"The campaign is delivered through unsigned installers – observed in both .NET and Golang variants – that deploy a malicious Chromium extension masquerading as a benign 'Google Notes' utility," McAfee Labs said in a technical report shared with The Hacker News.
Silent Swap delivery: unsigned installers and a fake 'Google Notes' extension
McAfee Labs has codenamed the operation Silent Swap. Researchers observed two installer families — an unsigned .NET installer identified as BaseZipInstaller and variants written in Golang — that fetch a ZIP archive used to build a malicious Chromium extension. The extension poses as a benign "Google Notes" utility and requests broad privileges, including clipboard access, "all URLs," and browsing history.
How the extension gets installed and how it hides
The installers locate Chromium-based browsers (telemetry named Google Chrome, Microsoft Edge, Brave, and Vivaldi as examples) and, for every detected profile, forcibly terminate the browser process and edit the Secure Preferences and Preferences files to register the malicious extension. McAfee explains that the malware then recalculates and updates the stored security verification values (hash/HMAC) after tampering, so the browser accepts the change as legitimate and loads the extension silently without going through the normal Web Store installation flow.
To make this possible on newer browser builds, the campaign depends on enabling developer mode — a setting that the report says a threat actor can achieve through social engineering. Persistence is established by altering Secure Preferences so the extension is loaded on subsequent launches. The installer then self-deletes after execution, removing an indicator of initial compromise.
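As an added defender-side check, not code from the McAfee report, the following Python audit runs over a constructed sample of a Chromium Secure Preferences file and flags enabled extensions that were registered directly in the preferences store rather than installed from the Web Store, alongside the developer-mode flag the campaign depends on. The key names (`extensions.settings`, `from_webstore`, `state`, `extensions.ui.developer_mode`) are assumed from Chromium's preference layout; the extension IDs, names and paths in the sample are made up.

```python
import json

# Constructed sample of the relevant part of a Chromium "Secure Preferences" file.
# Key names follow Chromium's preference layout (an assumption); IDs, names and paths are made up.
SAMPLE_SECURE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            # constructed: ordinary Web Store install, should not be flagged
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1, "state": 1,
                "manifest": {"name": "Legit Notes", "permissions": ["storage"]}},
            # constructed: enabled, registered directly in prefs, Silent Swap style
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\victim\\AppData\\Local\\gnotes",
                "manifest": {"name": "Google Notes",
                             "permissions": ["clipboardRead", "history", "<all_urls>"]}},
            # constructed: disabled unpacked developer extension, out of scope
            "cccccccccccccccccccccccccccccccc": {
                "from_webstore": False, "location": 4, "state": 0,
                "manifest": {"name": "My Dev Tool", "permissions": []}},
        },
        "ui": {"developer_mode": True},
    },
})

# Permissions the report associates with the malicious extension (clipboard, all URLs, history).
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "history", "<all_urls>"}

def audit_preferences(text):
    """Return (developer_mode, findings) for a Preferences / Secure Preferences JSON string."""
    prefs = json.loads(text)
    ext = prefs.get("extensions", {})
    dev_mode = bool(ext.get("ui", {}).get("developer_mode", False))
    findings = []
    for ext_id, info in ext.get("settings", {}).items():
        if info.get("from_webstore", False) or info.get("state", 0) != 1:
            continue  # Web Store installs and disabled extensions are skipped
        manifest = info.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "path": info.get("path"),
            "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        })
    return dev_mode, findings
```

To audit a real profile, pass the contents of its Secure Preferences file to `audit_preferences`; a non-Web-Store extension with clipboard and all-URL permissions on a profile where developer mode is on matches the pattern described above and warrants a closer look.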
EtherHiding: using the blockchain as a dead-drop resolver
Silent Swap uses a technique McAfee calls EtherHiding that treats the blockchain as a dead-drop resolver. Instead of baking a static command-and-control (C2) domain into the malware, the operator updates a smart contract value on-chain to point to a new active domain. That lets the attacker rotate or change the C2 by changing the contract value rather than redeploying malware binaries, McAfee said — a resilience strategy the report highlights as a departure from fragile, hard-coded domains.
Dynamic wallet substitution and attack economics
The core theft mechanism is a clipper: the extension intercepts wallet addresses copied to the system clipboard and substitutes an attacker-controlled address so funds are rerouted when a victim pastes an address during a transaction. For Bitcoin, Ethereum, Bitcoin Cash, Ripple, and Dash address patterns, the extension sends the intercepted address to the attacker backend and receives a dynamically chosen replacement; McAfee notes the server maintains a deterministic one-to-one mapping, so re-submitting the same original address returns the same replacement. Solana addresses, by contrast, are all resolved to a single attacker-controlled address; that Solana address was found to hold a balance of $1,902.45 as of the report.
If the backend lookup fails, the extension falls back to a predefined hard-coded wallet, ensuring continued malicious operation. McAfee links Silent Swap to an earlier CountLoader campaign that delivered a crypto clipper and says evidence points to the same threat actor behind both clusters.
Geography, victims, and collateral risks
McAfee's telemetry shows infections distributed globally with a higher concentration of victims in India and additional impacts in the U.S., Brazil, Indonesia, and Spain. Because most blockchain transactions are irreversible, an address swap can cause permanent financial loss. The report frames Silent Swap as a concise example of evolving consumer-targeted crypto theft: static attacker addresses have been replaced with server-side per-victim mappings and fragile C2 domains have been replaced with blockchain-resolved lookups that can be rotated with a single transaction.
Related clipboard-stealing extensions: Socket's findings on "VPN Go: Free VPN"
Parallel to Silent Swap, Socket researchers Kirill Boychenko and Kush Pandya reported malicious Chrome and Firefox extensions named "VPN Go: Free VPN" that present visible proxy functionality while also containing clipboard-theft logic. The extensions staged a benign storefront release and later introduced clipboard exfiltration in updates. Chrome versions 1.1 and 1.2 exfiltrated clipboard data to 178.236.252[.]133, while version 1.3 switched to 77.91.123[.]187. The Firefox extension introduced clipboard theft in version 1.3.3, sending to 178.236.252[.]133, and moved to 77.91.123[.]187 in version 1.3.4.
Socket warned that the clipboard monitor siphons not only wallet addresses but also passwords, authentication codes, API keys, OAuth tokens, and seed phrases. The extensions' proxy capability can route browser traffic through attacker-supplied infrastructure, exposing plaintext HTTP traffic and connection metadata while the clipboard monitor runs.
Socket's guidance: users who installed these extensions should remove them immediately and treat any secrets entered while the extension was active as compromised.
Silent Swap combines file-system manipulation, browser-setting forgery, blockchain-based C2 resolution, and dynamic address substitution to lower the cost and increase the flexibility of crypto theft operations. The combination — a fake extension with clipboard access, deterministic server-side address mapping, and an on-chain pointer to C2 — allows an operator to maintain long-running, low-visibility fraud infrastructure that is easy to rotate and hard to analyze without the backend or contract state.