socket-dev · Crawled Jul 5, 2026
Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates
AI Summary
Malicious Chrome and Firefox browser extensions branded as 'VPN Go: Free VPN' have been distributing clipboard-stealing malware through staged updates. Initially appearing as legitimate free VPN tools, the extensions later added functionality to monitor and exfiltrate clipboard data, including passwords, API keys, and cryptocurrency addresses. The stolen data is sent to hardcoded IP addresses using HTTP GET requests with chunked encoding and session identifiers. Both extensions use obfuscated JavaScript and share infrastructure, indicating a coordinated campaign targeting user privacy under the guise of security.
AI-extracted · verify before operational use
Indicators of Compromise 11 extracted