GhostAd: The Silent Browser Extension Attack Draining Crypto Wallets on macOS and Windows

Executive Summary

The GhostAd Crypto Drain campaign is a financially motivated malware operation targeting browser-based cryptocurrency wallets on macOS and Windows. The campaign abuses malicious browser extensions, trojanized extension updates, and developer tooling to silently steal wallet credentials and manipulate transactions in real time.

Unlike traditional malware, GhostAd does not rely on exploits or privilege escalation. Instead, it weaponizes user trust, browser extension permission models, and supply-chain weaknesses. Victims typically approve transactions believing them to be legitimate, only to discover assets have been irreversibly drained.

The campaign impacts individual users, Web3 developers, startups, and organizations that allow browser wallet usage on corporate or BYOD endpoints.


Affected Platforms & Technologies

Operating Systems

  • macOS (Intel & Apple Silicon)
  • Windows 10 / Windows 11

Browsers

  • Google Chrome
  • Microsoft Edge
  • Brave
  • Other Chromium-based browsers

Targeted Assets

  • Browser wallet extensions (hot wallets)
  • Wallets connected to hardware devices via browser UI
  • Developer wallets used for testing and deployment
  • Web3 session tokens and approvals

How the Attack Works (Kill Chain)

1. Initial Delivery

GhostAd achieves initial access through social engineering and supply-chain abuse, not exploitation.

Attack vectors include:

Fake Wallet Extensions

  • Malicious extensions published under names that closely resemble real wallets or wallet utilities.
  • Examples include “Wallet Helper”, “Gas Optimizer”, “Transaction Simulator”, or “Web3 Connector”.
  • Icons, branding, documentation, and screenshots are copied from legitimate wallets.
  • Some extensions include limited real functionality to avoid suspicion.

Malicious Developer Tools

  • Extensions marketed as:
    • Code formatters
    • Themes
    • Framework helpers
    • Productivity tools
  • These are heavily used by developers, who are high-value targets due to wallet access.
  • Wallet-stealing logic is hidden inside background scripts.

Trojanized Updates

  • Previously legitimate extensions are updated with malicious JavaScript.
  • Attackers compromise developer accounts or build pipelines.
  • The malicious update is pushed silently via browser auto-update.

Third-Party Extension Marketplaces

  • Extensions distributed through unofficial or alternative marketplaces.
  • Often used by developers seeking niche tooling.

Phishing Pages

  • Victims are redirected to pages prompting them to:
    • “Fix” a wallet issue
    • “Recover” a wallet
    • “Update” a wallet extension
  • These pages deliver malicious extensions directly.

The extensions appear functional and professional, which significantly reduces suspicion.


2. Installation & Permission Abuse

Once installed, the extension requests permissions that appear normal for wallets:

  • Read and modify all website data
  • Access browser tabs
  • Access clipboard
  • Communicate with cooperating websites
  • Run background scripts

Users approve these permissions because legitimate wallets require the same access.

Internally, the extension registers:

  • Background scripts
  • Content scripts injected into wallet pages
  • Event listeners for DOM and transaction activity
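The permission set listed above is also what a defender can score for. The following Python script is an added example, not code from the original advisory or from any extension it names: it reads Chromium manifest.json documents (MV2 host patterns in "permissions", MV3 "host_permissions") and flags the combination of broad host access, clipboard and tab access, a background script, and content scripts that run on every page or on wallet-related hosts. The weights, the threshold and the three sample manifests are constructed for illustration; the extension names are hypothetical.

```python
"""Score Chromium extension manifests for the permission pattern described above.

Added example, not code from the original advisory. Weights and thresholds are
this example's assumptions, not figures from the advisory.
"""
import json
import re

# Permissions a wallet-stealing extension typically asks for (weights assumed).
RISKY_PERMISSIONS = {
    "clipboardRead": 3,
    "clipboardWrite": 2,
    "tabs": 1,
    "webRequest": 2,
    "scripting": 2,
    "nativeMessaging": 3,
}
# Host patterns that amount to "read and modify all website data".
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
WALLET_WORDS = re.compile(r"wallet|gas|swap|web3|metamask|phantom|ledger", re.I)


def score_manifest(manifest):
    """Return {'name', 'score', 'reasons'} for a manifest given as dict or JSON text."""
    if isinstance(manifest, str):
        manifest = json.loads(manifest)
    reasons, score = [], 0
    name = manifest.get("name", "")

    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if perms & set(BROAD_HOSTS):
        score += 4
        reasons.append("broad host access (read and modify all website data)")
    for perm, weight in RISKY_PERMISSIONS.items():
        if perm in perms:
            score += weight
            reasons.append(f"permission {perm}")

    background = manifest.get("background", {})
    if background.get("service_worker") or background.get("scripts"):
        score += 1
        reasons.append("background script registered")

    for cs in manifest.get("content_scripts", []):
        matches = cs.get("matches", [])
        if set(matches) & set(BROAD_HOSTS):
            score += 2
            reasons.append("content script injected into every page")
        if any(WALLET_WORDS.search(m) for m in matches):
            score += 3
            reasons.append("content script targets wallet-related hosts")

    if WALLET_WORDS.search(name):
        score += 1
        reasons.append("wallet-themed name")
    return {"name": name, "score": score, "reasons": reasons}


def triage(manifest_texts, threshold=8):
    """Score raw manifest.json strings and return those at/above threshold, highest first."""
    scored = [score_manifest(t) for t in manifest_texts]
    flagged = [s for s in scored if s["score"] >= threshold]
    return sorted(flagged, key=lambda s: s["score"], reverse=True)


# Constructed sample manifests (hypothetical extensions, not real IDs).
SAMPLE_MANIFESTS = [
    json.dumps({  # wallet-themed helper asking for everything the advisory lists
        "manifest_version": 3, "name": "Wallet Helper",
        "permissions": ["clipboardRead", "tabs", "scripting"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }),
    json.dumps({  # formatter with a narrow footprint
        "manifest_version": 3, "name": "Prettier Pro Format",
        "permissions": ["clipboardWrite", "activeTab"],
        "content_scripts": [{"matches": ["https://github.com/*"], "js": ["fmt.js"]}],
    }),
    json.dumps({"manifest_version": 3, "name": "Dark Theme", "theme": {}}),  # theme only
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_MANIFESTS):
        print(hit["name"], hit["score"], hit["reasons"])
```

Point the script at the manifest.json files under a profile's Extensions directory (or at an extension inventory export) to get a ranked review list; the score is a triage aid, since legitimate wallets request much of the same access, so hits still need a manual look at the publisher and the background script.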

3. Persistence

GhostAd persistence operates at both browser and OS levels.

On macOS

  • LaunchAgents (~/Library/LaunchAgents/)
  • Hidden AppleScript or shell scripts
  • Background helper binaries
  • Reinstallation logic triggered on browser restart
  • Ad-hoc or stolen code-signing certificates

Artifacts commonly appear in:

~/Library/Application Support/
~/Library/Containers/
~/Library/Preferences/

On Windows

  • Registry Run keys
  • Scheduled Tasks
  • Hidden directories

Artifacts commonly appear in:

%AppData%\Local\
%LocalAppData%\Temp\

Browser-level persistence may occur via synced browser profiles, causing reinfection across devices.

The extension may appear removable, but supporting components reinstall it silently.
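The persistence locations listed for both platforms can be swept with a small script. The Python below is an added example, not code from the original advisory: it parses macOS LaunchAgent plists and Windows Run-key values and reports entries that are launched through a shell or script interpreter, live under Temp, run a hidden (dot-prefixed) script, or sit in a random-looking directory under one of the roots named above. The plist, the registry values, the placeholder user and directory names, and the "random-looking" heuristic (alphanumeric, 8+ characters, contains a digit, Shannon entropy of at least 3 bits) are this example's assumptions.

```python
"""Hunt for the macOS and Windows persistence artifacts described above.

Added example, not code from the original advisory. All sample paths and names
below are constructed placeholders, not indicators from the advisory.
"""
import math
import plistlib
import re
from collections import Counter

MAC_ROOTS = ("Application Support", "Containers", "Preferences")
INTERPRETERS = ("/bin/sh", "/bin/bash", "/bin/zsh", "/usr/bin/osascript",
                "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe")


def shannon_entropy(s):
    """Bits per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name):
    """Heuristic for generated directory names (assumption of this example)."""
    return (re.fullmatch(r"[A-Za-z0-9]{8,}", name) is not None
            and any(ch.isdigit() for ch in name)
            and shannon_entropy(name) >= 3.0)


def check_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent plist deserves review (empty list = clean)."""
    agent = plistlib.loads(plist_bytes)
    args = agent.get("ProgramArguments") or [agent.get("Program", "")]
    reasons = []
    if args and args[0].endswith(INTERPRETERS):
        reasons.append(f"launched through interpreter {args[0]}")
    for arg in args:
        for root in MAC_ROOTS:
            m = re.search(rf"/Library/{root}/([^/]+)/", arg)
            if m and looks_random(m.group(1)):
                reasons.append(f"random-looking directory under ~/Library/{root}/: {m.group(1)}")
        if arg.rsplit("/", 1)[-1].startswith("."):
            reasons.append(f"hidden script {arg}")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive (relaunched if killed)")
    return reasons


def check_run_value(command):
    """Return the reasons a Run-key command deserves review (empty list = clean)."""
    reasons = []
    lowered = command.lower()
    if any(i in lowered for i in INTERPRETERS if i.endswith(".exe")):
        reasons.append("launched through script interpreter")
    if "\\appdata\\local\\temp\\" in lowered:
        reasons.append("program under %LocalAppData%\\Temp\\")
    m = re.search(r"\\AppData\\Local\\([^\\]+)\\", command)
    if m and looks_random(m.group(1)):
        reasons.append(f"random-looking directory under %LocalAppData%: {m.group(1)}")
    return reasons


def hunt(launch_agents, run_values):
    """Map each suspicious artifact label to its reasons; clean entries are omitted."""
    findings = {}
    for label, plist_bytes in launch_agents:
        reasons = check_launch_agent(plist_bytes)
        if reasons:
            findings[label] = reasons
    for name, command in run_values:
        reasons = check_run_value(command)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed samples: one LaunchAgent and three Run-key values.
SAMPLE_LAUNCH_AGENTS = [
    ("com.example.updater", b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/bin/sh</string>
    <string>/Users/alice/Library/Application Support/q7x2mk9vz1/.helper.sh</string>
  </array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""),
]
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("BrowserHelper", r'wscript.exe "C:\Users\alice\AppData\Local\k4z9qw2mpx\helper.vbs"'),
    ("Updater", r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
]

if __name__ == "__main__":
    for label, reasons in hunt(SAMPLE_LAUNCH_AGENTS, SAMPLE_RUN_VALUES).items():
        print(label, "->", "; ".join(reasons))
```

On a live host, feed it the plists from ~/Library/LaunchAgents/ and the values of the HKCU and HKLM Run keys; the random-name test deliberately ignores vendor directories such as Microsoft or Google, so normal software under AppData\Local stays quiet while the "<random>" directories from the IOC section stand out.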


4. Wallet Discovery & Monitoring

After persistence, the malware enters a passive reconnaissance phase.

Actions include:

  • Enumerating installed wallet extensions by extension ID
  • Detecting wallet UI DOM elements
  • Hooking JavaScript APIs used by wallets
  • Monitoring clipboard for cryptocurrency addresses
  • Watching for wallet unlock and transaction signing events

The malware avoids aggressive behavior during this phase to reduce detection.


5. Credential & Secret Theft

When opportunities arise, the malware steals sensitive data, including:

  • Seed phrases entered during wallet recovery
  • Private keys exposed in memory
  • Encrypted keystore files
  • Wallet unlock passwords
  • Transaction signatures
  • Session tokens and approvals

Data is exfiltrated over HTTPS and disguised as:

  • Analytics traffic
  • Ad network telemetry
  • Error reporting

Payloads are often base64-encoded or lightly encrypted.
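Because the exfiltration is disguised as analytics or error reporting and only lightly encoded, a proxy log review can decode what the browser is actually sending. The Python below is an added example, not code from the original advisory: it replays constructed proxy records of the form ts|process|method|host|path|body, keeps only browser-initiated requests to hosts outside an allowlist, then decodes any base64-shaped body and looks for wallet markers (an address, or key and seed field names); a blob that decodes to nothing readable is reported on entropy alone. The log format, the .example hosts, the allowlist, the placeholder address and password, and the 4.0-bit entropy threshold are this example's assumptions.

```python
"""Spot base64-wrapped wallet data leaving a browser disguised as telemetry.

Added example, not code from the original advisory. Hosts, bodies and the
allowlist are constructed for illustration.
"""
import base64
import binascii
import math
import re
from collections import Counter

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe",
            "google chrome", "microsoft edge", "brave browser"}
ALLOWLIST = ("google.com", "google-analytics.com", "gstatic.com", "bing.com", "microsoft.com")
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
WALLET_MARKERS = re.compile(r"0x[0-9a-fA-F]{40}|\b(?:seed|mnemonic|private_?key|keystore)\b", re.I)


def shannon_entropy(s):
    """Bits per character of s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def allowlisted(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


def inspect_body(body):
    """Classify a request body; None means not base64-like or nothing notable."""
    if not BASE64_RE.fullmatch(body):
        return None
    try:
        decoded = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Lightly encoded payloads decode to readable wallet state.
    hit = WALLET_MARKERS.search(decoded.decode("utf-8", errors="ignore"))
    if hit:
        return ("wallet-data", hit.group(0))
    # Encrypted payloads do not, so fall back to the blob's entropy.
    entropy = shannon_entropy(body)
    if entropy >= 4.0:
        return ("opaque-blob", round(entropy, 2))
    return None


def hunt(log_text):
    """Return alerts for browser requests to non-allowlisted hosts with suspicious bodies."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, process, method, host, path, body = line.split("|", 5)
        if process.lower() not in BROWSERS or allowlisted(host):
            continue
        verdict = inspect_body(body)
        if verdict:
            alerts.append({"ts": ts, "host": host, "path": path,
                           "kind": verdict[0], "detail": verdict[1]})
    return alerts


def _b64(data):
    return base64.b64encode(data).decode()


# Constructed log lines. The JSON mimics exfiltrated wallet state with placeholder
# values; bytes(range(96)) stands in for an encrypted payload.
WALLET_JSON = b'{"addr":"0x1234567890abcdef1234567890abcdef12345678","unlock":"placeholder-password"}'
SAMPLE_LOG = "\n".join([
    "2025-01-10T12:00:01Z|chrome.exe|POST|www.google-analytics.com|/collect|v=1&tid=UA-1&cid=555",
    "2025-01-10T12:00:07Z|chrome.exe|POST|metrics.cdn-telemetry.example|/v1/analytics|" + _b64(WALLET_JSON),
    "2025-01-10T12:00:09Z|msedge.exe|GET|www.bing.com|/search|q=weather",
    "2025-01-10T12:00:30Z|Slack.exe|POST|files.collab.example|/upload|" + _b64(b"chat-attachment-placeholder-bytes-0123456789"),
    "2025-01-10T12:01:30Z|Google Chrome|POST|errors.static-report.example|/api/error|" + _b64(bytes(range(96))),
    "2025-01-10T12:02:00Z|chrome.exe|POST|www.google.com|/log|" + _b64(bytes(range(96))),
])

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

Only the two browser uploads to unknown hosts are reported: the decoded JSON hit names the address that was leaving, and the opaque blob is flagged on shape and entropy alone. The allowlist is what keeps this usable on real proxy data, since genuine analytics beacons are also base64-heavy; maintain it per environment rather than relying on the substring exclusions in the KQL queries further down.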


6. Transaction Hijacking

This is the most damaging stage.

Techniques include:

  • Replacing destination addresses at signing time
  • Modifying transaction payloads before submission
  • Injecting additional approval transactions
  • Triggering drains immediately after wallet unlock

The wallet UI often shows a legitimate transaction, while the actual signed payload routes funds to attacker-controlled addresses.

Victims believe they approved a normal transaction.


7. Monetization & Cleanup

Stolen assets are rapidly:

  • Split across multiple addresses
  • Bridged across blockchains
  • Routed through mixers or high-liquidity exchanges

To reduce forensic visibility, the malware may:

  • Clear local logs
  • Disable itself
  • Remove temporary files
  • Go dormant until reactivated

Indicators of Compromise (IOCs)

File Hashes (SHA-256)

7185a439005033b45b48294b302973898e68d8c898003f98acc275b27948ad40
a039c862807a14482169db0db5904749b7e5d733807418430d1cc3c2e3724f96
ebd4365923964218caa24c9f88f009aefa7f1427a20f0f02927c98285734dae5
13805e77fb44a5a5af829f13ee494b9cfc4d5c9b470d51014cd506bd40c57426
91eb6afb903b2155246cb64289b4c2554922e0472fb355091843e0138c91a114

Known Malicious / Suspicious Extensions

studio-velte-distributor.pro-svelte-extension
cudra-production.vsce-prettier-pro
puccin-development.full-access-catppuccin-pro-extension

File System Artifacts

macOS

~/Library/LaunchAgents/*.plist
~/Library/Application Support/<random>/
~/Library/Containers/<random>/

Windows

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
%AppData%\Local\<random>\

Behavioral Indicators

  • Clipboard crypto addresses changing unexpectedly
  • Wallet balances drained immediately after unlock
  • Browser extensions reinstalling after removal
  • Unexpected transaction approvals
  • Browser processes making unusual outbound HTTPS connections
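The first behavioral indicator, a copied address changing under the user, can be turned into a concrete rule if clipboard writes are logged with the writing process. The Python below is an added example, not code from the original advisory: it walks constructed clipboard-write events (timestamp, process, new content) and raises an alert when a cryptocurrency address is overwritten within a short window by a different address of the same kind from a different process, while ignoring a user copying two addresses from the same application. The event format, the 2-second window, and the addresses (placeholders, not real wallets) are this example's assumptions; it covers Ethereum, bech32 and legacy Bitcoin address shapes, which goes slightly beyond the page's generic wording.

```python
"""Detect clipboard address swapping from a stream of clipboard-write events.

Added example, not code from the original advisory. Events, window and
addresses are constructed for illustration.
"""
import re

ADDRESS_FAMILIES = {
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
    "btc-bech32": re.compile(r"bc1[ac-hj-np-z02-9]{39,59}"),
    "btc-legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
}


def address_family(text):
    """Name of the address family that text (trimmed) fully matches, else None."""
    text = text.strip()
    for family, pattern in ADDRESS_FAMILIES.items():
        if pattern.fullmatch(text):
            return family
    return None


def detect_swaps(events, window_s=2.0):
    """Alert on address writes that replace a recent address written by another process."""
    alerts = []
    last = None  # most recent clipboard write that held an address
    for ev in sorted(events, key=lambda e: e["ts"]):
        family = address_family(ev["content"])
        if family is None:
            last = None  # non-address content breaks the chain
            continue
        if (last is not None and last["family"] == family
                and ev["content"] != last["content"]
                and ev["process"] != last["process"]
                and ev["ts"] - last["ts"] <= window_s):
            alerts.append({
                "ts": ev["ts"], "process": ev["process"], "family": family,
                "original": last["content"], "replaced_by": ev["content"],
                "delay_s": round(ev["ts"] - last["ts"], 3),
            })
        last = {"ts": ev["ts"], "process": ev["process"],
                "content": ev["content"], "family": family}
    return alerts


# Constructed clipboard-write events (ts in seconds since monitoring started).
SAMPLE_EVENTS = [
    {"ts": 0.0, "process": "Terminal", "content": "0x1234567890abcdef1234567890abcdef12345678"},
    {"ts": 0.4, "process": "Google Chrome", "content": "0xfedcba0987654321fedcba0987654321fedcba09"},  # swap
    {"ts": 45.0, "process": "Notes", "content": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"},
    {"ts": 45.5, "process": "Google Chrome", "content": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"},  # same value
    {"ts": 120.0, "process": "Terminal", "content": "0x" + "a" * 40},
    {"ts": 121.5, "process": "Terminal", "content": "0x" + "b" * 40},  # same writer, not a swap
    {"ts": 200.0, "process": "Google Chrome", "content": "meeting notes"},
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_EVENTS):
        print(alert)
```

Only the write at 0.4 s is reported: an address from Terminal replaced by a different Ethereum address from the browser within the window. The writing process is the key field; EDR clipboard telemetry that omits it reduces this to a noisier "two addresses within two seconds" rule.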

Detection Logic

Recommended Log Sources

  • Endpoint EDR telemetry
  • Windows Security & Sysmon logs
  • macOS Unified Logs
  • Browser extension inventory logs
  • Proxy, DNS, and firewall logs

Splunk Queries

Known Hash Detection

index=endpoint FileHash IN (
"7185a439005033b45b48294b302973898e68d8c898003f98acc275b27948ad40",
"a039c862807a14482169db0db5904749b7e5d733807418430d1cc3c2e3724f96",
"ebd4365923964218caa24c9f88f009aefa7f1427a20f0f02927c98285734dae5",
"13805e77fb44a5a5af829f13ee494b9cfc4d5c9b470d51014cd506bd40c57426",
"91eb6afb903b2155246cb64289b4c2554922e0472fb355091843e0138c91a114"
)

Suspicious Extension Installation

index=endpoint EventType="BrowserExtensionInstalled"
| search ExtensionName="*wallet*" OR ExtensionName="*dev*"

Microsoft Sentinel (KQL)

Hash Detection

DeviceFileEvents
| where SHA256 in (
"7185a439005033b45b48294b302973898e68d8c898003f98acc275b27948ad40",
"a039c862807a14482169db0db5904749b7e5d733807418430d1cc3c2e3724f96",
"ebd4365923964218caa24c9f88f009aefa7f1427a20f0f02927c98285734dae5",
"13805e77fb44a5a5af829f13ee494b9cfc4d5c9b470d51014cd506bd40c57426",
"91eb6afb903b2155246cb64289b4c2554922e0472fb355091843e0138c91a114"
)

Suspicious Browser Traffic

DeviceNetworkEvents
| where InitiatingProcessFileName in ("chrome.exe","msedge.exe","brave.exe")
| where RemoteUrl !contains "google"
| where RemoteUrl !contains "microsoft"

Industries & Organizations Impacted

Directly Impacted

  • Cryptocurrency traders
  • Web3 developers
  • DeFi users
  • NFT creators and marketplaces

Indirectly Impacted

  • Blockchain startups
  • Software development firms
  • Organizations allowing personal wallets on corporate devices
  • Companies with permissive BYOD policies

High-Risk User Profiles

  • Developers installing many extensions
  • Users managing multiple wallets
  • Individuals using hot wallets for large balances
  • macOS users assuming platform immunity

Key Takeaway

GhostAd succeeds because it looks legitimate, behaves quietly, and exploits trust.
As long as browser wallets remain central to Web3 workflows, malicious extensions will remain one of the most dangerous and least detected attack vectors.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.