Cyberhaven Incident
Ongoing Updates

Stay updated on the latest developments of the Chrome Web Store incident involving Cyberhaven's compromised extension.

Cyberhaven, a cybersecurity company, experienced a significant breach involving its Chrome browser extension, which attackers exploited to inject malicious code into users’ browsers. This code enabled the theft of sensitive data, including passwords and cookies, compromising the security of around 400,000 users. Following the breach, a threat campaign targeting 2,600,000 users on the Chrome Web Store was exposed.

Read about the incident here.


Incident Updates

Update

Timestamp

Incident Update
At this moment the scope of the compromised extensions seems to be contained. So far, a total of 36 compromised Chrome extensions have been detected (IOCs at the bottom of the page). We continue to monitor in order to detect further infections and copycat threat actors. We are working closely with affected organizations to help handle compromised users. We offer a briefing on the incident, which you can schedule with our team here.


We will continue to update as more findings arise.
11:08 UTC January 1st, 2025
New Compromised Extension Finding
Our team detected an additional compromised extension, previously unknown.

- Where is Cookie? 🔴 Not yet addressed
emedckhdnioeieppmeojgegjfkhdlaeo
13:12 UTC December 31st, 2024
New Malicious Extensions Findings
Our team detected 4 more compromised extensions, previously unknown.

- Web Mirror 🔴 Not yet addressed
eaijffijbobmnonfhilihbejadplhddo

- ChatGPT App 🔴 Not yet addressed
lbneaaedflankmgmfbmaplggbmjjmbae

- Hi AI 🔴 Not yet addressed
hmiaoahjllhfgebflooeeefeiafpkfde

- Web3Password Manager 🔴 Not yet addressed
pdkmmfdfggfpibdjbbghggcllhhainjo
6:17 UTC December 31st, 2024
Status Update on Compromised Extensions
Our current status update on the compromised extensions.

- YesCaptcha assistant 🔴 Not yet addressed
jiofmdifioeejeilfkpegipdjiopiekl@1.1.61

- Bookmark Favicon Changer 🟢 Addressed in 5.1
acmfnomgphggonodopogfbmkneepfgnh@4.00

- Proxy SwitchyOmega (V3) 🔴 Not yet addressed
hihblcmlaaademjlakdpicchbjnnnkbo@3.0.2

- GraphQL Network Inspector 🟢 Addressed in 2.22.7
ndlbedplllcgconngcnfmkadhokfaaln@2.22.6

- AI Assistant 🟢 Removed from store
bibjgkidgpfbblifamdlkdlhgihmfohh

- Bard AI chat 🟢 Removed from store
pkgciiiancapdlpcbppfkmeaieppikkk

- ChatGPT for Google Meet 🟢 Removed from store
epdjhgbipjpbbhoccdeipghoihibnfja

- Search Copilot AI Assistant for Chrome 🟢 Removed from store
bbdnohkpnbkdkmnkddobeafboooinpla

- TinaMind 🟢 Addressed in 2.14.0
befflofjcniongenjmbkgkoljhgliihe

- Wayin AI 🟢 Addressed in 0.0.11
cedgndijpacnfbdggppddacngjfdkaca

- VPNCity 🔴 Not yet addressed
nnpnnpemnckcfdebeekibpiijlicmpom

- Internxt VPN 🟢 Addressed in 1.2.0
dpggmcodlahmljkhlmpgpdcffdaoccni

- Vidnoz Flex 🟢 Removed from store
cplhlgabfijoiabgkigdafklbhhdkahj

- VidHelper 🔴 Not yet addressed
egmennebgadmncfjafcemlecimkepcle

- Castorus 🟢 Addressed in 4.41
mnhffkhmpnefgklngfmlndmkimimbphc

- Uvoice 🔴 Not yet addressed
oaikpkmjciadfpddlpjjdapglcihgdle

- Reader Mode 🔴 Not yet addressed
fbmlcbhdmilaggedifpihjgkkmdgeljh

- ParrotTalks 🔴 Not yet addressed
kkodiihpgodmdankclfibbiphjkfdenh

- Primus 🟢 Addressed in 3.20.0
oeiomhmbaapihbilkfkhmlajkeegnjhe

- Keyboard History Recorder 🔴 Not yet addressed
igbodamhgjohafcenbcljfegbipdfjpk

- ChatGPT Assistant 🔴 Not yet addressed
bgejafhieobnfpjlpcjjggoboebonfcg

- Reader Mode 🟢 Removed from store
llimhhconnjiflfimocjggfjdlmlhblm

- Visual Effects for Google Meet 🟢 Addressed in 3.2.4
hodiladlefdpcbemnbbcpclbmknkiaem

- AI Shop Buddy 🔴 Not yet addressed
epikoohpebngmakjinphfiagogjcnddm

- Cyberhaven V3 Security Extension 🟢 Addressed
pajkjnmeojmbapicmbpliphjmcekeaac

- Earny 🔴 Not yet addressed
ogbhbgkiojdollpjbhbamafmedkeockb

- Rewards Search Automator 🔴 Not yet addressed
eanofdhdfbcalhflpbdipkjjkoimeeod

- Tackker 🟢 Addressed
ekpkdmohpdnebfedjjfklhpefgpgaaji

- Sort By 🔴 Not yet addressed
miglaibdlgminlepgeifekifakochlka

- Email Hunter 🔴 Not yet addressed
mbindhfolmpijhodmgkloeeppmkhpmhc

- ChatGPT Quick Access 🟢 Removed from store
didhgeamncokiaegffipckhhcpnmlcbl
16:40 UTC December 30th, 2024
ExtensionTotal Reveals 4 Malicious Chrome Extensions Previously Unknown
Our team found an additional 4 malicious Chrome extensions that are still active and available on the Chrome Web Store, impacting 500,000 users.
IDs:

- YesCaptcha assistant
jiofmdifioeejeilfkpegipdjiopiekl@1.1.61

- Bookmark Favicon Changer
acmfnomgphggonodopogfbmkneepfgnh@4.00

- Proxy SwitchyOmega (V3)
hihblcmlaaademjlakdpicchbjnnnkbo@3.0.2

- GraphQL Network Inspector
ndlbedplllcgconngcnfmkadhokfaaln@2.22.6
13:00 UTC December 30th, 2024
Compromised Chrome Extensions Found
After further investigation, many more Chrome extensions were found to be impacted by the same campaign. Their IDs are:

6:00 UTC December 30th, 2024
Breach revealed
Cyberhaven sent an email to its users informing them that its extension had been compromised after an administrator account pushed a new update with malicious code to the Chrome Web Store. Read our detailed breakdown about the incident here.
1:00 UTC December 27th, 2024

IOCs

IOC

Type

Domains
199.59.243.227 (Suspicious domain is no longer attached)
IPs
Chrome extension IDs