A malvertising campaign dubbed “Dormant Colors” has had more than 1 million malicious browser extension installs.1 The threat actors can hijack web searches and inject affiliate links through these extensions.
Building on published indicators of compromise (IoCs)2 related to the campaign, WhoisXML API researchers uncovered:
- Four name servers common to all of the IoCs
- 1,500+ domains that shared the IoCs’ name servers
- 600+ domains that shared the IoCs’ WHOIS details and text strings
- 200+ domains that shared the IoCs’ IP hosts, registrars, and registrant details
- Some IoCs and artifacts that hosted similar questionable content
Get access to our findings and uncover more on your own. Download the report now.
—
- [1] https://www.bleepingcomputer.com/news/security/chrome-extensions-with-1-million-installs-hijack-targets-browsers/
- [2] https://guardiosecurity.medium.com/dormant-colors-live-campaign-with-over-1m-data-stealing-extensions-installed-9a9a459b5849