Dormant Colors IoC Expansion | WhoisXML API


Dormant Colors IoC Expansion: Don’t Install Browser Extensions from These Domains

A malvertising campaign dubbed “Dormant Colors” has had more than 1 million malicious browser extension installs.[1] The threat actors can hijack web searches and inject affiliate links through these extensions.

Building on published indicators of compromise (IoCs)[2] related to the campaign, WhoisXML API researchers uncovered:

  • Four name servers common to all of the IoCs
  • 1,500+ domains that shared the IoCs’ name servers
  • 600+ domains that shared the IoCs’ WHOIS details and text strings
  • 200+ domains that shared the IoCs’ IP hosts, registrars, and registrant details
  • Some IoCs and artifacts that hosted similar questionable content
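
As an added illustration of the infrastructure pivots listed above (example code, not WhoisXML API's or the report's own tooling), the script below takes a few seed IoC domains, finds the name servers common to all of them, and scores other domains by how many attributes (name servers, registrar, IP host) they share with the seeds. Every domain, name server, registrar and IP address in it is a constructed placeholder, and the scoring threshold is an assumption.

```python
# Added example: IoC expansion by pivoting on infrastructure shared with seed
# indicators. All records below are constructed placeholders, not real data.
RECORDS = {
    "seed-one.example":  {"ns": {"ns1.host.example", "ns2.host.example"},
                          "registrar": "Reg-A", "ip": "192.0.2.10"},
    "seed-two.example":  {"ns": {"ns1.host.example", "ns2.host.example"},
                          "registrar": "Reg-A", "ip": "192.0.2.11"},
    "sibling-a.example": {"ns": {"ns1.host.example", "ns2.host.example"},
                          "registrar": "Reg-A", "ip": "192.0.2.10"},
    "sibling-b.example": {"ns": {"ns1.host.example", "ns2.host.example"},
                          "registrar": "Reg-B", "ip": "198.51.100.5"},
    "unrelated.example": {"ns": {"ns1.other.example"},
                          "registrar": "Reg-A", "ip": "203.0.113.9"},
}
SEEDS = ["seed-one.example", "seed-two.example"]


def common_name_servers(records, seeds):
    """Name servers shared by every seed IoC (the first pivot in the report)."""
    sets = [records[d]["ns"] for d in seeds]
    return set.intersection(*sets) if sets else set()


def expand(records, seeds, min_score=1):
    """Score non-seed domains by the number of seed attributes they share.

    A domain counts as sharing name servers only if it uses all of the name
    servers common to the seeds. A single weak attribute (e.g. a popular
    registrar) is low-confidence evidence, so callers can raise min_score.
    Returns {domain: {"shared": [...], "score": n}}, highest score first.
    """
    common_ns = common_name_servers(records, seeds)
    seed_registrars = {records[d]["registrar"] for d in seeds}
    seed_ips = {records[d]["ip"] for d in seeds}
    hits = {}
    for dom, rec in records.items():
        if dom in seeds:
            continue
        shared = []
        if common_ns and common_ns <= rec["ns"]:
            shared.append("name_servers")
        if rec["registrar"] in seed_registrars:
            shared.append("registrar")
        if rec["ip"] in seed_ips:
            shared.append("ip")
        if len(shared) >= min_score:
            hits[dom] = {"shared": shared, "score": len(shared)}
    return dict(sorted(hits.items(), key=lambda kv: (-kv[1]["score"], kv[0])))


if __name__ == "__main__":
    print("common name servers:", sorted(common_name_servers(RECORDS, SEEDS)))
    for dom, info in expand(RECORDS, SEEDS).items():
        print(f"{dom}: score={info['score']} shared={info['shared']}")
```

In practice the weak single-attribute matches (here `unrelated.example`, which only shares a registrar) are the ones to review by hand before treating them as campaign infrastructure.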

Get access to our findings and uncover more on your own. Download the report now.

  • [1] https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/
  • [2] https://guardiosecurity.medium.com/dormant-colors-live-campaign-with-over-1m-data-stealing-extensions-installed-9a9a459b5849