- Jaime flagging popular extensions here. My findings/thoughts: 🔹 15ish fresh (this week) domains, each w/ their own extension tie-in. 🔹 Links back to early 2024 extensions, similar abuse, but focused on ad-blocking, AI, YouTube, extensions. 🔹 VIBESINT = opportunistic scam. 🧵...
- Infra breakdown: Newest activity is sitting on 149.28.124.84 (🇺🇸 AS 20473 CHOOPA). One of the first related domains on this is ext.linewizeconnect[.]com, which has its root domain sitting on 136.244.115.219 (🇺🇸 AS 20473 CHOOPA). 🔹 Timeline from Validin (h/t @kennethkinion.bsky.social)
- 136.244.115.219 is very similar, with lots of other domains, extension themed, going back to early 2024. I fully expect more pivots can be found with minimal effort. 🔹 IOC List (both): pastebin.com/8vKED1NC 🔹 Heavy Namecheap use for registering. Dec 27, 2024 05:47
- It's pretty easy to look into the email, telegrams, and stolen headshots used in this set of activity. I suspect it's centered around illicit bulk data collection/selling, but the opportunity for greater impact is obviously high here. 🔹 Nuke these extensions from your networks.
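
One way to check your own DNS logs against the indicators quoted in the thread, as an added example that is not part of the original posts. The four-column log format (timestamp, client, query name, answer), the sample lines and the function names are assumptions constructed for illustration; only the two IPs and the one hostname come from the thread.

```python
import ipaddress

# Indicators quoted in the thread, kept defanged as posted.
THREAD_IOCS = ["149.28.124.84", "136.244.115.219", "ext.linewizeconnect[.]com"]

# Constructed sample log (assumed format: timestamp client qname answer).
SAMPLE_LOG = [
    "2024-12-27T05:50:01Z 10.0.0.12 EXT.LinewizeConnect.com. 198.51.100.7",
    "2024-12-27T05:51:10Z 10.0.0.31 cdn.example.net 149.28.124.84",
    "2024-12-27T05:52:44Z 10.0.0.12 notext.linewizeconnect.com.example.org 203.0.113.9",
    "2024-12-27T05:53:02Z 10.0.0.40 www.example.com NXDOMAIN",
    "2024-12-27T05:54:19Z 10.0.0.55 api.ext.linewizeconnect.com 136.244.115.219",
]

def refang(value):
    """Undo defanging and normalise case/trailing dot for comparison."""
    return value.strip().replace("[.]", ".").replace("(.)", ".").lower().rstrip(".")

def load_iocs(raw):
    """Split refanged indicators into an IP set and a hostname set."""
    ips, hosts = set(), set()
    for item in raw:
        v = refang(item)
        try:
            ips.add(ipaddress.ip_address(v))
        except ValueError:
            hosts.add(v)
    return ips, hosts

def host_matches(qname, hosts):
    """True if qname is an IOC hostname or a subdomain of one (label-aligned)."""
    q = refang(qname)
    return any(q == h or q.endswith("." + h) for h in hosts)

def sweep(lines, raw_iocs=THREAD_IOCS):
    """Return (client, qname, answer, reason) for every line touching an IOC."""
    ips, hosts = load_iocs(raw_iocs)
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line, skip
        _ts, client, qname, answer = parts
        reasons = ["hostname"] if host_matches(qname, hosts) else []
        try:
            if ipaddress.ip_address(answer) in ips:
                reasons.append("resolved-ip")
        except ValueError:
            pass  # answer is not an IP (NXDOMAIN, CNAME target, ...)
        if reasons:
            hits.append((client, refang(qname), answer, "+".join(reasons)))
    return hits
```

Matching on the resolved IP as well as the hostname catches clients that reached the same hosts through a domain not yet on any list, which fits the thread's expectation that more pivots exist.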