The Extended Reach of the Extension Trojan Campaign in the DNS | WhoisXML API


The Extension Trojan, first observed in 2021, has resurfaced in a recent campaign that has affected more than 300,000 users worldwide [1].

Researchers identified 22 indicators of compromise (IoCs) tied to the attack earlier this August, but more artifacts could remain in the DNS.

The WhoisXML API research team’s in-depth analysis of the threat led to the discovery of:

  • 84 email-connected domains (domains sharing registrant email addresses with the IoCs)
  • 28 IP addresses, 24 of which were flagged as malicious
  • 38 string-connected domains (domains containing text strings found in the IoCs)

Since the Extension Trojan abuses browser extensions, we also looked for signs of typosquatting in the DNS and uncovered more than a hundred domains potentially mimicking the names of widely used search-related browser extensions.
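To make the string-connected and typosquatting pivots concrete, here is an added example (not WhoisXML API code, and not the report's data) that scans a domain list for labels that match, contain, or sit within a small edit distance of a set of seed names. The seed names (`SEEDS`) and candidate domains (`CANDIDATES`) are constructed for the example and stand in for extension names and a newly registered domain or passive DNS feed; the `registrable_label` helper assumes single-label TLDs and would need a public suffix list for suffixes such as `co.uk`.

```python
"""Flag domains that mimic seed names by exact match, containment or edit distance.

Added example, not WhoisXML API code. SEEDS and CANDIDATES are constructed
placeholders, not the IoCs or extension names from the report.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed seed strings standing in for popular extension names.
SEEDS = ["searchmaster", "quickfind", "webfinder"]

# Constructed candidate domains, as a domain feed might deliver them.
CANDIDATES = [
    "searchmaster.com",          # exact label (legitimate or a cross-TLD squat)
    "searchmastr.com",           # single-character deletion
    "serachmaster.net",          # transposition of two letters
    "search-master-update.xyz",  # seed embedded in a longer label
    "quickf1nd.com",             # digit substituted for a letter
    "webfinder-ext.top",         # seed plus a suffix
    "example.org",               # unrelated, should not be flagged
]


@dataclass
class Finding:
    domain: str
    seed: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD.

    Assumption: single-label TLDs only; multi-label public suffixes such as
    co.uk would need a public suffix list.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(domain: str, seeds: List[str], max_distance: int = 2) -> Optional[Finding]:
    """Match one domain against the seeds; return None when nothing looks like a seed."""
    label = registrable_label(domain)
    compact = label.replace("-", "")  # hyphens are a common squatting padding
    best = None
    for seed in seeds:
        if compact == seed:
            return Finding(domain, seed, "exact label")
        if seed in compact:
            return Finding(domain, seed, "contains seed")
        d = levenshtein(compact, seed)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, seed)
    if best is not None:
        return Finding(domain, best[1], f"edit distance {best[0]}")
    return None


def scan(domains: List[str], seeds: List[str]) -> List[Finding]:
    """Run classify() over a feed and keep only the hits."""
    return [f for f in (classify(d, seeds) for d in domains) if f is not None]


if __name__ == "__main__":
    for finding in scan(CANDIDATES, SEEDS):
        print(f"{finding.domain:28} {finding.seed:14} {finding.reason}")
```

Hits from a scan like this are leads, not verdicts: an exact or near match still has to be checked against WHOIS ownership, resolution history and content before it is treated as part of the campaign, which is why the report lists these domains as potentially, rather than confirmed, malicious.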

Download a sample of the threat research materials now or contact sales to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

  • [1] https://reasonlabs.com/research/new-widespread-extension-trojan-malware-campaign