A new malware-as-a-service called Stanley promises Chrome extensions that can pass Google review and publish full-screen phishing overlays to the Chrome Web Store, a technical analysis by Varonis found. The report did not state when the service began operating.
KEY FACTS
- Incident New MaaS offering named Stanley markets malicious Chrome extensions
- Technique Full-screen iframe overlays hide phishing content while address bar shows the real site
- Capabilities Silent auto-install on Chrome, Edge, and Brave and persistent C2 polling
- Distribution Paid tiers up to a Luxe plan that offers a web panel and publishing support
Stanley overlays a webpage with a full-screen iframe that displays attacker-controlled phishing content while the browser address bar continues to show the legitimate domain.
The extension can push browser notifications and enable or disable hijacking rules from an operator panel. It supports IP-based victim identification and geographic targeting across sessions and devices.
Operators can access multiple subscription tiers. The most expensive Luxe plan includes a web panel and full support for publishing the malicious extension to the Chrome Web Store.
The extension performs persistent command and control polling about every 10 seconds and can rotate backup domains for resilience. The code reportedly uses simple techniques and contains rough elements such as Russian comments and empty error handlers.
WHY IT MATTERS
Extensions that bypass store review can reach many users under a trusted publisher label. Users should limit installed extensions, read reviews, and verify publisher trustworthiness to reduce risk.