{
  "Event": {
    "analysis": "1",
    "date": "2026-04-30",
    "extends_uuid": "",
    "info": "[Threat Intel] That AI Extension Helping You Write Emails? It's Reading Them First",
    "protected": false,
    "publish_timestamp": "1779546299",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779546299",
    "uuid": "4e579de4-ff53-4609-afaa-ba2392c8b4ab",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#0afe32",
        "local": false,
        "name": "misp-galaxy:producer=\"Palo Alto\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#e96364",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Adversary-in-the-Middle - T1557\"",
        "relationship_type": ""
      },
      {
        "colour": "#72ee33",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Keylogging - T1056.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#d3f567",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"",
        "relationship_type": ""
      },
      {
        "colour": "#ed66f6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Steal Web Session Cookie - T1539\"",
        "relationship_type": ""
      },
      {
        "colour": "#7da4ad",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"",
        "relationship_type": ""
      },
      {
        "colour": "#0a061f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Active Setup - T1547.014\"",
        "relationship_type": ""
      },
      {
        "colour": "#47d9d3",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Malicious File - T1204.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#029dd6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Software Extensions - T1176\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9bb6d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Credentials from Password Stores - T1555\"",
        "relationship_type": ""
      },
      {
        "colour": "#bce57a",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over Web Service - T1567\"",
        "relationship_type": ""
      },
      {
        "colour": "#62e1b7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Browser Session Hijacking - T1185\"",
        "relationship_type": ""
      },
      {
        "colour": "#adf1b0",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Proxy - T1090\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#1b95cd",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Phishing - T1566\"",
        "relationship_type": ""
      },
      {
        "colour": "#e43954",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Drive-by Compromise - T1189\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005c",
        "local": false,
        "name": "rectifyq:topic=\"ai\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Browser Extensions - T1176.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950029",
        "to_ids": false,
        "type": "link",
        "uuid": "7b6b1912-8f31-4cf7-8d1b-bd7dd3963232",
        "value": "https://unit42.paloaltonetworks.com/high-risk-gen-ai-browser-extensions/"
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950029",
        "to_ids": false,
        "type": "text",
        "uuid": "4a6f6fe0-03d3-4dd9-88b3-cc7896405697",
        "value": "Researchers discovered 18 malicious AI browser extensions masquerading as productivity tools that deliver remote access trojans, meddler-in-the-middle attacks, and infostealers. These extensions exploit the rise of generative AI to target prompts, user behavior, and browser sessions through API interception, passive DOM observation, traffic proxying, and HTTPS response decryption. Examples include extensions that surveil emails during composition, intercept ChatGPT prompts, and exfiltrate passwords. Multiple samples contained AI-generated code indicating threat actors employed large language models to accelerate production. Google removed or issued warnings for all 18 reported extensions. These malicious tools specifically target sensitive data including AI API keys, authentication credentials, email content, and proprietary session information by exploiting user trust in AI-branded applications."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950029",
        "to_ids": false,
        "type": "text",
        "uuid": "95ba04be-b5c2-49b0-ad8f-ac98a98e2875",
        "value": "Name: That AI Extension Helping You Write Emails? It's Reading Them First\nAuthor: AlienVault\nAdversary: \nTags: [\"huiyi\", \"browser extension\", \"genai\", \"remote access trojan\", \"search hijacker\"]\nTgtd countries: []\nMlwr families: [\"Chrome MCP Server\", \"Supersonic AI\", \"Reverse Recruiting\", \"Chat AI for Chrome\", \"AI Photo and Video Editor\", \"Huiyi\"]\nAttack_ids: [\"T1557\", \"T1056.001\", \"T1059.007\", \"T1539\", \"T1036.005\", \"T1547.014\", \"T1204.002\", \"T1176\", \"T1555\", \"T1567\", \"T1185\", \"T1090\", \"T1041\", \"T1566\", \"T1562.001\", \"T1027\", \"T1573\", \"T1132\", \"T1189\", \"T1071.001\"]\nIndustries: []"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778209956",
        "to_ids": true,
        "type": "domain",
        "uuid": "dab0d5f7-a3f9-485a-a25b-7499c7db9093",
        "value": "chatgptforchrome.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777950029",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "bf9e7581-da39-4be7-ab5a-a48e5f475048",
        "value": "CVE-2025-55182"
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 08/05/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546297",
        "to_ids": true,
        "type": "sha256",
        "uuid": "27e2571e-e186-4bd9-9b4f-c4bdc19808df",
        "value": "4e38bee33237a8c8b17a2504013e506ca7cbf667a7f68a2d94d75db505c2149f",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "No sample in VT\r\nLast check: 08/05/2026 (DD/MM/YYYY)",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1779546299",
        "to_ids": true,
        "type": "sha256",
        "uuid": "e0a1437d-5953-42e1-b390-26687b496ce9",
        "value": "c9754454efede2dec2fcb856faa40424b8df378706b664a5ae4847fcd0336b53",
        "Tag": [
          {
            "colour": "#260091",
            "local": false,
            "name": "rectifyq:ioc=\"enriched\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"VirusTotal\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"Tria.ge\"",
            "relationship_type": ""
          },
          {
            "colour": "#626567",
            "local": false,
            "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778209977",
        "to_ids": true,
        "type": "url",
        "uuid": "b02dd352-4dea-4113-b8fb-24d1e217d688",
        "value": "http://api.reverserecruiting.io/",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778209998",
        "to_ids": true,
        "type": "url",
        "uuid": "cb81da9a-cf0f-477c-86d6-f6fa211d7702",
        "value": "http://api.reverserecruiting.io/v1/profile/sync",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210020",
        "to_ids": true,
        "type": "url",
        "uuid": "7a5acfef-9693-41ec-a6cf-3093c26f1e33",
        "value": "http://banana.summarizer.one/quota",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210041",
        "to_ids": true,
        "type": "url",
        "uuid": "4947034a-8aae-44b0-84ba-4a132e7d35b4",
        "value": "http://newextensioninstallweb.com/2025",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210062",
        "to_ids": true,
        "type": "domain",
        "uuid": "c373223e-095e-4dca-8e47-8bf84d9577aa",
        "value": "gosupersonic.email",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210083",
        "to_ids": true,
        "type": "domain",
        "uuid": "f6047571-53e8-416b-b81b-c2c69e740e9b",
        "value": "newextensioninstallweb.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210104",
        "to_ids": true,
        "type": "domain",
        "uuid": "0c0b0f3e-a03b-4adb-99ee-aba9ffe3a29b",
        "value": "notionapp.cn",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210125",
        "to_ids": true,
        "type": "domain",
        "uuid": "a591a5c3-03e1-4fef-8ac5-183caae8d8e9",
        "value": "pic-editor-chromeextension.uno",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210146",
        "to_ids": true,
        "type": "domain",
        "uuid": "c91853d3-a830-46a4-bdab-86a586c051a1",
        "value": "vomet.ru",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210168",
        "to_ids": true,
        "type": "domain",
        "uuid": "e10fa010-d759-44e6-91c3-ffb5c820a6bc",
        "value": "xuix.top",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210189",
        "to_ids": true,
        "type": "hostname",
        "uuid": "6b97f443-7738-45a3-a5b8-67a46014f85e",
        "value": "api.reverserecruiting.io",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210210",
        "to_ids": true,
        "type": "hostname",
        "uuid": "a801f278-8050-4bf3-a034-0acbc0966235",
        "value": "banana.summarizer.one",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210231",
        "to_ids": true,
        "type": "hostname",
        "uuid": "7079d02c-2c2d-4348-b14a-df8a27721d15",
        "value": "mcp-browser.qubecare.ai",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Chrome MCP Server - AI Browser Control",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "7676bf48-ca75-43b9-a852-ad9f4f21fde7",
        "value": "fpeabamapgecnidibdmjoepaiehokgda"
      },
      {
        "category": "Payload delivery",
        "comment": "browser cash",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "27b7b39f-4215-4d73-8b24-77765835c4f2",
        "value": "oaldjcdohhhibelagdhoahbedekfjjjf"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210252",
        "to_ids": true,
        "type": "domain",
        "uuid": "e3f27fd2-860d-46ab-bfb1-24fc5eb8127a",
        "value": "browser.cash",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Anker AIME Copilot",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "6c857482-a570-4ddf-86de-a389ed2a254f",
        "value": "nbflcljmdbibeoaipongjgfmbapanipm"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210273",
        "to_ids": true,
        "type": "url",
        "uuid": "f5877716-e39e-46ab-a366-7ae1558ff427",
        "value": "172.16.18.184:5443/web-info",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Nano Banana",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "2f541356-f47c-4968-932e-3ff205a35913",
        "value": "ffocfibjgakneigiajpccfcdmomlbapo"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210294",
        "to_ids": true,
        "type": "url",
        "uuid": "99cb7973-d2dc-4121-830e-0c219c8f832d",
        "value": "banana.summarizer.one/quota",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Text Summarizer",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "4627228b-c6e1-4957-900d-f836385bc976",
        "value": "npifianbfjhobabjjpfdjjihgbdnbojh"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210315",
        "to_ids": true,
        "type": "url",
        "uuid": "816472cc-c756-45c6-93de-494aa5bf14e7",
        "value": "ws://158.160.66.115:40000/summary",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Google AI",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "c99cb012-ea14-4dc3-bf27-4997b8fc8bc5",
        "value": "pfdmleklaejjccgfhoeafapbhkjipcnj"
      },
      {
        "category": "Payload delivery",
        "comment": "\u4f1a\u8bd1:\u4e00\u7ad9\u5f0f AI \u7ffb\u8bd1 Agent\uff5c\u5bf9\u7167\u5f0fDeepL\u7ffb\u8bd1\uff5cDeepSeek\u5212\u8bcd\u7ffb\u8bd1\uff5c\u514d\u8d39",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "c070017d-c8d2-412b-9887-26217c1d3897",
        "value": "dgeiaiglmhdhajbpfbmajaajdlfdinpi"
      },
      {
        "category": "Payload delivery",
        "comment": "AI Agent",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "9bb355db-9d4f-421f-a729-5d0c75dcfbd7",
        "value": "hnppehcgmflfkcdkbkaeemjfngffmeag"
      },
      {
        "category": "Network activity",
        "comment": "On port 3130",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "ip-dst|port",
        "uuid": "ea48a70b-da80-4d8a-aedc-008b899e37a5",
        "value": "199.80.55.27|3130"
      },
      {
        "category": "Payload delivery",
        "comment": "Notion\u4e2d\u6587\u7248",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "8588af30-880b-433e-8ee1-96f1d8ed897f",
        "value": "ljlhpcabhpjdlcjhbmgjigfceppgabmk"
      },
      {
        "category": "Payload delivery",
        "comment": "Notion\u4e2d\u6587\u7248",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "79834846-25bf-4ff0-85d1-e098e6fb1c86",
        "value": "pdahnbohfcekobflehebdkoemnmmempk"
      },
      {
        "category": "Payload delivery",
        "comment": "NotionAI\u63d2\u4ef6",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "1acd8433-b0cc-4911-96fa-30457e03ad29",
        "value": "jndldoeopjgmpakgmieaeeelhnjnfgkj"
      },
      {
        "category": "Payload delivery",
        "comment": "Agent Risk Reminder Remover - CNFans, ACBuy & More",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "15960171-897e-4f15-a6ad-e10322e8b6c3",
        "value": "bonhfflnjgdbnhcpjemkknlhimceckgb"
      },
      {
        "category": "Payload delivery",
        "comment": "Reverse Recruiting - AI Job Application Assistant",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "ad0a638b-a7e2-482d-839c-75bb6f1974c9",
        "value": "iefpkdilnfhogjbkhgnliaomoldgkdlj"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778210336",
        "to_ids": true,
        "type": "url",
        "uuid": "5129a1ab-9401-451a-abc3-53c269e7712b",
        "value": "api.reverserecruiting.io/",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Chat AI for Chrome",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "f70ea48d-86e0-4739-b49e-3c3066686df0",
        "value": "jhhjbaicgmecddbaobeobkikgmfffaeg"
      },
      {
        "category": "Payload delivery",
        "comment": "[Redacted]: AI Photo, Video",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "797e8777-e000-4132-858c-75ebf7fa2aa9",
        "value": "hmkcidjcpomiegnklmplkimmbcbklglb"
      },
      {
        "category": "Payload delivery",
        "comment": "Ask AI - GPT chat",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "a486a137-df8f-4e9b-a898-1d7d0d9d6557",
        "value": "cjmhegifablecgkkncjddcgkjmgoacfd"
      },
      {
        "category": "Payload delivery",
        "comment": "Picsart: AI Photo Video Editor",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "d673b720-aafb-425b-9875-b2c9dc356ec1",
        "value": "dcjfbgppfdokmjgajnnkgdmkdeiloigh"
      },
      {
        "category": "Payload delivery",
        "comment": "Supersonic AI",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1778204453",
        "to_ids": true,
        "type": "chrome-extension-id",
        "uuid": "bfd186b4-b657-4333-8a7d-ce88b3460f6f",
        "value": "eebihieclccoidddmjcencomodomdoei"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546287",
        "uuid": "abf10761-c359-4fa1-a308-3b8b7d9970e3",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546286",
            "to_ids": true,
            "type": "md5",
            "uuid": "79840e64-776f-4581-adf3-aa9cab4c9a1e",
            "value": "df0e93e8d0587ddf353f4961e05ec872",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546287",
            "to_ids": true,
            "type": "sha1",
            "uuid": "dad53c69-e0bb-4ba8-9386-3e5ae9146f34",
            "value": "a7852512f08ff87165b3f36192d5cef93515e713",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546287",
            "to_ids": true,
            "type": "sha256",
            "uuid": "78340136-df6e-44ce-b28d-ff137eb42e18",
            "value": "0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778206625",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "f53a519c-f71b-4e05-8295-6a841f0ca216",
            "value": "196608:qheV8yPxJDxuxm5Kl/C1liCE9rMkeNoLwTx55El8HVcqyQ1y:DrPxJo+M2JKETv2Scqyky"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778206625",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "a3526471-7967-4624-9f5b-901fe63849de",
            "value": "9488476"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778206625",
            "to_ids": true,
            "type": "filename",
            "uuid": "750d506f-3636-4c0d-b68e-a8c0aafb243e",
            "value": "fpeabamapgecnidibdmjoepaiehokgda.crx"
          },
          {
            "category": "Other",
            "comment": "Checked: 08/05/2026 (DD/MM/YYYY)\nLast-scan: 07/05/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778206625",
            "to_ids": false,
            "type": "text",
            "uuid": "2e3afce3-ca6e-41ba-990f-9274eba12fa3",
            "value": "Type Description: Google Chrome Extension\nMicrosoft: None\nVT Total Detection:25/60\nFirst Submission:2025-11-04T12:12:10.000000+00:00\nLast Submission:2026-05-04T21:33:31.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546289",
        "uuid": "8244db42-a07a-4b65-bf2d-739718c6dac2",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546289",
            "to_ids": true,
            "type": "md5",
            "uuid": "1f2d8e2a-1ca5-472e-be76-2650c75a89d9",
            "value": "c9bbd62d215e3b4957fe29b37d8aa3e2",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546289",
            "to_ids": true,
            "type": "sha1",
            "uuid": "2fb734c2-1058-4c4c-936d-5a6262bfef50",
            "value": "6c17e01f9df90d9f5e278728229c034fb11e3ead",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546289",
            "to_ids": true,
            "type": "sha256",
            "uuid": "7337b403-972e-45da-ab1b-585643915c68",
            "value": "604c7aef72892b56ac23ad54744376574239c8f0651e95dd5b6cf540eb70f7c3",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778206668",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "869d86ce-0c26-4152-8224-c3bbe2d456b5",
            "value": "24576:qkq15uX6dtbAJ3EilF3bJVmN/wEB8kiLIzZ5dVrWKUVrWdaS+Jp:qkCptblildrmZqdIzpVeVdp"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778206668",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "bf852c35-35af-4f68-a1bc-047c4d72917c",
            "value": "1308599"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778206668",
            "to_ids": true,
            "type": "filename",
            "uuid": "c5bafc03-6cd9-40b1-a2e5-42e1e31af4f9",
            "value": "iefpkdilnfhogjbkhgnliaomoldgkdlj.crx"
          },
          {
            "category": "Other",
            "comment": "Checked: 08/05/2026 (DD/MM/YYYY)\nLast-scan: 08/05/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778206668",
            "to_ids": false,
            "type": "text",
            "uuid": "db60ea4d-94f6-485b-8120-7cbc51db54dc",
            "value": "Type Description: Google Chrome Extension\nMicrosoft: None\nVT Total Detection:0/61\nFirst Submission:2026-02-27T18:32:09.000000+00:00\nLast Submission:2026-05-04T07:23:33.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546292",
        "uuid": "c305d508-5691-4910-887b-971fb32b25d4",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546291",
            "to_ids": true,
            "type": "md5",
            "uuid": "ad6420b1-2697-4dac-a5d4-687b17844475",
            "value": "1bdc82cbfbd3076af84f993df0d34e36",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546292",
            "to_ids": true,
            "type": "sha1",
            "uuid": "478a496f-f0b5-4885-86b4-6831cd50f6e6",
            "value": "3401c409dd3e1a0b2cdba4ae45e8c99a824215ad",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546292",
            "to_ids": true,
            "type": "sha256",
            "uuid": "d2681cef-cd81-4aeb-9fe1-6e39e05ec9f0",
            "value": "ac0a312398b3bf6b3d7c5169687ca72f361838bc5a90f2c0dbce2dc8e2094a02",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778206690",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "94616c89-0227-437f-b296-58ee78ca5408",
            "value": "1536:nAxtzX4yUn0BOZLp+p++WDQhiNDYIJOXu6879nGSYSagD:nCzX5Un0BOZp+p+V04NdJOW8Srai"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778206690",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "18a08004-4237-4e4d-8f79-6e360b8b9520",
            "value": "56948"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778206690",
            "to_ids": true,
            "type": "filename",
            "uuid": "96045fc0-5c6e-46eb-b304-e3d2c38752b5",
            "value": "eebihieclccoidddmjcencomodomdoei.crx"
          },
          {
            "category": "Other",
            "comment": "Checked: 08/05/2026 (DD/MM/YYYY)\nLast-scan: 07/05/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778206690",
            "to_ids": false,
            "type": "text",
            "uuid": "909bf236-3c11-42f2-8b5a-969c3961faa3",
            "value": "Type Description: Google Chrome Extension\nMicrosoft: None\nVT Total Detection:0/60\nFirst Submission:2026-02-27T18:33:04.000000+00:00\nLast Submission:2026-05-04T06:29:46.000000+00:00"
          }
        ]
      },
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779546295",
        "uuid": "406962d7-15be-41dc-8bb1-0e2fb67c975b",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779546294",
            "to_ids": true,
            "type": "md5",
            "uuid": "3e9b3048-4532-420b-b3ec-67f4fdbfe2fd",
            "value": "149f15f4497924698fbd62e1625ac0cb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779546294",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1f7aa835-6942-444c-96d2-5a4c71de1955",
            "value": "2bed99903cdd1c037ac92324677ee4523802c96d",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779546295",
            "to_ids": true,
            "type": "sha256",
            "uuid": "b6f40138-d56d-4fa3-a07b-e06e4039018f",
            "value": "dfe307d957724ebe32331f92d53e366b7fa85968a9564c2285c5a0142ac9e1bb",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1778206733",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "ca596df4-27ea-4fc1-8739-fa96b05ffa4f",
            "value": "768:Jhfyu3x8EaxDqSGmbvmNfmDU3zwcKjP6MdaOguQ8BHxu6X:JhfB3xKDqzCmhmDU3zwc7YR/"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1778206733",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "976f101d-e7f1-4be6-9e7e-99c3cb2cb8e1",
            "value": "40332"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1778206733",
            "to_ids": true,
            "type": "filename",
            "uuid": "51b546fc-3ed0-482d-9449-4a26f3c01ddf",
            "value": "jhhjbaicgmecddbaobeobkikgmfffaeg.crx"
          },
          {
            "category": "Other",
            "comment": "Checked: 08/05/2026 (DD/MM/YYYY)\nLast-scan: 07/05/2026 (DD/MM/YYYY)",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1778206733",
            "to_ids": false,
            "type": "text",
            "uuid": "77ef588c-2b3a-47c9-8279-65aef079a857",
            "value": "Type Description: Google Chrome Extension\nMicrosoft: None\nVT Total Detection:0/60\nFirst Submission:2026-05-04T00:04:45.000000+00:00\nLast Submission:2026-05-04T07:23:32.000000+00:00"
          }
        ]
      }
    ]
  }
}