Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates
Malicious Chrome and Firefox browser extensions masquerading as free VPN tools ('VPN Go: Free VPN') were distributed via official extension marketplaces and later updated to include clipboard-stealing functionality. The extensions monitor clipboard contents on a timer, chunk copied text into ~1000-character segments, and exfiltrate data via HTTP GET requests to hardcoded attacker-controlled IP addresses using a /html/continue.php endpoint with uid, part, total, and data query parameters. Both extensions share infrastructure, code patterns, and build artifacts, confirming a common threat actor. The staged update pattern—initial versions functioning as legitimate proxy tools with later versions adding clipboard theft—highlights the risk of extension update supply chain compromise.
- emailzegivati83[@]gmail[.]comDeveloper email listed on Chrome Web Store for the malicious VPN Go: Free VPN extension
- filenamescripts/version.jsMalicious Chrome content script that monitors clipboard via navigator.clipboard.readText() every 500ms, chunks copied text, and forwards to background script for exfiltration
- ip178[.]236[.]252[.]133C2 server for Chrome extension versions 1.1 and 1.2; used for clipboard exfiltration and proxy-location retrieval
- ip178[.]236[.]252[.]161C2 server for Firefox extension version 1.3.3; used for clipboard exfiltration and proxy-location retrieval
- ip77[.]91[.]123[.]187Shared C2 server for Chrome v1.3 and Firefox v1.3.4; used for both clipboard exfiltration to /html/continue.php and proxy-location retrieval from /locations
- sha2562fe9c41901045013ba28ccb9af5870f9aef4f1ffd1e717cd5e0189ffdbe7fca2SHA256 hash of malicious Firefox extension XPI v1.3.4; contains clipboard stealer exfiltrating to 77.91.123.187
- sha25643dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56SHA256 hash of malicious Chrome extension CRX v1.1; first confirmed malicious version with clipboard theft
- sha25672fc06a8b03720f4a64744eecd5b3f658ad880bdb327c0c465c7bdc66b14a8d2SHA256 hash of malicious Chrome extension CRX v1.3; contains clipboard stealer exfiltrating to 77.91.123.187
- sha256b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280cSHA256 hash of malicious Chrome extension CRX v1.2; preserves clipboard theft logic from v1.1
- sha256fbbdf4bc490ad7b28953630c1707aa68b89d319b9b735f3d8563320b81b21a97SHA256 hash of malicious Firefox extension XPI v1.3.3; first Firefox version with clipboard stealer
- urlhxxp://178[.]236[.]252[.]133/html/continue[.]phpClipboard exfiltration endpoint for Chrome v1.1 and v1.2; receives chunked clipboard data via HTTP GET
- urlhxxp://178[.]236[.]252[.]133/locationsProxy-location retrieval endpoint for Chrome v1.1 and v1.2
- urlhxxp://178[.]236[.]252[.]161/html/continue[.]phpClipboard exfiltration endpoint for Firefox v1.3.3; receives chunked clipboard data via HTTP GET
- urlhxxp://178[.]236[.]252[.]161/locationsProxy-location retrieval endpoint for Firefox v1.3.3
- urlhxxp://77[.]91[.]123[.]187/html/continue[.]phpClipboard exfiltration endpoint for Chrome v1.3 and Firefox v1.3.4; receives chunked clipboard data via HTTP GET with uid, part, total, and data parameters
- urlhxxp://77[.]91[.]123[.]187/locationsProxy-location retrieval endpoint for Chrome v1.3 and Firefox v1.3.4
- urlhxxps://telegra[.]ph/Privacy-Policy-12-11-127Privacy policy hosted on Telegraph (low-friction publishing platform) for the malicious VPN Go extensions
Detection / Hunteropenrouter
What Happened
Browser extensions pretending to be free VPN tools were secretly updated to steal everything you copy to your clipboard. The extensions, called 'VPN Go: Free VPN,' were available on both the Chrome Web Store and Firefox Add-ons marketplace and appeared to work as normal VPN tools. However, after installation, updates added hidden code that reads your clipboard every half second to 1.5 seconds and sends copied text—including passwords, API keys, and cryptocurrency wallet addresses—to attacker-controlled servers. Anyone who had these extensions installed should remove them immediately and change any passwords, tokens, or recovery phrases that were copied while the extension was active. Organizations should review which browser extensions are installed on managed devices and restrict extensions that request clipboard access unless there is a clear business need.
Key Takeaways
- Malicious Chrome and Firefox extensions branded as 'VPN Go: Free VPN' added clipboard-stealing functionality through staged updates, exfiltrating copied data to hardcoded attacker-controlled IPs over HTTP
- Chrome extension (ID: jgpfgonjjolillilkjfkiddakagkkpoj) and Firefox extension (Gecko ID: [email protected]) share infrastructure, code patterns, and build artifacts indicating a common developer
- Clipboard theft monitors copied text every 500ms (Chrome) or 1500ms (Firefox), chunks data into ~1000-character segments, and sends it to /html/continue.php with uid, part, total, and data query parameters
- All secrets copied while the extension was active—including passwords, API keys, OAuth tokens, MFA codes, and cryptocurrency seed phrases—should be treated as exposed
- Extensions request clipboardRead permission alongside proxy permissions; the VPN functionality is partially functional, serving as cover for the malicious clipboard monitoring
Affected Systems
- Google Chrome browsers with extension jgpfgonjjolillilkjfkiddakagkkpoj installed
- Mozilla Firefox browsers with extension [email protected] installed
- Any system where users copy sensitive data while the malicious extension is active
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Threat actor publishes 'VPN Go: Free VPN' extensions on Chrome Web Store and Firefox Add-ons marketplace with legitimate-looking proxy functionality
- Staged Malicious Update: Later extension versions (Chrome 1.1+, Firefox 1.3.3+) add clipboardRead permission and clipboard-stealing code via updates
- Collection: Content script (Chrome, every 500ms) or background script (Firefox, every 1500ms) reads clipboard via navigator.clipboard.readText(), deduplicates values, and chunks text into ~1000-character segments
- Exfiltration: Chunked clipboard data sent via HTTP GET requests to /html/continue.php with uid, part, total, and data query parameters on attacker-controlled IPs
- Persistence: Functional VPN/proxy capability provides cover for users to keep the extension installed while clipboard theft runs in parallel
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Socket AI Scanner
The article references Socket AI Scanner flagging the extension as malware but does not provide any YARA, Sigma, Snort/Suricata, KQL, SPL, or EQL detection rules. Defensive guidance is limited to threat hunting recommendations for outbound HTTP requests to observed IPs and exfiltration URL patterns.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | EDR products may capture browser network connections to malicious IPs and could flag the extension's HTTP exfiltration traffic. However, clipboard reads occur within the browser process context via JavaScript APIs, which EDR may not specifically monitor. Extension-level telemetry varies significantly across EDR vendors. |
| Network Visibility | High | Exfiltration occurs over plaintext HTTP GET requests to hardcoded IPs with distinctive URL patterns (/html/continue.php with uid, part, total, data parameters). Proxy/NGFW logs should capture this traffic if the organization inspects outbound HTTP. |
| Detection Difficulty | Moderate | The exfiltration uses plaintext HTTP to hardcoded IPs with a distinctive URL pattern, making network detection straightforward. However, initial detection of the malicious extension requires inventorying browser extensions and reviewing permission changes, which many organizations do not perform systematically. |
Required Log Sources
- Browser extension inventory and permission logs
- Outbound HTTP proxy logs or NGFW logs
- DNS resolver logs (if IPs resolve via DNS)
- Endpoint network connection logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for outbound HTTP GET requests to /html/continue.php endpoints containing uid, part, total, and data query parameters, as this pattern indicates clipboard exfiltration from the VPN Go extension or related malware | NGFW logs, proxy logs, or any network flow records capturing outbound HTTP traffic | Exfiltration | Low — the specific URL path and parameter combination is distinctive and unlikely to appear in legitimate traffic |
| Consider hunting for browser extensions requesting clipboardRead permission alongside proxy or webRequest permissions, especially when the extension's stated purpose is VPN or proxy functionality | Browser management platform extension inventory, Chrome Enterprise policy logs, or Firefox policy telemetry | Persistence | Medium — some legitimate extensions may request clipboard access alongside network permissions, requiring manual review of the extension's purpose |
| Consider hunting for outbound HTTP connections to the observed IPs (77.91.123.187, 178.236.252.133, 178.236.252.161) from any endpoint, as these are hardcoded C2 infrastructure for the VPN Go clipboard stealer | Firewall logs, EDR network connection events, or SIEM network telemetry | Command and Control | Low — these IPs are specifically identified as attacker-controlled infrastructure |
| Consider hunting for browser extensions that were recently updated to add clipboardRead or all-URLs content script permissions, as the staged malicious update pattern is a key TTP in this campaign | Browser extension management logs, Chrome/Firefox enterprise policy audit logs | Persistence | Medium — legitimate extensions may add clipboard permissions in updates, requiring contextual review |
Control Gaps
- Network controls may not alert on plaintext HTTP exfiltration if the organization does not inspect or block outbound HTTP traffic to non-standard IPs
- Endpoint controls may not inventory or monitor browser extension permissions and updates
- DLP solutions may not capture clipboard data exfiltrated from within the browser process context
- Traditional AV/signature-based detection would not identify malicious behavior in browser extension JavaScript
Key Behavioral Indicators
- Browser extension requesting clipboardRead permission alongside proxy, webRequest, and <all_urls> host permissions
- Content script running at document_start on all URLs in a VPN/proxy extension
- Periodic calls to navigator.clipboard.readText() at 500ms or 1500ms intervals from a browser extension
- Outbound HTTP GET requests to /html/continue.php with uid, part, total, and data query parameters
- Chrome extension manifest containing browser_specific_settings.gecko block (Firefox-specific settings in a Chrome extension indicate shared build process)
- Extension background script constructing URLs from arithmetic expressions to obfuscate C2 IP addresses
False Positive Assessment
- Low — the exfiltration URL pattern (/html/continue.php with uid, part, total, data parameters) and hardcoded IPs are highly distinctive. The combination of clipboardRead permission with VPN/proxy functionality in a browser extension is unusual and warrants investigation. However, legitimate clipboard-management extensions may trigger similar permission-based detections.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider removing the VPN Go: Free VPN Chrome extension (ID: jgpfgonjjolillilkjfkiddakagkkpoj) and Free VPN by VPN GO Firefox extension (Gecko ID: [email protected]) from all managed endpoints immediately if present
- Consider treating any secrets (passwords, API keys, OAuth tokens, MFA codes, cryptocurrency seed phrases) copied while the extension was active as exposed and rotating them
- Consider blocking outbound traffic to 77.91.123.187, 178.236.252.133, and 178.236.252.161 at network controls if supported by your infrastructure
- Consider searching proxy/NGFW logs for historical HTTP GET requests to /html/continue.php with uid, part, total, and data parameters to identify potential prior exfiltration
Infrastructure Hardening
- Consider restricting browser extension installation to an approved allowlist of extension IDs via enterprise browser management policies
- Evaluate whether your browser management policies can block or alert on extensions requesting clipboardRead permission, especially when combined with proxy or webRequest permissions
- Consider implementing network rules to alert on or block outbound plaintext HTTP traffic to non-standard IP addresses
- If applicable, consider reviewing extension update policies to require manual review of permission changes before updates are applied
User Protection
- Consider deploying browser extension inventory tooling across managed endpoints to identify and remove extensions with high-risk permission combinations
- Evaluate whether your EDR or browser management platform can alert when an extension adds clipboardRead or all-URLs content script permissions in an update
- Consider prioritizing review of VPN, proxy, wallet, downloader, coupon, AI assistant, screenshot, and productivity extensions as they commonly request broad permissions
Security Awareness
- Consider incorporating guidance into existing awareness programs about the risks of browser extensions requesting clipboard access, especially VPN or proxy extensions
- Consider reminding users that browser extensions can read clipboard contents without local persistence or shell execution, and that copied secrets are at risk if a malicious extension is installed
- Consider advising users to install extensions only from trusted developers with established reputations and to review requested permissions before installation
MITRE ATT&CK Mapping
- T1176.001 - Software Extensions: Browser Extensions
- T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
- T1204 - User Execution
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1115 - Clipboard Data
- T1027 - Obfuscated Files or Information
- T1071.001 - Application Layer Protocol: Web Protocols
- T1041 - Exfiltration Over C2 Channel
- T1036 - Masquerading
Additional IOCs
- Urls:
hxxp://77[.]91[.]123[.]187/locations- Proxy-location retrieval endpoint for Chrome v1.3 and Firefox v1.3.4hxxp://178[.]236[.]252[.]133/locations- Proxy-location retrieval endpoint for Chrome v1.1 and v1.2hxxp://178[.]236[.]252[.]161/locations- Proxy-location retrieval endpoint for Firefox v1.3.3hxxps://telegra[.]ph/Privacy-Policy-12-11-127- Privacy policy hosted on Telegraph (low-friction publishing platform) for the malicious VPN Go extensions
- File Hashes:
43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56(SHA256) - SHA256 hash of malicious Chrome extension CRX v1.1; first confirmed malicious version with clipboard theftb3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c(SHA256) - SHA256 hash of malicious Chrome extension CRX v1.2; preserves clipboard theft logic from v1.1fbbdf4bc490ad7b28953630c1707aa68b89d319b9b735f3d8563320b81b21a97(SHA256) - SHA256 hash of malicious Firefox extension XPI v1.3.3; first Firefox version with clipboard stealer
- File Paths:
scripts/background.js- Malicious background script in both Chrome and Firefox extensions; handles exfiltration in Chrome and contains full clipboard theft loop in Firefox
- Other:
jgpfgonjjolillilkjfkiddakagkkpoj- Chrome Web Store extension ID for malicious VPN Go: Free VPN extension[email protected]- Firefox Gecko extension ID for malicious Free VPN by VPN GO extension[email protected]- Contact email listed in the privacy policy for the malicious VPN Go extensions11f01e8296a074e6e3b23e9413c51f205d4b6a14146fb4d95bec291d768a9071- Bearer token used for proxy-location API authentication on Chrome v1.1/v1.2 infrastructure (178.236.252.133)7386252b9a86e5357e6aa884326720abf015465a2567e75717830b6688ef05cc- Bearer token used for proxy-location API authentication on Chrome v1.3 and Firefox v1.3.4 infrastructure (77.91.123.187)d7d43e8e8f03afdcaaba85622daf24ced944e7ca4d03ac124fc325d0bb6e3d66- Bearer token used for proxy-location API authentication on Firefox v1.3.3 infrastructure (178.236.252.161)638636692e3eef6c83dbca784a40fb7b6ac95b76d6551a2fbdfebc11588ad8ff- Bearer token used for proxy-location API authentication on Firefox v1.3.4 infrastructure (77.91.123.187)