socket-dev · Crawled Jul 5, 2026

Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates


AI Summary

Malicious Chrome and Firefox browser extensions branded as 'VPN Go: Free VPN' have been distributing clipboard-stealing malware through staged updates. Initially appearing as legitimate free VPN tools, the extensions later added functionality to monitor and exfiltrate clipboard data, including passwords, API keys, and cryptocurrency addresses. The stolen data is sent to hardcoded IP addresses using HTTP GET requests with chunked encoding and session identifiers. Both extensions use obfuscated JavaScript and share infrastructure, indicating a coordinated campaign targeting user privacy under the guise of security.

AI-extracted · verify before operational use

Indicators of Compromise 11 extracted
