Cybersecurity researchers at McAfee Advanced Threat Research have uncovered an extremely sophisticated cryptocurrency-stealing malware campaign dubbed “Silent Swap.”
It relies on a malicious browser extension that intercepts and modifies the user’s clipboard, swapping legitimate cryptocurrency wallet addresses for fake ones.
The bad actors are hunting for Bitcoin (BTC), Ethereum (ETH), XRP, Bitcoin Cash, Dash, as well as other cryptocurrencies.
Silent Swap is different from primitive “crypto clippers” due to its alarming level of sophistication.
The campaign relies on advanced browser manipulation, decentralized command-and-control (C2) infrastructure, and other cutting-edge techniques.
The “Google Notes” disguise
The infection typically begins with the victim downloading unsigned .NET or Golang installers. They are often disguised as free or cracked versions of legitimate software.
The installer then deploys a malicious extension that masquerades as a benign “Google Notes” application.
By tampering with the browser’s configuration files, Silent Swap forcibly sideloads itself into Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, and Opera.
Normally, Chromium browsers store security verification data to detect this kind of tampering. Silent Swap bypasses this defense by recalculating and updating these security values after injecting its code.
The “Google Notes” extension, which gets installed by uninitiated victims, grants itself invasive permissions.
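Because the malware recalculates the browser's own verification values, the browser will not flag the sideloaded entry, so an external audit of the profile is useful. The following is an added example, not code from McAfee or from the campaign: it assumes the per-extension records live under `extensions.settings` in the profile's preferences JSON with `from_webstore` and `manifest` fields, and the "invasive" permission set and the sample data are constructed for illustration.

```python
import json

# Assumption (not from the article): a Chromium profile's "Secure Preferences" or
# "Preferences" JSON keeps one record per extension under extensions.settings.
RISKY_PERMS = {"clipboardRead", "clipboardWrite", "<all_urls>"}  # assumed "invasive" set
LURE_NAMES = {"google notes"}  # disguise named in the article


def audit_extensions(prefs_text):
    """Return (ext_id, name, reasons) for extensions that deserve a manual look."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, rec in settings.items():
        manifest = rec.get("manifest") or {}  # may be absent for some install types
        name = manifest.get("name", "<no cached manifest>")
        declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        risky = sorted({p for p in declared if isinstance(p, str) and p in RISKY_PERMS})
        sideloaded = not rec.get("from_webstore", False)
        lure = name.strip().lower() in LURE_NAMES
        # Store extensions with broad permissions are common, so permissions alone
        # do not trigger a finding; sideloading or the lure name does.
        if not (sideloaded or lure):
            continue
        reasons = []
        if sideloaded:
            reasons.append("not installed from the Web Store")
        if lure:
            reasons.append("name matches the 'Google Notes' lure")
        if risky:
            reasons.append("permissions: " + ", ".join(risky))
        findings.append((ext_id, name, reasons))
    return findings


# Constructed sample profile data (IDs, names and paths are made up).
SAMPLE = json.dumps({"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "path": "constructed/store/1.0_0",
               "manifest": {"name": "Example Ad Filter",
                            "permissions": ["storage", "<all_urls>"]}},
    "b" * 32: {"from_webstore": False, "path": "constructed/sideloaded/notes",
               "manifest": {"name": "Google Notes",
                            "permissions": ["clipboardRead", "clipboardWrite", "tabs"]}},
}}})

if __name__ == "__main__":
    for ext_id, name, reasons in audit_extensions(SAMPLE):
        print(f"{ext_id}  {name}: " + "; ".join(reasons))
```

To use it on a real machine, pass in the text of each browser profile's preferences file; a finding is a prompt for manual review, not proof of infection.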
Server-side wallet mapping
As soon as the extension detects a copied address matching the regex patterns for BTC, ETH, XRP, Bitcoin Cash, or Dash, it does not use a hardcoded replacement. Instead, it queries the attacker’s backend server.
The malicious actors behind Silent Swap also do not hardcode their command-and-control (C2) domains into the malware. Instead, they utilize a technique known as “EtherHiding.”
Silent Swap has a globally distributed infection footprint, with a particularly high concentration of victims in India.





