TRENDING TOPICS SEPT 30, 2025

Fake AI Browser Extensions Stealing Data Through Chrome  

Cybercriminals are capitalizing on the interest in AI tools by publishing malicious Chrome extensions that impersonate popular services, including ChatGPT, Claude, Perplexity, and Meta's Llama. The extensions advertise AI prompting directly from the Chrome address bar, but instead of sending those prompts to the real AI platforms, they route them to attacker-controlled domains. Researchers have identified chatgptforchrome[.]com, dinershtein[.]com, and gen-ai-search[.]com among the domains used to collect prompts and track user behavior.

The campaign builds on activity dating back to 2023, when a fake "AI ChatGPT" extension was found stealing Facebook credentials; the current wave is broader and more capable. It includes at least eight AI-themed extensions promoted through deceptive YouTube videos that drive installations. Once installed, the extensions change Chrome settings, override the default search engine, and hijack browsing activity while masquerading as legitimate tools. From that position they can monitor browsing, exfiltrate sensitive information, and, in some cases, capture credentials for social media and other accounts.

Users should be cautious when adding extensions, check the developer's track record on the Chrome Web Store, and periodically audit what is installed. Organizations should enforce browser extension policies (allowlisting approved extensions or blocklisting unapproved ones), block installation of anything outside that policy, and monitor for traffic to the identified domains. The campaign shows how quickly attackers adopt AI branding to deceive users, and why awareness and preventive controls matter.
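The audit step above can be automated. The script below is an added example (not code from the original article, Google, or any vendor): it reads each extension's manifest.json from a Chrome profile's Extensions directory and flags manifests that override the default search engine through chrome_settings_overrides, request access to all sites, or are not on an allowlist. The Extensions directory layout (<id>/<version>/manifest.json) is Chrome's on-disk format; the allowlist, extension IDs, manifests, and hostnames are constructed for the demonstration.

```python
"""Audit Chrome extension manifests for search-engine hijacking and broad data access.

Added example, not from the original article or any vendor. The two sample
manifests, the allowlist, and all hostnames are constructed for the demo.
"""
import json
from pathlib import Path

# Assumed organizational allowlist of approved extension IDs (32 chars, a-p).
ALLOWLIST = {"a" * 32}

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension observe or modify traffic and sessions.
SENSITIVE_PERMS = ("webRequest", "webRequestBlocking", "cookies", "history")


def audit_manifest(ext_id: str, manifest: dict) -> list[str]:
    """Return a list of findings for one extension manifest (empty = clean)."""
    findings = []
    if ext_id not in ALLOWLIST:
        findings.append("not on allowlist")

    # chrome_settings_overrides is how an extension replaces the default
    # search engine, homepage, or startup pages; this is the hijack primitive.
    overrides = manifest.get("chrome_settings_overrides", {})
    provider = overrides.get("search_provider")
    if provider:
        findings.append(f"overrides default search engine -> {provider.get('search_url')}")
    if "homepage" in overrides or "startup_pages" in overrides:
        findings.append("overrides homepage/startup pages")

    # MV2 lists hosts under permissions, MV3 under host_permissions.
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & BROAD_HOSTS:
        findings.append("requests access to all sites")
    for p in SENSITIVE_PERMS:
        if p in perms:
            findings.append(f"requests {p} permission")
    return findings


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings."""
    results = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            results[ext_id] = [f"unreadable manifest: {exc}"]
            continue
        findings = audit_manifest(ext_id, manifest)
        if findings:
            results[ext_id] = findings
    return results


# Constructed sample manifests so the example runs without a Chrome profile.
SAMPLE_MANIFESTS = {
    # What a fake "AI search" extension's manifest tends to look like.
    "b" * 32: {
        "manifest_version": 3,
        "name": "ChatGPT for Chrome Search",
        "permissions": ["storage", "tabs", "webRequest"],
        "host_permissions": ["<all_urls>"],
        "chrome_settings_overrides": {
            "search_provider": {
                "name": "AI Search",
                "search_url": "https://search.example.invalid/?q={searchTerms}",
                "keyword": "ai",
                "encoding": "UTF-8",
                "is_default": True,
            }
        },
    },
    # An approved, narrowly scoped extension.
    "a" * 32: {
        "manifest_version": 3,
        "name": "Corporate Bookmark Sync",
        "permissions": ["bookmarks"],
        "host_permissions": ["https://intranet.example.invalid/*"],
    },
}


def audit_samples() -> dict[str, list[str]]:
    """Run the audit over the constructed manifests; only flagged IDs are returned."""
    return {
        ext_id: findings
        for ext_id, manifest in SAMPLE_MANIFESTS.items()
        if (findings := audit_manifest(ext_id, manifest))
    }


if __name__ == "__main__":
    for ext_id, findings in audit_samples().items():
        print(ext_id, "->", "; ".join(findings))
```

To run it against a real profile, pass the Extensions directory to audit_profile (on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions). The same findings map to enforcement: Chrome's ExtensionInstallAllowlist and ExtensionSettings enterprise policies can restrict installs to the allowlisted IDs so the audit becomes a check rather than the only control.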

Surge in MS-SQL Attacks Deploying XiebroC2  

Stormshield researchers report a rise in attacks on poorly secured Microsoft SQL (MS-SQL) servers, in which intruders gain access through weak or default credentials. Many intrusions begin with nothing more than guessing or brute-forcing an administrator password, which remains a common oversight in enterprise environments. Once inside, attackers do not stop at the database. They have been observed escalating from the account that runs the SQL Server service to full system-level control, typically with tools that abuse Windows permissions. With that access they can run commands across the server, disable protections, and install additional software without restriction. In this campaign it has been used to deploy XiebroC2, an open-source command-and-control framework that offers much of what commercial offensive tooling provides, which makes it a cheap but capable choice for attackers.

XiebroC2 gives an adversary an extensive toolkit: a remote shell for running commands, file and process management, network monitoring and packet capture, proxy tunneling to covertly route traffic, and screenshot capture for spying on user activity. The framework is written in Go, so the same agent can run on multiple platforms. In observed incidents, attackers used PowerShell to pull XiebroC2 directly from public repositories, then configured it to call back to their control servers over encrypted WebSocket sessions, a channel that tolerates network disruption and is harder for defenders to block.

For businesses, the impact is serious: a compromised server can become an entry point for broader attacks on the corporate network, a source of stolen data, a cryptomining host that drains resources, or infrastructure for further criminal campaigns. Defenders should watch for repeated failed SQL login attempts, the presence of privilege-escalation tools, unexplained PowerShell downloads, and unusual outbound connections, all of which are strong indicators of compromise.
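The first of those indicators, repeated failed logins followed by a success, is visible in the SQL Server ERRORLOG, as is one common next step, turning on xp_cmdshell so the service account can launch PowerShell. The script below is an added example (not from the article or Stormshield) that parses ERRORLOG lines in the format SQL Server writes them and raises an alert when one client IP produces at least THRESHOLD failed logins inside a sliding WINDOW, when a login then succeeds from an IP that tripped that alert, and when the xp_cmdshell option is changed from 0 to 1. The log lines, threshold, window, and addresses are constructed for the demonstration; successful logins only appear in ERRORLOG when the server's login auditing includes them.

```python
"""Hunt for MS-SQL brute force and xp_cmdshell enablement in the SQL Server ERRORLOG.

Added example, not from the original article or Stormshield. The sample log
below is constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation
address ranges, not real clients.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                   # failed logins from one client before alerting
WINDOW = timedelta(minutes=2)   # sliding window in which failures are counted

# ERRORLOG layout: "<timestamp> <spid or Logon> <message>"
LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+(?P<msg>.*)$")
FAILED = re.compile(r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS = re.compile(r"Login succeeded for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def analyze(lines) -> list[dict]:
    """Return alerts found in an iterable of ERRORLOG lines."""
    alerts = []
    failures = defaultdict(deque)   # client ip -> timestamps of recent failures
    flagged = set()                 # ips that already triggered a brute-force alert
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]

        f = FAILED.search(msg)
        if f:
            q = failures[f["ip"]]
            q.append(ts)
            while q and ts - q[0] > WINDOW:     # drop failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD and f["ip"] not in flagged:
                flagged.add(f["ip"])
                alerts.append({"kind": "brute_force", "ip": f["ip"],
                               "user": f["user"], "failures": len(q), "at": ts})
            continue

        s = SUCCESS.search(msg)
        if s:
            if s["ip"] in flagged:              # password guessing that worked
                alerts.append({"kind": "login_after_brute_force", "ip": s["ip"],
                               "user": s["user"], "at": ts})
            continue

        if XP_CMDSHELL_ON.search(msg):
            alerts.append({"kind": "xp_cmdshell_enabled", "spid": m["src"], "at": ts})
    return alerts


# Constructed ERRORLOG excerpt: six failures from one client in 12 seconds, one
# stray failure from another client, a success from the brute-forcing client,
# then xp_cmdshell being switched on.
SAMPLE_ERRORLOG = """
2025-09-30 10:15:02.12 Logon       Error: 18456, Severity: 14, State: 8.
2025-09-30 10:15:02.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-30 10:15:04.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-30 10:15:05.00 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2025-09-30 10:15:06.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-30 10:15:09.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-30 10:15:11.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-30 10:15:13.80 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2025-09-30 10:15:16.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2025-09-30 10:16:00.40 Logon       Login succeeded for user 'reports'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
2025-09-30 10:20:44.01 spid57      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
""".strip().splitlines()


def run_sample() -> list[dict]:
    """Analyze the constructed excerpt."""
    return analyze(SAMPLE_ERRORLOG)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Feed it the live ERRORLOG (or the output of xp_readerrorlog) and forward the alerts to your SIEM; pair the xp_cmdshell alert with process-creation telemetry showing sqlservr.exe spawning powershell.exe, which is the PowerShell download step the researchers describe.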

APT35 Expands Phishing Operations With Fake Video Conferencing Platforms 

Stormshield CTI analysts recently identified two active phishing servers tied to APT35, an Iranian state-sponsored espionage group also tracked as Charming Kitten and Mint Sandstorm. The group has spent years stealing login credentials from government, military, academic, and media organizations across the US, Europe, and the Middle East. In its latest campaign, APT35 stands up fake websites that imitate video conferencing platforms to lure victims into entering their usernames and passwords. Spoofed domains discovered so far include meet.go0gle[.]online and meet[.]video-connect[.]online, names chosen to resemble services targets already trust and use. By mimicking collaboration platforms, the attackers aim to catch targets during routine work, turning something as ordinary as a meeting invitation into an entry point for espionage.

What sets this campaign apart is both its persistence and its predictability. Researchers found dozens of domains linked to APT35, many registered only weeks earlier, showing the group's continued investment in infrastructure that looks legitimate on the surface. Analysts also identified repeating patterns, including distinctive webpage templates and recurring subdomain names, that give defenders a way to spot and disrupt the activity early. Many of the malicious sites include tracking features that record who clicks and interacts with the links. The ultimate goal is credentials that unlock sensitive email accounts, internal systems, or government portals. The techniques are not technically advanced, but they keep working because they exploit trust in familiar platforms. For organizations in sensitive sectors, awareness of these themes and early detection of lookalike meeting domains are critical to denying APT35 a foothold.
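The recurring-pattern point can be turned into a simple hunt. The script below is an added example (not from the article or Stormshield) that takes candidate hostnames, for instance from certificate transparency, passive DNS, or proxy logs, and flags those that put a meeting-themed label such as "meet" under a registrable domain that is not a real conferencing service, or whose second-level label matches a real brand once common homoglyph substitutions (0 for o, 1 for l, and so on) are undone. The allowlist of legitimate domains, the brand and keyword lists, and the rule that the registrable domain is the last two labels (which ignores multi-part public suffixes such as co.uk) are assumptions; the only real-world inputs are the two spoofed domains named above, which the script accepts in their defanged form.

```python
"""Flag lookalike video-conferencing hostnames of the kind used for credential phishing.

Added example, not from the original article or Stormshield. Allowlists and
keyword sets are assumptions to be tuned per organization; the two spoofed
domains in the sample input are the ones reported above, everything else is
constructed.
"""
import re

LEGIT_DOMAINS = {"google.com", "zoom.us", "microsoft.com", "webex.com"}   # real services (assumed allowlist)
BRANDS = {"google", "zoom", "microsoft", "webex", "teams"}               # brand tokens to protect
MEETING_WORDS = {"meet", "meeting", "conference", "webinar", "video", "call", "join"}

# Digits commonly swapped for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def refang(host: str) -> str:
    """Accept defanged indicators such as meet.go0gle[.]online."""
    return host.strip().lower().replace("[.]", ".").replace("(.)", ".")


def normalize(label: str) -> str:
    """Undo homoglyph substitutions so go0gle compares equal to google."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character near-misses of a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> list[str]:
    """Return reasons the hostname looks like a conferencing lookalike (empty = no concern)."""
    labels = refang(host).split(".")
    if len(labels) < 2:
        return []
    registrable = ".".join(labels[-2:])      # assumption: last two labels
    if registrable in LEGIT_DOMAINS:
        return []                            # real service, nothing to flag
    reasons = []

    # Rule a: meeting-themed subdomain (meet., join., ...) on an unapproved domain.
    themed = [l for l in labels[:-2] if normalize(l) in MEETING_WORDS]
    if themed:
        reasons.append(f"meeting-themed subdomain '{'.'.join(themed)}' on unapproved domain {registrable}")

    # Rule b: the registrable domain itself is meeting-themed or imitates a brand.
    tokens = re.split(r"[-_]", labels[-2])
    if any(t in MEETING_WORDS for t in tokens):
        reasons.append(f"meeting-themed registrable domain {registrable}")
    for token in tokens:
        norm = normalize(token)
        for brand in BRANDS:
            if token == brand:
                reasons.append(f"brand '{brand}' on unapproved domain {registrable}")
            elif norm == brand:
                reasons.append(f"homoglyph of '{brand}': {token}")
            elif len(brand) >= 5 and levenshtein(norm, brand) == 1:
                reasons.append(f"one edit away from '{brand}': {token}")
    return reasons


# Constructed candidate list; the first two are the spoofed domains reported above.
SAMPLE_HOSTS = [
    "meet.go0gle[.]online",
    "meet[.]video-connect[.]online",
    "meet.google.com",
    "teams.microsoft.com",
    "docs.example.com",
]


def scan(hosts=SAMPLE_HOSTS) -> dict[str, list[str]]:
    """Return only the hosts that produced at least one reason."""
    return {h: r for h in hosts if (r := classify(h))}


if __name__ == "__main__":
    for host, reasons in scan().items():
        print(host, "->", "; ".join(reasons))
```

Run scan() over newly observed hostnames from your DNS or proxy logs each day; hits on the homoglyph rule are worth an immediate look, while the meeting-themed rule is noisier and is best combined with registration age from WHOIS, since the reported domains were registered only weeks before use.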

💡
Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.