A sophisticated malware strain dubbed “Rilide” has emerged as a significant threat to Chrome and Edge browser users, operating as a deceptive browser extension designed to harvest login credentials. Security researchers have discovered this malware in active campaigns targeting corporate and individual users across North America and Europe, with instances of credential theft already reported at several financial institutions and e-commerce platforms. The malware leverages browser extension capabilities to integrate seamlessly with the victim’s browsing experience, making detection particularly challenging for conventional security solutions, and its authors have implemented sophisticated obfuscation techniques to bypass browser security checks and extension verification processes.

Initial analysis suggests Rilide is primarily distributed through phishing emails containing links to fake browser update notifications, or through compromised websites that prompt users to install what appears to be a legitimate extension. Pulsedive analysts identified the malware after tracking unusual data exfiltration patterns from corporate networks, noting that the extension communicated with multiple command and control servers using encrypted protocols. Their investigation revealed that Rilide can capture credentials from over 300 popular websites, including banking portals, cloud services, and enterprise applications, making it particularly dangerous for business environments where a single compromised account could lead to lateral movement within networks.

Rilide’s infection process begins when the extension is installed, at which point it immediately establishes persistence by creating a background service worker that remains active even when the browser is restarted. Once installed, the extension requests extensive permissions that enable it to monitor browser activity, intercept form submissions, and maintain persistence. The malware’s credential theft functionality is implemented in its content script, which injects event listeners for form submissions across all websites. Security teams are particularly concerned about Rilide’s advanced evasion capabilities, which include dormancy periods to avoid detection and the ability to recognise security analysis environments and alter behaviour accordingly.
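As an added defender-side example, not code from the article or from Pulsedive, the following Python audit scans a browser profile's Extensions folder and flags manifests that combine the traits described above: a content script matched to every site, a background service worker, and broad host and API permissions. The sensitive-permission list, the review threshold and the two sample manifests are assumptions constructed for illustration.

```python
"""Flag extension manifests matching the profile above: all-site content script, background worker, broad permissions."""
import json
from pathlib import Path

# Match patterns that expose every page to a content script or host permission.
ALL_SITE_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension observe tabs, traffic or cookies (assumed list).
SENSITIVE_PERMISSIONS = {"webRequest", "cookies", "tabs", "scripting",
                         "declarativeNetRequest", "webNavigation"}

def audit_manifest(manifest: dict) -> dict:
    """Return findings and a coarse risk score for one parsed manifest."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    host_perms = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    if host_perms & ALL_SITE_PATTERNS:
        findings.append("host access to all sites")
    if any(set(cs.get("matches", [])) & ALL_SITE_PATTERNS
           for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every site")
    bg = manifest.get("background", {})
    if bg.get("service_worker") or bg.get("scripts"):
        findings.append("background worker that survives browser restarts")
    sensitive = sorted(perms & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append("sensitive permissions: " + ", ".join(sensitive))
    return {"name": manifest.get("name", "?"), "findings": findings,
            "score": len(findings), "review": len(findings) >= 3}

def audit_dir(extensions_root: str) -> list:
    """Audit every manifest.json below a browser profile's Extensions folder."""
    results = []
    for path in Path(extensions_root).rglob("manifest.json"):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the scan
        results.append({**audit_manifest(manifest), "path": str(path)})
    return results

# Constructed sample manifests; neither is a real extension.
SUSPECT = {"name": "Browser Update Helper", "manifest_version": 3,
           "permissions": ["tabs", "storage", "webRequest", "scripting"],
           "host_permissions": ["<all_urls>"],
           "background": {"service_worker": "bg.js"},
           "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]}
BENIGN = {"name": "Site Dictionary", "manifest_version": 3, "permissions": ["storage"],
          "content_scripts": [{"matches": ["https://example.org/*"], "js": ["d.js"]}]}
```

Point audit_dir at the profile's Extensions directory (for example the Chrome or Edge user-data folder) and review any entry whose "review" flag is set; a legitimate extension can share this profile, so the output is a triage list, not a verdict.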
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 25 Mar 2025 09:25:07 +0000