A sophisticated cybercriminal operation known as GreedyBear has orchestrated one of the most extensive cryptocurrency theft campaigns to date, deploying over 650 malicious tools across multiple attack vectors to steal more than $1 million from unsuspecting victims.<\/p>\n
Unlike traditional threat groups that typically specialize in single attack methods, GreedyBear has adopted an industrial-scale approach, simultaneously operating malicious browser extensions, distributing hundreds of malware executables, and maintaining elaborate phishing infrastructure.<\/p>\n
The campaign represents a significant escalation in cybercriminal operations, utilizing over 150 weaponized Firefox extensions, nearly 500 malicious Windows executables, and dozens of fraudulent websites masquerading as legitimate cryptocurrency services<\/a>.<\/p>\n All attack components converge on a centralized command-and-control infrastructure, with domains resolving to the IP address 185.208.156.66, enabling streamlined coordination across multiple threat vectors.<\/p>\n What distinguishes GreedyBear from conventional cybercriminal operations is its systematic approach to scaling attacks using artificial intelligence.<\/p>\n Analysis of the campaign\u2019s code reveals clear signatures of AI-generated artifacts, allowing attackers to rapidly produce diverse payloads while evading traditional detection mechanisms.<\/p>\n Koi Security researchers identified<\/a> this evolution as part of a broader trend where cybercriminals leverage advanced AI tooling to accelerate attack development and deployment.<\/p>\n The threat group\u2019s browser extension strategy employs a sophisticated technique termed \u201cExtension Hollowing\u201d to circumvent marketplace security controls.<\/p>\n Rather than attempting to sneak malicious extensions past initial reviews, operators first establish legitimate publisher profiles by uploading innocuous utilities such as link sanitizers and YouTube downloaders.<\/p>\n After accumulating positive reviews and user trust, they systematically \u201chollow out\u201d these extensions, replacing legitimate functionality with credential-harvesting code while preserving the established reputation.<\/p>\n The weaponized extensions demonstrate remarkable technical sophistication in their credential extraction capabilities.<\/p>\n Each malicious extension targets popular cryptocurrency wallets<\/a> including MetaMask, TronLink, Exodus, and Rabby Wallet by precisely mimicking their authentic interfaces.<\/p>\n The malware<\/a> captures wallet credentials directly from user input fields within the extension\u2019s popup interface, employing JavaScript functions that intercept form submissions before they reach legitimate validation processes.<\/p>\n During initialization, the extensions execute additional surveillance<\/a> functions, transmitting victims\u2019 external IP addresses to remote servers for tracking and potential targeting purposes.<\/p>\n This data collection enables operators to build comprehensive victim profiles while maintaining operational security through distributed infrastructure.<\/p>\n The code snippets reveal standardized credential exfiltration routines across all extensions, suggesting centralized development and deployment protocols that enable rapid scaling of malicious operations while maintaining consistency in attack execution.<\/p>\n Equip your SOC with full access to the latest threat data from\u00a0ANY.RUN TI Lookup<\/strong>\u00a0that can Improve incident response ->\u00a0Get 14-day\u00a0Free\u00a0Trial<\/a><\/strong><\/p>\n The post Biggest Ever GreedyBear Attack With 650 Hacking Tools Stolen $1 Million from Victims<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjPo-a198cZpd3vxa396JB-datZ1a79jctzdL7uQGQnNt-kviByECIjF63oGDecmSLp_fj5m91O94eSpfk7P7Cx9PXgOZWPoh8h20oc5Xv1nNI_ihAdr_XyvkEBB9_jIjBl3DUfRkZA3c9GXNKmwtSM1nmOiPJ4lYfgBwKDFeo0zplO5XYlJp5fx64osqw\/s16000\/Generic%2520extensions%2520uploaded%2520by%2520the%2520attacker%2520before%2520weaponized%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
Advanced Credential Harvesting Mechanisms<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgEN6Afrx51lvtOL80D0MN5G6C7spf3ySmuHDFu3fjUzpxkL6P-bL_KKKUAL9JSiB9XtXNAP6T0EUrX1_HNZlnS1Uj7rPyNqITbZfZwgXY3psTU9s5cQ037rD356Txy2GTSGxwJWx3YZnktFZvvKJ758Va-5UXtJTXy3gnn2yHOtL4n0nLCdFQSw98B-e8\/s16000\/One%2520of%2520the%2520trojans%2520download%2520page%2520from%2520rsload.net%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiRARDD4_ebUN2P-mXPz6PP55Vv_Ugj_-JgFqKRYlkEn3X_Vs5ndqHV9xgwn4Ei2g2p4-FVeWe3WSX6h2akXwbODBAIITXjeD23U77VGrqig5sZ5qZpfBmGJKy0VUjI3q66wd9wuuWh1v8S-kRG9_a9F7Qu9PLOhQINEdFDgz1jvQN6eyo5QT18qgdZ4UY\/s16000\/Wallet-repair%2520services%2520claiming%2520to%2520fix%2520Trezor%2520devices%2520%28Source%2520-%2520Medium%29.webp?ssl=1\")