Stanley MaaS markets malicious Chrome-extension phishing service
Threat Actor Meta
Summary
Hide ▲
Show ▼
Stanley is a malware-as-a-service (MaaS) platform for malicious Chrome extensions that helps operators deliver phishing pages through the browser while keeping the legitimate URL visible in the address bar. It is notable for packaging browser-extension abuse into a subscription service with silent auto-installation for Chrome, Edge, and Brave, full-screen iframe overlays, and controls for victim targeting and persistent C2 polling.
Related Happenings
DuckDuckGo browser rolls out built-in YouTube ad blocking on iOS, Mac, Windows, and Android
Security Tool/Service
H score11
First: 08.07.2026 15:00
Last: 08.07.2026 15:00
Sources 1
About this happening:
DuckDuckGo's browser added **built-in YouTube ad blocking**, reducing interruptions for people watching videos on the standard **YouTube** site. The rollout is enabled by default...
DuckDuckGo browser rolls out built-in YouTube ad blocking on iOS, Mac, Windows, and Android
Security Tool/ServiceAbout this happening: DuckDuckGo's browser added **built-in YouTube ad blocking**, reducing interruptions for people watching videos on the standard **YouTube** site. The rollout is enabled by default...
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical Analysis
H score34
First: 25.06.2026 18:00
Last: 25.06.2026 18:00
Sources 1
About this happening:
**Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Bluekit adopts rrweb-based BitM session streaming for login theft
Technical AnalysisAbout this happening: **Bluekit** has added **browser-in-the-middle (BitM)** login theft to its phishing stack, increasing the risk of **session-token theft** and **account takeover**. The mechanism us...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Timeline
-
27.01.2026 01:46 3 articles · 5mo ago
Stanley MaaS for malicious Chrome extensions is disclosed
Initial DisclosureVaronis discloses a new malware-as-a-service named Stanley that markets malicious Chrome extensions designed to pass Google review and reach the Chrome Web Store. The service advertises full-screen iframe phishing overlays that hide the real address bar, silent auto-installation on Chrome, Edge, and Brave, a Luxe Plan with a web panel and publishing support, IP-based victim identification, geographic targeting, on-demand hijacking rules, push notifications in the victim’s browser, and persistent C2 polling with backup domain rotation.
Show sources
- New malware service guarantees phishing extensions on Chrome web store — www.bleepingcomputer.com — 27.01.2026 01:46
- New malware service guarantees phishing extensions on Chrome web store — www.bleepingcomputer.com — 27.01.2026 01:46
- Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access — thehackernews.com — 30.01.2026 15:42