Wednesday, January 01, 2025

Exposing the Rogue Cyberhaven Compromised Chrome VPN Extensions Ecosystem - An Analysis

Here we go. It appears that the individuals behind the successful compromise of the Cyberhaven VPN Chrome extensions are currently busy with, or at least have in the works, several other upcoming campaigns targeting other vendors of Chrome VPN extensions.

The first example is hxxp://censortracker.pro, which apparently targets the legitimate hxxp://censortracker.org.

Related domains:

hxxp://cyberhavenext.pro - 149.28.124.84
hxxp://api.cyberhaven.pro - 149.248.2.160

Parked at 149.28.124.84:

Parked at 149.248.2.160:

Sample malicious MD5s known to have been involved in the campaign include:

