a phantom.html file. This new page contains a fully functional fake Phantom wallet interface, complete with a “Recovery Phrase” form. The background.js script dynamically swaps the extension’s action popup using chrome.action.setPopup({popup: 'phantom.html'}). Victims enter their seed phrase, which is immediately exfiltrated.

To simulate detection, you can monitor extension manifest changes on Linux using inotify:

inotifywait -m -e modify ~/.config/google-chrome/Default/Extensions//manifest.json

On Windows, enable PowerShell FileSystemWatcher to alert on background.js modification:

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
$watcher.Filter = "background.js"
$watcher.IncludeSubdirectories = $true
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent $watcher "Changed" -Action { Write-Host "Background.js modified in extension!" }

5. BSC Drainer Integration – Automated Asset Theft

Once the victim inputs their seed phrase or connects a wallet, a BSC (Binance Smart Chain) drainer script is loaded. The drainer automatically transfers all tokens and BNB to attacker‑controlled addresses using smart contract interactions. The drainer is often hidden behind an iframe that loads from a C2 domain, using the postMessage API to communicate between the extension and the malicious page.

To block known drainer domains and C2, add them to your local hosts file after identification. On Linux:

echo "0.0.0.0 malicious-drainer-c2.com" | sudo tee -a /etc/hosts

On Windows (as Administrator):

Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "0.0.0.0 malicious-drainer-c2.com"

Additionally, use a browser extension policy to restrict connections:

Chrome policy JSON
{"URLBlocklist": ["://.malicious-drainer-c2.com/"]}

6. Removing Malicious Extensions and Hardening Chrome

If you suspect infection, immediately disable developer mode and remove the extension via chrome://extensions, but the attacker may have set a policy to prevent removal. Check loaded policies by navigating to chrome://policy. To force removal on Linux, delete the extension folder:

rm -rf ~/.config/google-chrome/Default/Extensions/<extension_id>

On Windows, stop Chrome processes and delete the folder via PowerShell:

Get-Process chrome | Stop-Process -Force
Remove-Item -Recurse "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions\<extension_id>"

Then reset Chrome’s secure preferences to remove any persistent rogue settings.

  1. API Security and Cloud Hardening for Crypto Services
    These attacks highlight the need for services integrating with browser extensions to enforce strict Content Security Policies (CSP) and API authentication. Backend APIs that interact with crypto wallets should validate the origin of requests and never trust postMessage communication without cryptographic verification. Implement API gateway rules to detect unusual token movement patterns, and use OWASP recommendations for browser‑based extensions.

Sample CSP header to mitigate iframe injection:

Content-Security-Policy: frame-ancestors 'self'; script-src 'self' 'wasm-unsafe-eval';

Cloud hardening: Set AWS WAF rules to block requests containing suspicious patterns related to BIDI characters or known drainer contract addresses.

What Undercode Say:

Attackers are shifting from static phishing to dynamic runtime impersonation inside the browser, using kill‑switches to stay under the radar. The combination of Unicode spoofing and locale‑based dual identity drastically increases success rates.

Crypto users must treat any browser extension – even those appearing legitimate – with extreme caution. A single background.js update can turn a harmless tool into a wallet drainer without the user noticing.

Undercode’s analysis shows that all seven extensions share the same C2 infrastructure and the kill‑switch mechanism is a direct counter‑forensic measure. The dynamic iframe payload delivery bypasses static extension scanners because the malicious code only exists in memory after activation. Moreover, the use of BIDI characters evades many automated name‑based detection rules. The research confirms that the campaign specifically targets high‑value crypto users through social media promotion and fake reviews, making it a well‑resourced operation.

Prediction:

In the next 12 months, browser‑based cryptocurrency threats will incorporate AI‑generated locale‑specific interfaces and self‑morphing kill‑switches that adapt to detection attempts. Expect a surge in supply‑chain attacks on legitimate browser extension updates, where threat actors inject dynamic drainer modules that lie dormant until a target’s wallet balance meets a threshold. API security layers will need real‑time behavioral analysis of postMessage traffic and on‑device extension integrity checks, possibly enforced by browser vendors themselves.

▶️ Related Video (72% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Crypto UgcPost – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky