216.73.216.86

Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure

· Published 10/01/2025 04:34 · Modified 10/01/2025 08:44

Export JSON

Essential information

Published
10/01/2025 04:34
Modified
10/01/2025 08:44
Tags
2025-01-10 certificate rotation chrome extension domain spoofing phishing
Related entities
66 observables, 14 techniques (mitre), 4 others

Description

A attack targeting a Cyberhaven employee led to the compromise of their Google . The attacker published a malicious version on the Chrome Web Store, active for 24 hours, capable of exfiltrating cookies and session data. Analysis of IP addresses and domains revealed connections to a broader campaign targeting Facebook advertising accounts. A TLS certificate linked previously reported infrastructure to additional connections, suggesting a long-running operation. The infrastructure, primarily hosted on The Constant Company network, showed consistent domain patterns mimicking known organizations and extensions dating back to early 2024. While similarities exist with groups like Savvy Seahorse, further analysis is needed to establish definitive links.

External references