Jan 27, 2026 · 5 min read

This $6,000 Malware Service Gets Phishing Extensions Into the Chrome Web Store

Stanley offers criminals turnkey browser extensions that bypass Google's review process.

Security researchers at Varonis discovered a new malware-as-a-service operation that promises something troubling: guaranteed placement of malicious browser extensions in the Chrome Web Store. Called Stanley after its seller's alias, the service offers a complete phishing toolkit that can steal credentials while showing victims legitimate-looking web pages.

How Stanley Works

Stanley's approach is deceptively simple. The malicious extension overlays a full-screen iframe containing phishing content on top of legitimate web pages. The victim's browser address bar continues to show the real domain they intended to visit. They see what appears to be a normal login page for their bank, email, or corporate system. In reality, everything they type goes directly to the attacker.

The service supports silent installation across Chrome, Edge, and Brave browsers. Operators can enable or disable hijacking rules on demand through a control panel. They can even push browser notifications to lure victims to specific pages. The extension polls its command-and-control server every 10 seconds for new instructions and includes backup domain rotation to survive takedowns.

The Business Model

Stanley operates as a subscription service with multiple tiers. The most expensive option, called the Luxe Plan, costs around $6,000 and includes something particularly dangerous: direct support for publishing malicious extensions to the Chrome Web Store. The service claims to know how to get past Google's review process.

Lower tiers provide the malware toolkit without the publishing assistance. For criminals who already have distribution methods, Stanley offers the technical infrastructure. For those who want the full package, the premium tier promises end-to-end service from extension development to Chrome Web Store placement.

Advanced Targeting Capabilities

The service includes sophisticated victim identification features. Stanley supports IP-based identification, allowing attackers to target specific geographic regions or exclude certain areas. It can correlate victims across sessions and devices, building a profile even if someone uses different browsers or clears their cookies.

These capabilities matter because they enable highly targeted attacks. An attacker could deploy a Stanley extension that only activates for users in specific countries or only triggers when detecting corporate network IP ranges. The malware can lie dormant for most users while targeting valuable victims.

Russian Origins

Varonis researchers noted that Stanley's code contains Russian-language comments and shows signs of being developed by Russian-speaking programmers. The code itself is reportedly rough in places, with empty catch blocks and inconsistent error handling. This suggests a focus on rapid development and deployment rather than polished engineering.

The technical simplicity may actually be intentional. Stanley does not employ advanced techniques. Instead, it implements well-known attack methods in a straightforward package. The value proposition is not technical innovation but convenience: criminals can run credential theft campaigns without building their own infrastructure.

Why This Matters

Browser extensions represent a significant security blind spot. Users install them trusting that Google's review process catches malicious code. When extensions come from the official Chrome Web Store, most security tools consider them safe. Stanley directly attacks this assumption by promising to defeat the review process itself.

The threat extends beyond individual credential theft. Corporate environments often allow employees to install browser extensions without oversight. A single compromised extension can provide access to every web application the user touches: email, banking, internal corporate systems, customer databases. The attack surface is vast.

How to Protect Yourself

The most effective defense is minimizing browser extension usage. Every extension represents potential risk, even those from the official store. Review your installed extensions regularly and remove any you do not actively use. Be especially suspicious of extensions requesting broad permissions like the ability to read and change data on all websites.
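One way to run that review in bulk, as an added example that is not from the article or from Varonis: the script below reads each installed extension's manifest and reports the ones that can read and change data on all websites or that are missing from an allowlist. It assumes the Chromium on-disk layout `Extensions/<id>/<version>/manifest.json`; the function names, the allowlist, and the sample manifest are hypothetical.

```python
import json
import sys
from pathlib import Path

# Match patterns that grant access to every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed sample manifest (not from a real extension) for a quick offline run.
SAMPLE = {"manifest_version": 3, "name": "Sample Notes",
          "permissions": ["storage", "notifications"], "host_permissions": ["<all_urls>"],
          "content_scripts": [{"matches": ["*://*/*"], "js": ["overlay.js"]}]}


def broad_access(manifest: dict) -> list[str]:
    """Return the reasons a manifest can read or change data on all websites."""
    findings = []
    # MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and entry in BROAD:
                findings.append(f"{key}: {entry}")
    # A content script matching every URL can draw over any page it is injected into.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD:
                findings.append(f"content_scripts.matches: {pattern}")
    return findings


def audit_profile(extensions_dir: Path, allowlist: set[str]) -> dict[str, list[str]]:
    """Map extension ID -> findings for every <id>/<version>/manifest.json found."""
    report = {}
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        ext_id = manifest_path.parts[-3]
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            findings = broad_access(manifest)
        except (OSError, ValueError, AttributeError, TypeError) as exc:
            findings = [f"unreadable manifest: {exc.__class__.__name__}"]
        if ext_id not in allowlist:
            findings.insert(0, "not on allowlist")
        if findings:
            report[ext_id] = findings
    return report


if __name__ == "__main__":
    # Pass a profile's Extensions directory, or run on the constructed sample.
    result = audit_profile(Path(sys.argv[1]), set()) if len(sys.argv) > 1 else broad_access(SAMPLE)
    print(result)
```

A broad host permission is not proof of malice, since many legitimate extensions request it; the output is a shortlist for manual review, not a verdict.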

For organizations, consider implementing extension allowlists that restrict which extensions employees can install. Monitor for unusual extension activity and treat unexpected extension installations as potential security incidents. The convenience of browser extensions comes with real costs if one turns out to be malicious.