Socket’s Threat Research Team found malicious Chrome and Firefox VPN extensions that posed as free privacy tools while secretly stealing clipboard contents through staged updates. The campaign used shared infrastructure, browser-specific proxy features, and hardcoded endpoints to exfiltrate copied secrets from users of VPN Go: Free VPN and Free VPN by VPN GO.
Key points
- The Chrome Web Store and Mozilla Firefox Add-ons hosted extensions branded as VPN Go: Free VPN / Free VPN by VPN GO.
- Both extensions included legitimate-looking proxy/VPN functionality but also hidden clipboard-stealing code.
- The malicious behavior was introduced through staged updates, with earlier versions appearing benign and later versions adding clipboard exfiltration.
- Chrome versions 1.1 and 1.2 exfiltrated clipboard data to 178.236.252.133, while version 1.3 moved to 77.91.123.187.
- Firefox version 1.3.3 used 178.236.252.161 for clipboard theft, and version 1.3.4 later moved to 77.91.123.187.
- The malware continuously read clipboard contents, split them into chunks, tagged them with session IDs, and sent them over HTTP GET requests.
- The extensions were reported to Google and Mozilla for review and removal, and copied secrets should be considered exposed.
MITRE Techniques
- [T1176.001] Software Extensions: Browser Extensions – The threat was delivered through malicious browser add-ons that users installed from official extension stores (‘browser extensions operating under the VPN Go: Free VPN branding’).
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – The extensions were altered through staged malicious updates after appearing legitimate (‘staged malicious-update pattern’).
- [T1204] User Execution – Users had to install and keep using the extension, believing it was a free VPN tool (‘Users routinely copy passwords… A browser extension with clipboard access does not need…’).
- [T1059.007] Command and Scripting Interpreter: JavaScript – The malicious logic was implemented in JavaScript inside extension scripts (‘the script… reads the clipboard… and sends those chunks’).
- [T1115] Clipboard Data – The extensions monitored and stole copied text from the clipboard (‘continuously monitors copied text and exfiltrates it’).
- [T1027] Obfuscated Files or Information – The code used obfuscation and arithmetic/string tricks to hide malicious behavior (‘lightly obfuscated with meaningless variable names, escaped property strings, and arithmetic constants’).
- [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration used HTTP GET requests to web endpoints (‘sends those chunks to hardcoded HTTP endpoints’).
- [T1041] Exfiltration Over C2 Channel – Clipboard data was transmitted to attacker-controlled infrastructure (‘exfiltrating copied data to hardcoded threat actor-controlled infrastructure’).
- [T1036] Masquerading – The extensions pretended to be legitimate VPN tools with privacy-focused messaging (‘present themselves as free VPN tools’ and ‘privacy-focused positioning’).
Indicators of Compromise
- [Extension names / IDs] Malicious browser add-ons posing as VPN tools – VPN Go: Free VPN, Free VPN by VPN GO, jgpfgonjjolillilkjfkiddakagkkpoj, vpngo@vpngo[.]com
- [Domains / URLs] Privacy policy and exfiltration infrastructure – telegra[.]ph/Privacy-Policy-12-11-127, /html/continue[.]php, /locations
- [IP addresses] Clipboard exfiltration and proxy-location endpoints – 178[.]236[.]252[.]133, 77[.]91[.]123[.]187, and 178[.]236[.]252[.]161
- [SHA256 hashes] Confirmed malicious extension packages – 43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56, b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c, and 72fc06a8b03720f4a64744eecd5b3f658ad880bdb327c0c465c7bdc66b14a8d2
- [SHA256 hashes] Confirmed malicious Firefox packages – fbbdf4bc490ad7b28953630c1707aa68b89d319b9b735f3d8563320b81b21a97, 2fe9c41901045013ba28ccb9af5870f9aef4f1ffd1e717cd5e0189ffdbe7fca2
- [Bearer tokens] Hardcoded API authentication tokens – 11f01e8296a074e6e3b23e9413c51f205d4b6a14146fb4d95bec291d768a9071, 7386252b9a86e5357e6aa884326720abf015465a2567e75717830b6688ef05cc
- [File names / script paths] Malicious extension components – scripts/version.js, scripts/background.js
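The indicators above are most useful once they are turned into a sweep that can be run over what a defender actually has: web-proxy logs and an inventory of installed browser extensions. The following is an added example (not Socket's code and not taken from the original post) that refangs the IPs, paths, extension IDs and package hashes listed on this page and applies them to constructed sample data. The log line format, the inventory shape, and the sample values are assumptions made for the example; adapt the parser to your own log source.

```python
"""IoC sweep for the VPN Go clipboard-stealer campaign (added example, not Socket's code).

Applies the indicators published on this page to (a) constructed web-proxy log lines
and (b) a constructed inventory of installed extensions with their package hashes.
"""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators as published on this page (defanged form).
EXFIL_IPS_DEFANGED = ["178[.]236[.]252[.]133", "77[.]91[.]123[.]187", "178[.]236[.]252[.]161"]
EXFIL_PATHS = {"/html/continue.php", "/locations"}
EXTENSION_IDS = {"jgpfgonjjolillilkjfkiddakagkkpoj", "vpngo@vpngo.com"}
PACKAGE_SHA256 = {
    "43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56",
    "b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c",
    "72fc06a8b03720f4a64744eecd5b3f658ad880bdb327c0c465c7bdc66b14a8d2",
    "fbbdf4bc490ad7b28953630c1707aa68b89d319b9b735f3d8563320b81b21a97",
    "2fe9c41901045013ba28ccb9af5870f9aef4f1ffd1e717cd5e0189ffdbe7fca2",
}


def refang(ioc: str) -> str:
    """Turn the published '178[.]236[.]252[.]133' form back into a matchable IP."""
    return ioc.replace("[.]", ".")


EXFIL_IPS = {refang(ip) for ip in EXFIL_IPS_DEFANGED}

# Assumed proxy log layout: "<timestamp> <client-ip> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def match_network_iocs(lines):
    """Return (client, url, reason) tuples for requests touching campaign infrastructure.

    A hit on one of the exfiltration IPs is reported as 'ioc-ip'. The two paths are
    generic and can collide with benign traffic, so a path hit on some other host is
    reported separately as 'ioc-path-only' for the analyst to weigh.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        url = m.group("url")
        parts = urlsplit(url)
        host = parts.hostname or ""  # hostname strips any :port suffix
        if host in EXFIL_IPS:
            hits.append((m.group("client"), url, "ioc-ip"))
        elif parts.path in EXFIL_PATHS:
            hits.append((m.group("client"), url, "ioc-path-only"))
    return hits


def package_sha256(data: bytes) -> str:
    """SHA-256 of a packed extension (.crx/.xpi) read as bytes."""
    return hashlib.sha256(data).hexdigest()


def match_extension_iocs(installed):
    """installed: iterable of (extension_id, package_sha256_hex). Returns flagged (id, reason)."""
    flagged = []
    for ext_id, digest in installed:
        if digest.lower() in PACKAGE_SHA256:
            flagged.append((ext_id, "known-malicious-package-hash"))
        elif ext_id in EXTENSION_IDS:
            flagged.append((ext_id, "known-malicious-extension-id"))
    return flagged


# Constructed sample data; the query string is a placeholder, not the real one.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET http://178.236.252.133/html/continue.php?q=CONSTRUCTED 200",
    "2024-01-01T10:00:01Z 10.0.0.5 GET http://77.91.123.187:80/locations 200",
    "2024-01-01T10:00:02Z 10.0.0.7 GET https://example.com/locations 200",
    "2024-01-01T10:00:03Z 10.0.0.7 GET https://example.com/index.html 200",
]
SAMPLE_INVENTORY = [
    ("jgpfgonjjolillilkjfkiddakagkkpoj", package_sha256(b"constructed package bytes")),
    ("benignextensionidconstructed0000", package_sha256(b"another constructed package")),
    ("renamed-copy-constructed", "43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56"),
]

if __name__ == "__main__":
    for hit in match_network_iocs(SAMPLE_LOGS):
        print("network:", *hit)
    for flag in match_extension_iocs(SAMPLE_INVENTORY):
        print("extension:", *flag)
```

Matching on the package hash as well as the extension ID matters here because the same code was shipped under two different IDs across stores, and a repackaged copy under a new ID would still carry a known hash; conversely, a hit on only `/locations` or `/html/continue.php` without one of the listed IPs is a lead to triage, not a confirmed compromise.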
Read more: https://socket.dev/blog/chrome-and-firefox-extensions-free-vpns-add-clipboard-stealers