
Malicious Browser Extensions Target Latin American Users, Infecting Over 700 Since Early 2025

In early 2025, cybersecurity researchers uncovered a widespread campaign that infected over 700 users across Latin America with malicious browser extensions targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, and Brave. This attack highlights an urgent concern for online security, especially among small business owners and everyday internet users who rely heavily on web browsers for communication and financial transactions.

How the Attack Unfolded

The campaign began with targeted phishing emails disguised as seemingly legitimate invoices. These emails encouraged recipients to open attachments or click embedded links that initiated a multi-stage infection process. The key stages included:

  • Batch Script Execution: The attached files contained batch scripts that launched a PowerShell script on the victim’s system.
  • Environment Checks: The PowerShell script checked whether it was running inside a virtual machine and searched for security software such as Diebold Warsaw, a plugin commonly used in Brazilian banking and e-commerce to safeguard transactions.
  • Persistence and Control: The script disabled Windows User Account Control (UAC), set itself up to run automatically on reboot, and connected back to a remote server to await commands.

The Malicious Browser Extension: What Does It Do?

The extension, once installed, could execute malicious JavaScript code on pages associated with Banco do Brasil, a major bank in Brazil. It steals user authentication tokens and sends them to attacker-controlled servers. Additionally, it can display deceptive loading screens or malicious QR codes to deceive victims further. This clever functionality points to a sophisticated operation focused on banking credential theft.

Scope and Distribution Methods

The malicious extensions were downloaded over 700 times from countries including Brazil, Colombia, Mexico, Russia, Vietnam, and the Czech Republic, affecting at least 70 unique companies and numerous regular users. Attackers also disguised their payloads as installers for remote access software such as MeshCentral Agent and PDQ Connect Agent, widening their reach without drawing attention.

Why Small Businesses Should Be Concerned

Small businesses often depend on web browsers for daily operations, including online banking, communications, and cloud services. A malicious extension can compromise sensitive data, lead to unauthorized access, and cause reputational damage. The fact that some phishing emails were sent from compromised organizational servers also highlights risks within corporate environments, making vigilance critical.

Protect Yourself: Best Practices Against Malicious Extensions

  • Install Extensions Only from Official Stores: Use trusted sources like the official Chrome Web Store and avoid sideloading browser add-ons.
  • Review Extensions Regularly: Periodically check and remove unnecessary or unfamiliar extensions.
  • Stay Alert to Phishing Attempts: Always verify unexpected emails, especially those urging you to download files or provide credentials.
  • Use Security Software: Employ reputable antivirus and anti-malware tools capable of detecting malicious browser extensions.
  • Educate Your Team: Small businesses should train employees to recognize threats and encourage safe browsing habits.
  • Leverage Professional Cybersecurity Services: Consider partnering with cybersecurity experts for advanced protection, monitoring, and incident response capabilities.
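As an added example (not code from the article or from the researchers it summarizes), the script below shows one way to act on the "Review Extensions Regularly" advice: it walks a Chromium profile's Extensions folder, reads each extension's manifest.json, and flags the traits the campaign described above relied on, namely an extension that was not installed from a store, that asks for permissions able to read cookies or inject scripts, or that targets a bank's pages. The profile paths, the high-risk permission list and the watched-host list are assumptions chosen for this example (bb.com.br is assumed to be Banco do Brasil's domain); the two sample manifests are constructed so the script runs stand-alone.

```python
"""Audit Chromium extension manifests for indicators that merit review."""
import json
import os
from pathlib import Path

# Default Chromium profile directories on Windows (assumption: standard install paths;
# add other profiles or operating systems as needed).
PROFILE_DIRS = {
    "Chrome": r"%LOCALAPPDATA%\Google\Chrome\User Data\Default",
    "Edge": r"%LOCALAPPDATA%\Microsoft\Edge\User Data\Default",
    "Brave": r"%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default",
}

# Update endpoints of stores the organisation trusts. Extensions installed from the
# Chrome Web Store carry this update_url; add the endpoint of any other store you allow.
KNOWN_STORE_UPDATE_URLS = {"https://clients2.google.com/service/update2/crx"}

# Permissions that let an extension read sessions or alter page content and traffic
# (triage list chosen for this example, not an official ranking).
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
    "scripting", "tabs", "debugger", "nativeMessaging", "proxy",
}

# Host fragments to flag when an extension asks for access to them
# (constructed watch list; bb.com.br assumed to be Banco do Brasil's domain).
WATCHED_HOSTS = ("bb.com.br",)


def host_patterns(manifest):
    """Collect every host match pattern the manifest declares (MV2 and MV3 locations)."""
    patterns = []
    for key in ("permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                patterns.append(entry)
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    return patterns


def audit_manifest(manifest):
    """Return a list of human-readable findings for one extension manifest."""
    findings = []
    if manifest.get("update_url") not in KNOWN_STORE_UPDATE_URLS:
        findings.append("update_url missing or not a known store: likely sideloaded")
    risky = sorted(p for p in manifest.get("permissions", []) if p in HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    patterns = host_patterns(manifest)
    if "<all_urls>" in patterns or any(
        p.startswith(("*://*/", "http://*/", "https://*/")) for p in patterns
    ):
        findings.append("requests access to all sites")
    watched = sorted({p for p in patterns if any(h in p for h in WATCHED_HOSTS)})
    if watched:
        findings.append("targets watched hosts: " + ", ".join(watched))
    if manifest.get("content_scripts"):
        findings.append("injects content scripts into pages")
    return findings


def audit_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each extension."""
    results = {}
    root = Path(profile_dir)
    if not root.is_dir():
        return results
    for manifest_path in root.glob("Extensions/*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            results[ext_id] = [f"unreadable manifest: {exc}"]
            continue
        results[ext_id] = audit_manifest(manifest)
    return results


# Constructed sample manifests: a typical store-installed extension and a sideloaded
# one shaped like the behaviour the article describes.
SAMPLE_MANIFESTS = {
    "store_installed": {
        "manifest_version": 3,
        "name": "Example Store Extension",
        "update_url": "https://clients2.google.com/service/update2/crx",
        "permissions": ["storage"],
    },
    "sideloaded": {
        "manifest_version": 3,
        "name": "Example Sideloaded Extension",
        "permissions": ["cookies", "scripting", "storage"],
        "host_permissions": ["*://*.bb.com.br/*"],
        "content_scripts": [{"matches": ["*://*.bb.com.br/*"], "js": ["inject.js"]}],
    },
}

if __name__ == "__main__":
    for name, manifest in SAMPLE_MANIFESTS.items():
        print(name, "->", audit_manifest(manifest) or ["no findings"])
    for browser, path in PROFILE_DIRS.items():
        for ext_id, findings in audit_profile(os.path.expandvars(path)).items():
            print(browser, ext_id, findings or ["no findings"])
```

A clean result is not proof of safety: a store-installed extension can still be malicious, so treat the findings as a triage list and compare unfamiliar extension IDs against the list of add-ons the organisation has approved.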

Our comprehensive cybersecurity solutions can help safeguard your business from emerging threats like malicious browser extensions. Explore our services to strengthen your defenses today.

Conclusion

The rise in malicious browser extension infections across Latin America since early 2025 is a stark reminder that online threats continue to evolve. By understanding attack methodologies and implementing vigilant security practices, small business owners can protect their operations and sensitive data from harm. Staying informed and proactive is your best defense.

Ready to enhance your cybersecurity posture? Contact us to learn how we can assist you in combating these sophisticated cyber threats.
