650 Attack Tools, One Coordinated Campaign
Essential information
- Published: 08/08/2025 17:08
- Modified: 10/08/2025 21:27
- Tags: 2025-08-08, browser extensions, crypto theft, extension hollowing, luca stealer, lummastealer, malware, phishing, ransomware, scam websites
- Related entities: 111 observables, 1 intrusion set (APT), 1 technique (MITRE), 5 others
Description
The GreedyBear attack group has launched a large-scale crypto theft operation using 150 weaponized Firefox extensions, nearly 500 malicious executables, and numerous phishing websites. Its tactics include Extension Hollowing to bypass marketplace security review, distribution of several malware families, and scam sites that masquerade as crypto products. The campaign's infrastructure is consolidated on a single IP address, which suggests a centralized backend. The group has expanded from its earlier Foxy Wallet campaign and shows signs of growing beyond Firefox. The attackers are reportedly using AI to scale their operations, making it harder for traditional security measures to keep up. The campaign has reportedly stolen over $1 million from victims.