Stanley MaaS markets malicious Chrome-extension phishing service
Threat Actor Meta
Summary
Hide ▲
Show ▼
Stanley is a malware-as-a-service (MaaS) platform for malicious Chrome extensions that helps operators deliver phishing pages through the browser while keeping the legitimate URL visible in the address bar. It is notable for packaging browser-extension abuse into a subscription service with silent auto-installation for Chrome, Edge, and Brave, full-screen iframe overlays, and controls for victim targeting and persistent C2 polling.
Related Happenings
Versa Networks launches Secure Enterprise Browser to extend SASE policies into the browser workspace
Security Tool/Service
First: 22.05.2026 18:43
Last: 22.05.2026 18:43
Sources 1
About this happening:
Versa Networks **released** a **Secure Enterprise Browser** that extends **SASE policies** directly into the **browser workspace**, giving the company a browser-level control poin...
Versa Networks launches Secure Enterprise Browser to extend SASE policies into the browser workspace
Security Tool/ServiceAbout this happening: Versa Networks **released** a **Secure Enterprise Browser** that extends **SASE policies** directly into the **browser workspace**, giving the company a browser-level control poin...
Chromium JavaScript background RCE flaw
Vulnerability
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chromium JavaScript background RCE flaw
VulnerabilityAbout this happening: The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Google expands Gemini AI for malicious ad blocking on Google Ads
Security Tool/Service
First: 16.04.2026 18:24
Last: 16.04.2026 18:24
Sources 1
About this happening:
**Google** expanded **Gemini AI** use across its ad platforms to detect and block **malicious ads** in real time, reducing scam and malvertising exposure at scale. The move matter...
Google expands Gemini AI for malicious ad blocking on Google Ads
Security Tool/ServiceAbout this happening: **Google** expanded **Gemini AI** use across its ad platforms to detect and block **malicious ads** in real time, reducing scam and malvertising exposure at scale. The move matter...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Chrome Web Store malicious extensions coordinated campaign using shared C2
CampaignAbout this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Chrome extension campaign
Campaign
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Chrome extension campaign
CampaignAbout this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
Timeline
-
27.01.2026 01:46 3 articles · 4mo ago
Stanley MaaS for malicious Chrome extensions is disclosed
Initial DisclosureVaronis discloses a new malware-as-a-service named Stanley that markets malicious Chrome extensions designed to pass Google review and reach the Chrome Web Store. The service advertises full-screen iframe phishing overlays that hide the real address bar, silent auto-installation on Chrome, Edge, and Brave, a Luxe Plan with a web panel and publishing support, IP-based victim identification, geographic targeting, on-demand hijacking rules, push notifications in the victim’s browser, and persistent C2 polling with backup domain rotation.
Show sources
- New malware service guarantees phishing extensions on Chrome web store — www.bleepingcomputer.com — 27.01.2026 01:46
- New malware service guarantees phishing extensions on Chrome web store — www.bleepingcomputer.com — 27.01.2026 01:46
- Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access — thehackernews.com — 30.01.2026 15:42