#mainjs
Explore tagged Tumblr posts
govindhtech · 4 days ago
Rilide Malware: How Browser Extensions Affect Online Threats
How Rilide virus strikes via browser extensions:
What's Rilide?
Rilide, also known as LumaC2 and CookieGenesis, is powerful malware discovered in 2023. It targets Chromium browsers to collect user data and control behaviour. Rilide's main feature is misusing its browser extension to launch attacks.
Change to Browser Extension Attacks
Rilide is a sign of a major threat shift. Traditional man-in-the-browser attacks used malware detecting HTML patterns in browser memory and inserting
However, modern assaults using malicious browser extensions like Rilide bypass most of these restrictions. Extensions don't depend on any website, thus they can run in the background. They also have higher rights to access browser-wide resources like cookies and local storage and bypass same-origin restrictions. Extensions give more persistence and control than traditional web injection methods because they work even when no pages are open.
Extensions also impact JavaScript execution context. Conventional injections may have left traces because they ran alongside security tools and web application code. Extensions create two JavaScript environments in addition to the main page context:
Despite its separation from the main page environment, the content script context can access the page document.
As a service worker, the main page environment and content script cannot access the background code context.
Communication between contexts occurs through browser interfaces hidden from page developers. Because much of the extension's action and evidence are designed to be separated, detection will be harder without changes to the original document. Because of extensions' greater control, persistence, evasion, and ease of development, browser threats likely evolved to employ extensions. Modern browser APIs make browser extensions easy to develop due to their extensive built-in functionality and permissions.
Technique: Rilide Uses Extension Elements
Rilide uses browser extension components to simplify its attacks:
The Manifest:
This crucial section describes the extension's functionality and access levels. One Rilide variant posed as a Google Drive plugin. By listing the appropriate rights, the manifest file reveals Rilide's capabilities. Rilide requested these important permissions:
“Scripting”: Injects and runs JavaScript code on web pages.
You can see, change, and delete browser cookies.
Monitor and change browser network requests using “WebRequest”.
“ClipboardRead/Write”: Reading and editing clipboard content.
“ActiveTab”: Temporary tab content access.
With the “host_permission” parameter, the extension can access and interact with any browser-supported scheme, domain, path, and port.
Because they run on all URLs at document_start, content scripts start early in page loading. The manifest also establishes rules under “declarative_net_request” to remove specific Content Security Policy (CSP) headers to allow Rilide to insert inline data. Under “background” lies the extension's service worker, where the malware tracks browser events and communicates with the C2 server.
Background.js, background script:
When the extension is installed, this script executes its initialisation code. Chrome.system retrieves CPU, storage, and extension data, while chrome.management retrieves cookies.getAll retrieves all cookies at startup. A unique ID is maintained locally. This data is sent to the C2 server, which may allow the extension to proxy.
Initialisation fetches commands, viral settings, and injections. After enabling CSP removal rules, the background script tracks browser events. The background script includes a unique C2 server domain gathering method. Recurring Google Chrome alarm calls retrieve them from a Telegram bot. If a domain is blocked, the virus can easily switch.
The background script transmits data exfiltration to the C2 server after listening for content script signals like “new-grabber-info,” which contain input element values. For chrome.tabs.captureVisibleTab to capture the visible tab and send the screenshot data to the C2, it listens for “set-screenshot-result” signals. Verify and initiate proxy connections and execute C2 instructions with frequent alarms.
Command script cmds.js:
This script receives calls from the C2 server and returns results. Some intriguing commands are:
“Extension”: Allows ID-based extensions.
“Push” opens a new tab and displays the fetched content in a browser notice.
“Screenshot”: Captures the tab's content.
“History” retrieves browsing history.
“Cookies”: Retrieves all browser cookies.
“URL”: Opens a new tab with a URL.
Device details, URL, and extension setup are available in additional instructions. These instructions simplify attacker development by exploiting Chrome extension features and dynamic workflow modifications.
Main.js and Gmail.js are content scripts
These scripts talk to websites.
main.js:
This script starts with jQuery and disguised dangerous code. Injections from the service worker downloaded during initialisation are executed if the URL matches. A clever injection technique leverages the onreset document element to execute a custom reset event immediately, making detection difficult. Also, main.js uses jQuery to create a generic data stealer listener that selects all input elements. It listens for change events on particular elements and accumulates input values like usernames and passwords when the value changes and the element leaves focus. Chrome.runtime.sendMessage sends stolen info to the service worker, who sends it to C2 servers.
Gmail.js:
It targets mail.google, the Gmail mail client page. Its major goal is 2FA authentication request manipulation to hide cryptocurrency theft. The script regularly checks popular bitcoin wallet emails. If emails contain “Withdrawal Request,” it replaces it with “Authorise New Device”. To replace email preview content, it targets span elements with “withdrawal”.
The script determines email body and authorisation code from CSS classes and content. This script replaces the email body's HTML with hardcoded text. The threat actor uses this strategy to make victims interpret withdrawal requests as less suspicious new device authorisations to withdraw cryptocurrency without alerting them. Detecting email body items requires formatting and language, making it unpredictable.
Proxy Capability
Its ability to turn the victim's browser into an HTTP proxy, which may be implemented using extensions, is one of its best capabilities. This functionality lets the attacker route all requests using the victim's credentials and data. This is especially problematic for financial fraud since hackers might utilise the victim's authenticated session to access financial systems and start transactions or change settings without IP address verification.
CursedChrome, an educational proof-of-concept, provided most proxy functions. It uses WebSocket to link the attacker's C2 server to the extension's service worker. The C2 collects results from the victim's cookies, which are utilised to navigate or submit queries. Backend code and administrative UI are available in CursedChrome, exhibiting easiness.
Scale and Indicators
The Trusteer research lab found 50,000 hacked user sessions since early 2025, demonstrating the problem. Rilide targets North America, South America, Europe, and Japan as part of its global campaign.
It provides compromise signs like filenames and hashes:
Files: ico.png, crrule.js, exts.js, rules.json, manifest.json, utils.js, historytab.js, notif.js, config.js, content-scriptsApp.html, background.js, main.js, gmail.js, csp.js, exchangeSettings.js, screen.js, domain.js, inj.js, set.js, proxing.js, cmds.js, machine.js, and -register-pol
Zip file extFiles.zip.
Domain statbrwsr.digital
In conclusion, Rilide is an advanced malware that uses browser extensions to gain long-term control, access private data, bypass security measures, and steal cryptocurrency and financial data more covertly than previous web injection methods.
0 notes
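A defender-side check for the manifest traits the Rilide post above lists (script injection, cookie and clipboard access, all-URL content scripts at document_start, and declarative_net_request rules that strip CSP headers), as an added example that is not part of the original post or of the research it summarises. The manifest and rule set are constructed samples, and `auditExtension`, the finding ids and the severity labels are hypothetical names chosen here.

```javascript
// Added example: audit a Manifest V3 extension for the traits the post describes.
// SAMPLE_MANIFEST and SAMPLE_RULES are constructed for illustration, not taken from a Rilide sample.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Drive helper (constructed sample)",
  permissions: ["scripting", "cookies", "webRequest", "clipboardRead",
                "clipboardWrite", "activeTab", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "background.js" },
  content_scripts: [{ matches: ["<all_urls>"], js: ["main.js"], run_at: "document_start" }],
  declarative_net_request: { rule_resources: [{ id: "r1", enabled: true, path: "rules.json" }] },
};
const SAMPLE_RULES = [{
  id: 1, priority: 1,
  action: { type: "modifyHeaders",
            responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" }] },
  condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
}];

const RISKY_PERMISSIONS = ["scripting", "cookies", "webRequest", "clipboardRead", "clipboardWrite"];
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const CSP_HEADERS = new Set(["content-security-policy", "content-security-policy-report-only"]);
const isBroad = (patterns) => (patterns || []).some((p) => BROAD_HOSTS.has(p));

// Returns { severity, findings } for a parsed manifest.json and its parsed DNR rule file(s).
function auditExtension(manifest, dnrRules = []) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  const risky = RISKY_PERMISSIONS.filter((p) => perms.has(p));
  if (risky.length) findings.push({ id: "risky-permissions", detail: risky.join(", ") });
  if (isBroad(manifest.host_permissions)) {
    findings.push({ id: "broad-host-access", detail: manifest.host_permissions.join(", ") });
  }
  for (const cs of manifest.content_scripts || []) {
    if (isBroad(cs.matches) && cs.run_at === "document_start") {
      findings.push({ id: "early-global-content-script", detail: (cs.js || []).join(", ") });
    }
  }
  for (const rule of dnrRules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    const stripped = (action.responseHeaders || []).filter(
      (h) => h.operation === "remove" && CSP_HEADERS.has(String(h.header).toLowerCase()));
    if (stripped.length) findings.push({ id: "csp-header-removal", detail: `rule ${rule.id}` });
  }
  // Cookie access plus all-site reach plus CSP stripping is the combination the post describes.
  const ids = new Set(findings.map((f) => f.id));
  const critical = perms.has("cookies") && ids.has("broad-host-access") && ids.has("csp-header-removal");
  return { severity: critical ? "critical" : findings.length ? "review" : "ok", findings };
}

console.log(JSON.stringify(auditExtension(SAMPLE_MANIFEST, SAMPLE_RULES), null, 2));
```

On a real endpoint the two arguments would be the parsed `manifest.json` and the rule files it references from an unpacked extension directory.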
lyricsssdotin · 10 months ago
Deewana Lyrics
Singer:AkhilAlbum:Maninder Kailey Teri hi khushbu har jagahKol rahe tu hoke doorPaa nahiyon sakkiyaan jannataan jannataanTere mukhde de warga noor Tu hi mainu dass tainuKhud naal rakhne daLaawan hunn bahaana kehda main, main Naa tere jeha hor milnaAivein ni deewana tera main, mainJe hai vi tan nahiyon chahidaLabban tere ch zamana mera main, main Rabb ne banaake tainuSocheya zaroor honaDuniya

0 notes
lilacserval · 2 years ago
hai! hello
this is my pet regression blog!! my mainj account is @/chamomilecougar, ill likely follow from there
i pet regress as a coping mechanism for when i feel lonely, distressed, or paranoid!! i have noticed that i sometimes occurs during mental shifts of my feline theriotypes, tho.. :o
i use all pronouns!! it/that are my preference, even when not regressed, but i dont rlly care
ALSO, im rather new to this community. I didn’t even understand pet regression when I started this coping mechanism, so pls correct me if i ever get any terminology/information wrong!!
dni is the basic stuff, everything on my main goes from here.. radqueersj, homophobes or transphobes, proship, abelists, racists etcetc..
im a (domestic) cat and bunny :3
1 note · View note
loulouusme · 5 years ago
Il y a cette petite mĂ©lodie Que chante mon cƓur depuis samedi Depuis que sur ton cheval blanc Je t'ai vu cavaler en prince charmantT'es arrivĂ© de si loin Aussi prĂšs de mes matins Qui ne sentaient plus rien Avant qu'ils ne prennent ton parfumJe fabriquerais des plus beaux jours Qui parlent d'amour, qui parlent d'amour J'en ferais une cabane tout autour Et des nuits pour t'y faire l'amour Et des nuits pour t'y faire l'amourEt si dans ton palais de glace J'y avais peut-ĂȘtre trouvĂ© une place Comme dans toutes ces villes oĂč l'on passe OĂč il suffit juste que tu m'enlacesT'es arrivĂ© de si loin Aussi prĂšs de mes chagrins Qui s'envolent l'air de rien DĂšs lors que tu me prends par la mainJe fabriquerais des plus beaux jours Qui parlent d'amour, qui parlent d'amour J'en ferais une cabane tout autour Et des nuits pour t'y faire l'amour Et des nuits pour t'y faire l'amourDe ma bouche Ă  ton oreille percĂ©e D'une voix douce ou sur un petit bout de papier Je te laisserai des mots Pour que tu te souviennes, queJe fabriquerais des plus beaux jours Qui parlent d'amour, qui parlent d'amour J'en ferais une cabane tout autour Et des nuits pour Toujours
4 notes · View notes
kazifatagar · 2 years ago
Keep Politics Out of Mosques in Johor
Crown Prince Tunku Ismail Sultan Ibrahim, who is also the head of the state’s Islamic Religious Council or MAINJ, issued an order prohibiting all mosques and surau (little prayer halls) in Johor from holding any talks or conversations about politics. Following Tuesday’s special meeting of MAINJ, the head of the Johor Islamic Religious Affairs Committee, Mohd Fared Mohd Khalid, was quoted in

0 notes
3dabandonedpark · 3 years ago
MY GAME TAKES HEAVY INSPIRATION FROM TWO LOCATIONS, ONE BEING THE RENDITION OF PRIPYAT IN MODERN WARFARE
THE GRUNGY STYLE AND DESOLATED LOOK, I'M GOING TO USE SOME OF THE MAIN FEATURES LIKE THE FERRIS WHEEL. THIS WILL ESTABLISH A CONNECTION WITH THE PLAYER, GIVING THEM MORE OF A FAMILIAR FEEL TO THEIR ENVIRONMENT.
0 notes
dixvinsblog · 3 years ago
Kobayashi Issa – Haikus
A superb kite / has flown away / from the beggar's hut.
The toad! It looks as if / it is about to vomit / a cloud.
All of us in this world / on the crest of a hell / gazing at the flowers!
A poppy in hand / I pass through / the crowd.
We grow old / even the length of the day / is a source of tears.
0 notes
zambianobserver · 3 years ago
Nurse arrested for insulting Chakwera
Malawi Police have arrested a Nurse working at Ntcheu District Hospital for allegedly insulting President Lazarus Chakwera. The nurse has been identified as Chidawawa Mainje aged 39. National Police Deputy Spokesperson, Harry Namwaza, has confirmed the arrest claiming Mainje insulted Chakwera using strong words through a WhatsApp forum. “On April 27, the suspect used obscene and unprintable

0 notes
beritasaatini · 4 years ago
Latest: MAINJ Cleans Dirty Transit House Left Behind by Asnaf. – beritasaatini
beritasaatini.online – JOHOR BAHRU: An asnaf family placed in a transit house at Flat Taman Impian Skudai here left the residence, which was provided free of charge by the Johor State Islamic Religious Council (MAINJ), in a dirty and disgusting condition. MAINJ Chief Assistant Director Khirul Nizam Mat Said said the asnaf family concerned, with nine children, had been assisted since 2015
0 notes
1suara · 4 years ago
Latest: MAINJ Cleans Dirty Transit House Left Behind by Asnaf. – D Bongkar
JOHOR BAHRU: An asnaf family placed in a transit house at Flat Taman Impian Skudai here left the residence, which was provided free of charge by the Johor State Islamic Religious Council (MAINJ), in a dirty and disgusting condition. MAINJ Chief Assistant Director Khirul Nizam Mat Said said the asnaf family concerned, with nine children, had been assisted since 2015, including being placed in
0 notes
rmolid · 5 years ago
0 notes
mknace · 5 years ago
ZAKAT FITRAH RATES FOR THE STATE OF JOHOR DARUL TA’ZIM FOR 1441H / 2020M
The Johor State Fatwa Committee, following confirmation by the Johor State Islamic Religious Council (MAINJ) and with the consent of His Majesty the Sultan of Johor, has set the Zakat Fitrah rate for 1441H, corresponding to 2020M, at two prices: RM 7.00 (Seven Ringgit Only) and RM 10.00 (Ten Ringgit Only).
i. RM 7.00: Muslims in the state of Johor whose daily staple is rice of the Super Tempatan type.
ii. RM 10.00: Muslims in the state of Johor whose daily staple is rice other than the Super Tempatan type (imported rice), such as Beras Wangi, Beras Basmathi and others.
To meet the community's need to fulfil the zakat fitrah obligation during the month of Ramadan, including during the Movement Control Order (PKP) period, MAINJ has determined that payment is to be made online (ONLINE) only. For paying zakat fitrah online, MAINJ provides the following facilities:
1. Zakat Johor Online Payment
2. Johor Online Payment
3. SnapNPay
Operating hours: from 1 Ramadan 1441H until 8.00 am on 1 Syawal 1441H.
A bank charge of RM 0.50 is imposed on the account holder for payments made through FPX, in addition to the zakat fitrah amount, for each payment transaction.
THANK YOU
“Early payment is encouraged to avoid congestion of ONLINE access at the last minute”
After obtaining the views of the National Security Council (MKN) and the Ministry of Health Malaysia (KKM) -NO ZAKAT FITRAH PAYMENT THROUGH AMIL FITRAH- ©MAJLIS AGAMA ISLAM NEGERI JOHOR (at Johor Bahru) https://www.instagram.com/p/B_M-CKSJ_K3/?igshid=1liaalfxy8d70
0 notes
mrbagaimana · 5 years ago
Amil not allowed to collect zakat fitrah - Johor
AMIL are not allowed to collect zakat fitrah, including at public gathering spots, throughout the state of Johor.
Zakat fitrah payments can be made at the district offices of the Johor State Islamic Religious Council (MAINJ) without the need to make an appointment.
Johor Islamic Religious Affairs Committee chairman Tosrin Jarvanthi said that, at the same time, the district MAINJ offices are also running mobile offices that go into
0 notes
seher-zeeshan-blog · 5 years ago
DEER IBRAHIM MURAD IS WAQT PURA KHADAN MERE JISM MAIN MUQAIM HAE MERE MAZAE PAE APNAE MAZAE KO TARJEE DETE HAIN
MERA LAWYER IN KA MAZA MERE JISM PAE CHOOR DETA HAE
Y APNA MAZA MERE SAMNAE RKHTAE HAIN MERA TANN KA MAZAAK URATAE HAIN
HER CHEEZ KI UMEED MJH SAE RHATAE HAIN MJHAEE BEWA KARNAE KI KOSHISH I HAE MERA JEENA HARAM KR DIYA HAE AR RE HUSBAND KA
HARA HAIN MER GHR WALAE MERE LAWYER KAE THROUGH MERI SATR MAINJ HANKTAE HAIN BUUDHAE OAR BURHAE MERA HAQ MARTAE HAIN MAIN AKELI HOAN MRE JISM KA FAIDA UTHATAE HAIN
APNI MOAT KAE NAGMA GATAE HAIN
YEH SAZA KAE HAQ DARR HAIN INHAIN LATAIN OAR GHOSAE MARAE JAEN IN KI ASLI OKAT DARKAR HAE MERE BISTR KO TAMASHA BANAYA HWA HAE MJHAE PAGLOAN KI DAWAI KHILATE HAIN OAR MERA JISM LOTTAE HAIN
JB KAE DAWAI INHAIN KHIANI CHAEE
IN KAE LAWYR DOCTOR MJHAE DAWAIN DETE HAIN DRUGS DAE KAE B GRADE SAE MERE MAMAE CHUSTAE HAIN
0 notes
artemisandlioness · 5 years ago
Does anyone know anything about JavaScript? Every time I access thepiratebay (in particular) it keeps saying that ‘mainjs’ hasn’t loaded and it doesn’t show me any torrents. Does anyone know how to fix this - and fix it in a way that doesn’t mean I have to try to learn and understand code?
0 notes
dixvinsblog · 3 years ago
Gilles Gréard – Tarology and poetry – LE BATELEUR Arcanum 1
I am the bateleur / arcanum number one of the tarot / the first day of the year / the first in the class / the first who begins, / who commences, / who starts / a project, an idea, a concept / arcanum number one of the tarot.
I begin / I am the eternal apprentice / on this day number one / I take my life in hand / I am the magician / I am the magician of my life / I have a wand in hand / I am the conductor of my life.
I know
0 notes