Cyberspies use Google Chrome extension to steal emails undetected

Folks I have warned you stop using Chrome..Firefox with

By Sergiu Gatlan July 28, 2022
A North Korean-backed threat group tracked as Kimsuky is using a malicious browser extension to steal emails from Google Chrome or Microsoft Edge users reading their webmail.

The extension, dubbed SHARPEXT by Volexity researchers who spotted this campaign in September, supports three Chromium-based web browsers (Chrome, Edge, and Whale) and can steal mail from Gmail and AOL accounts.

The attackers install the malicious extension after compromising a target’s system using a custom VBS script by replacing the ‘Preferences’ and ‘Secure Preferences’ files with ones downloaded from the malware’s command-and-control server.

Once the new preferences files are downloaded on the infected device, the web browser automatically loads the SHARPEXT extension.

“The malware directly inspects and exfiltrates data from a victim’s webmail account as they browse it,” Volexity said Thursday.

“Since its discovery, the extension has evolved and is currently at version 3.0, based on the internal versioning system.”

As Volexity further revealed today, this latest campaign aligns with previous Kimsuky attacks as it also deploys the SHARPEXT “in targeted attacks on foreign policy, nuclear and other individuals of strategic interest” in the United States, Europe, and South Korea.

Article (

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient