- The “Google Notes” disguise
- Server-side wallet mapping
Cybersecurity researchers at McAfee Advanced Threat Research have uncovered an especially subtle cryptocurrency-stealing malware campaign dubbed “Silent Swap.”
It relies on a malicious browser extension that intercepts and modifies the user’s clipboard, swapping legitimate cryptocurrency wallet addresses for attacker-controlled ones.
The bad actors are after Bitcoin (BTC), Ethereum (ETH), XRP, Bitcoin Cash, Dash, as well as other cryptocurrencies.
Silent Swap differs from primitive “crypto clippers” because of its alarming degree of sophistication.
The campaign relies on advanced browser manipulation, decentralized command-and-control (C2) infrastructure, and other cutting-edge techniques.
The “Google Notes” disguise
The infection typically begins with the victim downloading unsigned .NET or Golang installers. They are often disguised as free or cracked versions of legitimate software.
The installer then deploys a malicious extension that masquerades as a benign “Google Notes” app.
By tampering with the browser’s configuration files, Silent Swap forcibly sideloads itself into Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, and Opera.
Normally, Chromium browsers store security verification data that guards those configuration files against tampering. Silent Swap bypasses this protection by recalculating and updating the verification values after injecting its code.
The “Google Notes” extension, once installed on an unsuspecting victim’s machine, grants itself invasive permissions.
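The sideloading step above leaves traces a defender can look for: an entry in the profile’s extension settings that did not come from the Web Store, points at a path outside the profile, and asks for clipboard access. The following Python script is an added example (not McAfee’s tooling and not code from the campaign) that scans a Chromium-style `extensions.settings` section for such entries. The key names `extensions.settings`, `from_webstore`, `path` and `manifest` are Chromium’s; the extension ids, names and paths in the embedded sample are constructed for this example, and the list of permissions treated as risky is this example’s own choice.

```python
import json
import os

# Constructed sample of the "extensions.settings" section of a Chromium
# Preferences / Secure Preferences file. Ids, names and paths are made up;
# only the key names follow Chromium's layout.
SAMPLE_PREFS = json.loads(r"""
{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
        "state": 1,
        "manifest": {"name": "Example Store Extension",
                     "permissions": ["storage", "tabs"]}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\GoogleNotes",
        "state": 1,
        "manifest": {"name": "Google Notes",
                     "permissions": ["clipboardRead", "clipboardWrite", "<all_urls>"]}
      }
    }
  }
}
""")

# Permissions that let an extension read or rewrite what the user copies
# or touch every site; this set is an assumption of the example.
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "<all_urls>"}


def is_absolute_path(p: str) -> bool:
    """Web Store installs use a path relative to the profile's Extensions
    directory; an absolute path means the code was loaded from elsewhere.
    The extra check handles Windows drive paths when run on POSIX."""
    return os.path.isabs(p) or (len(p) > 2 and p[1] == ":" and p[2] in "\\/")


def find_sideloaded(prefs: dict) -> list:
    """Return entries that were not installed from the Web Store or were
    loaded from an absolute path, annotated with any risky permissions."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, entry in settings.items():
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not from Web Store")
        if is_absolute_path(entry.get("path", "")):
            reasons.append("loaded from absolute path")
        if not reasons:
            continue  # ordinary store install, nothing to report
        manifest = entry.get("manifest", {})
        risky = sorted(set(manifest.get("permissions", [])) & RISKY_PERMISSIONS)
        if risky:
            reasons.append("risky permissions: " + ", ".join(risky))
        findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                         "reasons": reasons})
    return findings


def scan_file(path: str) -> list:
    """Load a real Preferences or Secure Preferences file and scan it."""
    with open(path, "r", encoding="utf-8") as fh:
        return find_sideloaded(json.load(fh))


if __name__ == "__main__":
    for f in find_sideloaded(SAMPLE_PREFS):
        print(f"{f['id']}  {f['name']}: {'; '.join(f['reasons'])}")
```

Run it against a live profile with `scan_file(".../User Data/Default/Secure Preferences")` (path assumed; it varies by browser and OS). The script deliberately does not verify the stored integrity values: those are keyed per machine, and, as the article notes, this campaign recomputes them anyway, so the presence of a non-store extension with clipboard permissions is the more reliable signal.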
Server-side wallet mapping
As soon as the extension detects a copied address matching the regex patterns for BTC, ETH, XRP, Bitcoin Cash, or Dash, it does not use a hardcoded replacement. Instead, it queries the attacker’s backend server.
The malicious actors behind Silent Swap also do not hardcode their command-and-control (C2) domains into the malware. Instead, they use a technique called “EtherHiding.”
Silent Swap has a globally distributed infection footprint, with a particularly high concentration of victims in India.

