ShieldGuard browser-extension data-harvesting malware

Malware Activity
First reported
Last updated
Happening score
H score 21
1 unique source, 1 article

Summary

A malicious ShieldGuard browser extension was dismantled after it was found harvesting sensitive data from crypto users, putting wallet and account information at risk. The extension targeted Binance, Coinbase, MetaMask, and Google services, and could execute remote code through a C2 server. The activity mattered because it could capture balances, transaction histories, and portfolio data while bypassing normal browser protections.

Related Happenings

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Gmail adds enterprise E2EE on Android and iOS

Security Tool/Service
First: 13.04.2026 11:31 Last: 13.04.2026 11:31 Sources 1

About this happening: **Google Gmail** now offers **end-to-end encryption (E2EE)** for **enterprise users** on **Android and iOS**, adding a concrete privacy control for mobile email. The rollout matte...

Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft

Security Tool/Service
First: 09.04.2026 21:33 Last: 09.04.2026 21:33 Sources 1

About this happening: Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...

Torg Grabber browser-extension theft activity

Malware Activity
First: 25.03.2026 20:32 Last: 25.03.2026 20:32 Sources 1

About this happening: The **Torg Grabber** infostealer is actively stealing data from **850 browser extensions**, including **728 cryptocurrency wallet extensions**, which raises the risk of account ta...

Timeline

  1. 18.03.2026 16:15 2 articles · 2mo ago

    ShieldGuard identified as a malicious browser extension and disrupted

    Technical Analysis Update

    Okta Threat Intelligence identified ShieldGuard as a malicious browser extension that masqueraded as a crypto security tool. It harvested wallet addresses, captured full HTML from Binance, Coinbase and MetaMask after login, tracked users across sessions, targeted Google services, and used obfuscation plus a custom JavaScript interpreter to bypass Chrome security restrictions. Researchers also linked the operators to Radex and noted language indicators suggesting Russian-speaking actors. Okta and industry partners removed the extension from the Chrome Web Store, took down associated domains, disabled backend infrastructure, and blocked user sign-in functionality.