Hackers' Pub

Syntax	Description	Examples
`"` keyword `"`	Finds the string within quotes, including spaces. Case-insensitive. (Escape quotes inside with `\"`)	`"Hackers' Pub"`
`from:` handle	Finds content written by the specified user.	`from:hongminhee` `from:hongminhee@hollo.social`
`lang:` ISO 639-1	Finds content written in the specified language.	`lang:en`
`#` tag	Finds content with the specified tag. Case-insensitive.	`#HackersPub`
condition condition	Finds content that satisfies both conditions on either side of the space (logical AND).	`"Hackers' Pub" lang:en`
condition `OR` condition	Finds content that satisfies at least one of the conditions on either side of the OR operator (logical OR).	`#HackersPub OR "Hackers' Pub" lang:en`
`(` condition `)`	Combines the operators within the parentheses first.	`(#HackersPub OR "Hackers' Pub" OR "Hackers Pub") lang:en`

Yellow Flag @WPalant@infosec.exchange

2/3/2025, 2:23:43 PM

Public

After I published my article on malicious Chrome extensions running remote code I actually got a sample of malicious code for the Download Manager Integration Checklist extension. While somebody went though significant effort to obfuscate it, I managed to analyze all of its functionality: https://palant.info/2025/02/03/analysis-of-an-advanced-malicious-chrome-extension/

This extension turned out to be specializing in ad fraud. Better understanding of its code allowed me to find eight other extensions with very similar malicious functionality and one more that doesn’t appear malicious at the point but still related. Fun fact: the ad company in question appears to be scammed by one of their employees.

Analysis of an advanced malicious Chrome extension

A follow-up to the previous article, this is a technical discussion of the malicious functionality in the Download Manager Integration Checklist extension. I was also able to identify a number of related extensions that were missing from my previous article.

palant.info · Almost Secure

Link author: Yellow Flag@WPalant@infosec.exchange

If you have a fediverse account, you can quote this note from your own instance. Search https://infosec.exchange/users/WPalant/statuses/113940406189169788 on your instance and quote it. (Note that quoting is not supported in Mastodon.)