Silent Swap: New Crypto Clipper Campaign Uses Stealthy Browser Extensions and Blockchain for Evasion
A sophisticated cryptocurrency clipper campaign, dubbed **Silent Swap** by **McAfee Labs**, is actively targeting users by stealthily replacing wallet addresses during transactions. This campaign leverages malicious Chromium extensions and an advanced blockchain-based command-and-control (C2) mechanism to evade detection and siphon funds.
Cybersecurity researchers have uncovered an active browser extension campaign meticulously designed to steal cryptocurrency. This operation, codenamed **Silent Swap** by **McAfee Labs**, focuses on surreptitiously altering wallet addresses when users initiate a transaction, leading to irreversible financial losses.
### Covert Delivery and Installation
The **Silent Swap** campaign is delivered through unsigned installers, observed in both .NET and Golang variants. These installers deploy a malicious **Chromium** extension that masquerades as a benign 'Google Notes' utility.

The .NET installer, named **BaseZipInstaller**, scans the system for **Chromium-based browsers** (such as **Google Chrome**, **Microsoft Edge**, **Brave**, and **Vivaldi**). For each detected browser profile, it forcibly terminates the process and injects the malicious extension by modifying the **Secure Preferences** and **Preferences** files. The extension then requests broad permissions, including access to the clipboard, all URLs, and browsing history, to achieve its objectives.
### Sophisticated Evasion and Persistence
What sets **Silent Swap** apart is its use of advanced evasion techniques. It leverages **EtherHiding**, a method that uses the blockchain as a dead drop resolver to retrieve active C2 server details. This allows the threat actor to update a smart contract value to point to a new domain without redeploying the malware itself.
The covert installation of the browser extension involves modifying protected browser settings files. The malware recalculates and updates security verification data (hash/HMAC values) after tampering, tricking the browser into believing the extension was installed legitimately. This bypasses the normal extension web store installation process and loads silently without user approval.
Persistence is established by altering the browser's **Secure Preferences** file, ensuring the extension loads on subsequent browser launches. The malware also attempts to programmatically enable developer mode in **Brave** and **Opera**, and the installer self-deletes after execution to remove initial compromise indicators.
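Because the installer re-signs the tampered preference files, a defender cannot rely on the browser's own integrity check to spot the sideloaded extension; the installed-extension records have to be audited on their content. The script below is an added example, not McAfee's tooling or anything from the campaign: it parses a constructed, trimmed Secure Preferences-style JSON and flags extensions that were not installed from the Web Store, were loaded unpacked from an absolute path, or hold clipboard and history permissions together with broad host access, the combination the 'Google Notes' extension requests. The field names (`from_webstore`, `state`, `path`, `manifest`) follow the layout Chromium uses for extension records and are assumed here; verify them against the browser build you are examining.

```python
import json
import re

# Constructed sample of a Chromium "Secure Preferences" file, trimmed to the
# extensions.settings subtree. Ids, names, paths and permissions are made up.
# Field names (from_webstore, state, path, manifest) follow the layout Chromium
# uses for installed-extension records; treat them as an assumption to verify
# against the browser version you are examining.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "state": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
                "manifest": {
                    "name": "Tab Counter",
                    "permissions": ["tabs"],
                },
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "state": 1,
                "path": "C:\\Users\\Public\\GoogleNotes",
                "manifest": {
                    "name": "Google Notes",
                    "permissions": ["clipboardRead", "clipboardWrite", "history", "storage"],
                    "host_permissions": ["<all_urls>"],
                },
            },
        }
    }
})

# API permissions that, combined with broad host access, let an extension
# read or rewrite the clipboard and profile the victim's browsing.
SENSITIVE_API_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history", "webRequest", "scripting"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extensions(secure_prefs_text):
    """Return one finding per extension that looks sideloaded or over-privileged.

    Because a clipper re-signs the file after tampering, the built-in HMAC
    cannot be trusted as proof of a legitimate install; the content itself
    has to be audited.
    """
    prefs = json.loads(secure_prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        api_perms = set(manifest.get("permissions", []))
        # Manifest V2 keeps host patterns inside "permissions"; V3 moves them
        # to "host_permissions". Collect both.
        host_perms = set(manifest.get("host_permissions", []))
        host_perms |= {p for p in api_perms if "://" in p or p == "<all_urls>"}

        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if not re.fullmatch(r"[a-p]{32}", ext_id):
            reasons.append("id is not a well-formed Chromium extension id")
        path = entry.get("path", "")
        # Store-installed extensions are recorded with a path relative to the
        # profile; an absolute path means it was loaded unpacked from disk.
        if path and (":" in path or path.startswith("/")):
            reasons.append("loaded unpacked from an absolute path: %s" % path)
        sensitive = sorted(api_perms & SENSITIVE_API_PERMISSIONS)
        broad = sorted(host_perms & BROAD_HOST_PATTERNS)
        if sensitive and broad:
            reasons.append("sensitive permissions %s with broad host access %s" % (sensitive, broad))

        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unnamed>"),
                "enabled": entry.get("state") == 1,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_SECURE_PREFERENCES):
        print(finding["id"], finding["name"], "enabled" if finding["enabled"] else "disabled")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against each profile's `Secure Preferences` and `Preferences` on a suspect host; a hit on the "not installed from the Web Store" plus "absolute path" pair for an extension the user never added is the strongest signal, and the permission combination tells you what it could have done with the clipboard.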

### Dynamic Wallet Substitution and Global Impact
The malware employs dynamic wallet substitution. It intercepts copied wallet addresses, sends them to an attacker backend, and uses the response to dynamically replace the original address. If the backend request fails, it falls back to a predefined hard-coded wallet address, ensuring continuous malicious activity.
For **Bitcoin (BTC)**, **Ethereum**, **Bitcoin Cash**, **Ripple**, and **Dash** addresses, a unique attacker-controlled address is mapped server-side. **Solana** addresses, however, all resolve to a single attacker address, which has been observed to hold a balance of over $1,900. Telemetry data indicates a global distribution of infections, with a higher concentration in India, followed by the U.S., Brazil, Indonesia, and Spain.
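The swap described above has a recognisable shape from the defender's side: the user copies one wallet address, and moments later the clipboard holds a different address of the same chain without the user having copied anything. The code below is an added example written for this article, not McAfee's detection logic: it classifies strings by address format for the six chains named (syntactic checks only, no checksum validation, so the base58 patterns overlap and the generic Solana pattern is tried last) and then walks a constructed clipboard timeline, raising an alert when a polled clipboard value has replaced a user-copied address. The event format and all addresses are made up for the example.

```python
import re

# Address-format matchers for the chains the campaign targets. These are
# syntactic checks only (no checksum validation) and the base58 ones overlap,
# so order matters: the generic Solana pattern is tried last.
ADDRESS_PATTERNS = [
    ("BTC", re.compile(r"(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})")),
    ("ETH", re.compile(r"0x[0-9a-fA-F]{40}")),
    ("BCH", re.compile(r"(bitcoincash:)?[qp][a-z0-9]{41}")),
    ("XRP", re.compile(r"r[1-9A-HJ-NP-Za-km-z]{24,34}")),
    ("DASH", re.compile(r"X[1-9A-HJ-NP-Za-km-z]{33}")),
    ("SOL", re.compile(r"[1-9A-HJ-NP-Za-km-z]{32,44}")),
]


def classify_address(text):
    """Return the chain name whose address format `text` matches, or None."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.fullmatch(text):
            return chain
    return None


def detect_clipboard_swaps(events):
    """Flag polled clipboard values that replaced a user-copied wallet address.

    `events` is an ordered list of dicts with keys time, source and value.
    source is "user_copy" (the user pressed copy) or "poll" (a periodic read
    of the clipboard). A swap is reported when the clipboard holds a different
    address than the one the user last copied and no user copy happened in between.
    """
    alerts = []
    last_user_value = None
    for event in events:
        if event["source"] == "user_copy":
            last_user_value = event["value"]
            continue
        if last_user_value is None or event["value"] == last_user_value:
            continue
        original_chain = classify_address(last_user_value)
        current_chain = classify_address(event["value"])
        # Only a wallet address turning into another wallet address counts;
        # ordinary clipboard churn (text, URLs) is ignored.
        if original_chain and current_chain:
            alerts.append({
                "time": event["time"],
                "chain": original_chain,
                "original": last_user_value,
                "replaced_with": event["value"],
                "same_chain": original_chain == current_chain,
            })
    return alerts


# Constructed clipboard timeline. The addresses are format-valid but made up;
# they do not belong to anyone.
ETH_USER = "0x" + "1" * 40
ETH_SWAPPED = "0x" + "2" * 40
BTC_USER = "1AaBbCcDdEeFfGgHhJjKkLmMnNoPpQqRrS"
SAMPLE_EVENTS = [
    {"time": "10:00:00", "source": "user_copy", "value": ETH_USER},
    {"time": "10:00:01", "source": "poll", "value": ETH_USER},
    {"time": "10:00:02", "source": "poll", "value": ETH_SWAPPED},   # silent swap
    {"time": "10:05:00", "source": "user_copy", "value": "meeting notes"},
    {"time": "10:05:01", "source": "poll", "value": "meeting notes"},
    {"time": "10:09:00", "source": "user_copy", "value": BTC_USER},
    {"time": "10:09:01", "source": "poll", "value": BTC_USER},
]

if __name__ == "__main__":
    for alert in detect_clipboard_swaps(SAMPLE_EVENTS):
        print("%(time)s %(chain)s address replaced: %(original)s -> %(replaced_with)s" % alert)
```

The same classifier is what a wallet front end or an endpoint agent can use to re-check the pasted address against the one the user copied before a transaction is signed; since the clipper's server-side mapping returns an address of the same chain, a chain mismatch is not needed for the alert, only the value change.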
### Overlap with Previous Campaigns
**McAfee Labs** noted that this activity overlaps with a prior **CountLoader** campaign, suggesting the same threat actor is behind both. **CountLoader** typically distributes additional payloads, including rogue browser extensions, often through phishing emails, game cracks, and other social engineering tactics.
### Malicious VPN Extensions with Clipboard Stealers
In a related development, **Socket** researchers **Kirill Boychenko** and **Kush Pandya** reported on malicious **Chrome** and **Mozilla Firefox** browser extensions named "VPN Go: Free VPN." These extensions, while offering proxy functionality, also contain clipboard theft logic that continuously monitors and exfiltrates copied text to attacker-controlled infrastructure.

This behavior extends beyond wallet addresses, allowing attackers to siphon sensitive data like passwords, authentication codes, API keys, **OAuth** tokens, and seed phrases. The extensions exhibited a staged malicious update pattern, initially publishing benign versions before introducing clipboard-stealing capabilities in subsequent updates. Different versions were observed exfiltrating data to various IP addresses, including "178.236.252[.]133" and "77.91.123[.]187."