A new malware-as-a-service toolkit called Stanley is being sold on a Russian-language cybercrime forum to deploy Chrome-extension-based website-spoofing attacks that overlay attacker-controlled phishing pages while the browser URL bar still shows the legitimate site. The toolkit includes a C2 management panel, guaranteed Chrome Web Store publication at higher price tiers, IP-based tracking, persistent C2 polling with fallback domains, and iframe overlay phishing that can harvest credentials at scale. #Stanley #ChromeWebStore
Keypoints
- Stanley is a MaaS toolkit advertised on a Russian-language forum (seller alias "Стэнли") that packages website-spoofing as a Chrome extension and sells it for $2,000–$6,000 with a claimed guarantee of Chrome Web Store publication.
- The toolkit includes a web-based C2 panel showing infected users (identified by IP), online status, last activity, and browser history status, and allows operators to configure per-user URL hijacking rules.
- Malicious extensions built with Stanley present as legitimate apps (example: "Notely"), request broad permissions (including ), and use document_start injection to run before page content loads.
- Core attack technique: intercept navigation and overlay a fullscreen iframe containing attacker-controlled phishing content while the browser address bar continues to show the real domain (e.g., binance.com displayed while phishing page is shown).
- Operational features include real-time Chrome notifications to lure users, persistent 10-second polling to C2, and backup domain rotation to maintain continuity if the primary C2 is taken down.
- Defensive recommendations: enterprises should enforce strict extension allowlisting (Chrome Enterprise/Edge for Business); consumers should audit and minimize installed extensions and scrutinize broad permission requests.
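As an added example, not code from the article or from Stanley, here is a Python audit that flags the permission profile just described (every-site host access, a document_start content script on all sites, notification plus tab/navigation APIs) in installed extension manifests; the sample manifest is constructed, and the `Extensions/<id>/<version>/manifest.json` profile layout is an assumption.

```python
import json
from pathlib import Path
from typing import Any, Dict, List

# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample manifest (not a real Stanley artifact) modelling the
# profile described above: innocuous name, every-site access, a content
# script that runs at document_start, and notification/navigation APIs.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Notely",
    "permissions": ["storage", "tabs", "notifications", "webNavigation"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"],
                         "run_at": "document_start"}],
})

def assess_manifest(raw: str) -> Dict[str, Any]:
    """Flag the risk indicators in one extension manifest (MV2 or MV3)."""
    m = json.loads(raw)
    perms = set(m.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(m.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    early = [cs for cs in m.get("content_scripts", [])
             if cs.get("run_at") == "document_start"
             and BROAD_HOSTS & set(cs.get("matches", []))]
    flags = {
        "broad_host_access": bool(BROAD_HOSTS & hosts),
        "early_injection_on_all_sites": bool(early),
        # notifications plus tab/navigation control is what a lure-and-overlay
        # extension needs to push alerts and steer the victim's browsing.
        "notify_and_redirect": "notifications" in perms
        and bool(perms & {"tabs", "webNavigation"}),
    }
    return {"name": m.get("name"), **flags,
            "needs_review": sum(flags.values()) >= 2}

def scan_profile(profile_dir: str) -> List[Dict[str, Any]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed layout)."""
    results = []
    for mf in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        r = assess_manifest(mf.read_text(encoding="utf-8"))
        r["id"] = mf.parent.parent.name  # extension id directory
        results.append(r)
    return [r for r in results if r["needs_review"]]
```

Any extension it reports should be compared against the enterprise allowlist rather than trusted on the strength of its store listing.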
MITRE Techniques
- [T0000] No MITRE technique explicitly named: the article does not list specific MITRE ATT&CK technique IDs or names; it describes behaviors such as iframe overlay, C2 polling, and credential harvesting without quoting MITRE technique identifiers.
Indicators of Compromise
- [Forum alias] Seller identifier on Russian-language cybercrime forum: Стэнли
- [Extension name] Malicious extension/kit sample: Notely (proof-of-concept built with Stanley), and references to Stanley-built extensions
- [Domains] Spoofed target domains used in demos/attacks: binance.com, coinbase.com
- [IP addresses] Used as unique tracking identifiers for infected users: victim IP addresses (no specific IPs disclosed in the article)
- [C2 domains] Command-and-control infrastructure: primary C2 taken offline (domains not disclosed); toolkit implements fallback domain rotation