CyberSecurityBoard
Malware

Silent Swap Crypto Clipper Uses Fake Google Notes Extension to Replace Wallet Addresses

June 30, 2026

Cybersecurity researchers have flagged an active browser extension campaign designed to steal cryptocurrency by stealthily replacing wallet addresses during transactions. The cryptocurrency clipper activity, codenamed Silent Swap by McAfee Labs, is delivered through unsigned installers in .NET and Golang variants that deploy a malicious Chromium extension masquerading as a benign ‘Google Notes’ utility.

The unsigned .NET installer, named BaseZipInstaller, retrieves a ZIP archive and scans the system for Chromium-based browsers. For each detected profile, it forcibly terminates the browser process and injects the extension by modifying the Secure Preferences and Preferences files. The extension acts as a clipper, intercepting and manipulating wallet addresses copied into the system clipboard to reroute funds to an attacker-controlled wallet.

McAfee Labs noted that the activity overlaps with a prior CountLoader campaign that delivered a crypto clipper, with evidence pointing to the same threat actor behind both clusters. Silent Swap uses a technique called EtherHiding, leveraging the blockchain as a dead drop resolver to retrieve active command-and-control (C2) server details. This allows the attacker to update a smart contract value to point to a new domain without redeploying the malware.

The campaign’s persistence and evasion posture is deliberate and layered, focusing on low visibility and high resilience. Persistence is established by registering the extension via browser Secure Preferences file modifications. The malware also attempts to enable developer mode programmatically in Brave and Opera, and the installer self-deletes after execution. Dynamic wallet substitution fetches replacement addresses from the attacker backend, with a fallback to hard-coded addresses if the backend request fails.
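An added example (not code from McAfee Labs or from this article) of auditing a Chromium profile for the kind of registration described above: it parses `Secure Preferences` and `Preferences` and flags extension entries that are not marked as Web Store installs, along with an enabled developer mode. It assumes the standard Chromium preference keys `extensions.settings` and `extensions.ui.developer_mode`; the heuristics, function names and sample data are constructed for illustration, since the article does not say how the injected entry is recorded.

```python
import json
from pathlib import Path

COMPONENT_LOCATIONS = {5, 10}      # Chromium Manifest::Location: built-in components
UNPACKED = 4                       # loaded from a local directory, not a store package
WATCHED_NAMES = ("google notes",)  # masquerade name reported in the article

def audit_prefs(prefs):
    """Return findings for one parsed Preferences / Secure Preferences document."""
    if not isinstance(prefs, dict):
        return []
    ext = prefs.get("extensions") or {}
    findings = []
    if (ext.get("ui") or {}).get("developer_mode") is True:
        findings.append({"id": None, "reasons": ["developer_mode_enabled"]})
    for ext_id, entry in (ext.get("settings") or {}).items():
        if not isinstance(entry, dict) or entry.get("location") in COMPONENT_LOCATIONS:
            continue
        name = str((entry.get("manifest") or {}).get("name", ""))
        reasons = []
        if entry.get("location") == UNPACKED:
            reasons.append("unpacked_location")
        if entry.get("from_webstore") is not True:
            reasons.append("not_from_webstore")
        if any(w in name.lower() for w in WATCHED_NAMES):
            reasons.append("watched_name")
        if reasons:
            findings.append({"id": ext_id, "name": name,
                             "path": entry.get("path"), "reasons": reasons})
    return findings

def audit_profile(profile_dir):
    """Audit both preference files of one browser profile directory."""
    results = []
    for fname in ("Secure Preferences", "Preferences"):
        try:
            prefs = json.loads((Path(profile_dir) / fname).read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # file absent or unreadable for this profile
        results += [{"file": fname, **f} for f in audit_prefs(prefs)]
    return results

# Constructed sample data (not taken from the campaign): one store extension,
# one built-in component, one sideloaded entry using the masquerade name.
SAMPLE = {"extensions": {"ui": {"developer_mode": True}, "settings": {
    "a" * 32: {"location": 1, "from_webstore": True, "manifest": {"name": "Ad Filter"}},
    "b" * 32: {"location": 5, "manifest": {"name": "Built-in PDF"}},
    "c" * 32: {"location": 4, "path": "C:\\Users\\Public\\notes",
               "manifest": {"name": "Google Notes"}}}}}
```

Findings are triage leads rather than verdicts: developers legitimately load unpacked extensions, so compare hits against an approved-extension inventory.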

Telemetry data indicates globally distributed infections, with a higher concentration in India. Other impacted countries include the U.S., Brazil, Indonesia, and Spain. As of writing, the Solana address used has a balance of $1,902.45.

Additionally, Socket reported on malicious Chrome and Firefox extensions named ‘VPN Go: Free VPN’ that contain clipboard theft logic, exfiltrating copied text to threat actor-controlled infrastructure. Users are advised to remove these extensions immediately and treat any secrets exposed during their activity as compromised.

CVEs: CVE-2026-20245

Malware: Silent Swap, CountLoader, VPN Go

Companies: McAfee, Socket

Products: Google Notes, VPN Go: Free VPN