Overview

On 27 December 2024, the technology company Cyberhaven reported that an unnamed actor replaced its Google Chrome extension on the Google Chrome Web Store with a malicious version. The actor used a phishing email to compromise a developer’s account by getting the developer to authorize a malicious third-party application. DomainTools researchers reviewed publicly available information related to this incident and discovered that the Cyberhaven incident is part of a months-long campaign likely attempting to impact multiple companies, primarily in the technology sector.

Summary of the Cyberhaven Incident

Cyberhaven’s initial analysis of the incident revealed that the actor sent a phishing email claiming that the recipient’s Chrome extension was at risk of being removed from the Chrome Web Store due to policy violations. A link in the email purported to allow the recipient to acknowledge those policies and avoid removal of the extension. Clicking on the link led the recipient through the process of adding a malicious third-party application named “Privacy Policy Extension” to the recipient’s Google account – a tactic commonly known as OAuth phishing. The malicious application received permissions to publish Chrome Web Store extensions, allowing the actor to replace Cyberhaven’s extension with a new version containing malicious code.    

The malicious code comprised two altered JavaScript files:

  • worker.js: This script contacted the actor-controlled domain, cyberhavenext[.]pro, which served as command and control (C2) for the incident. The script fetched configuration data from that server, stored it in Chrome’s local storage, and listened for events from the second script, content.js.
  • content.js: This script collected user data from specific websites. The file used in the Cyberhaven incident specifically targeted Facebook-related data such as access tokens, user IDs, account details, business accounts, ad account information, cookies, and user agent strings. The script exfiltrated all compromised data to actor-controlled infrastructure.

Connections to a Broader Campaign

Cyberhaven shared indicators of compromise (IOCs) related to the attack. DomainTools researchers analyzed this information and discovered a large network of infrastructure likely used in similar attacks against other targets. Some of the related domains include:

  • cyberhavenext[.]pro
  • api.cyberhaven[.]pro
  • app.checkpolicy[.]site

The reported C2 domain for the incident, cyberhavenext[.]pro, resolved to the IP address 149.28.124[.]84, which is allocated to the hosting provider Vultr. Passive DNS data in the Iris Investigate platform shows 18 domains resolving to this IP address since 5 November 2024, with the majority beginning to resolve in the last week of December 2024. It is likely that these domains are part of a broader campaign that includes the Cyberhaven incident. This assessment is made with high confidence based on the following factors:

  • IP address overlap – Likely related domains resolve to the same IP addresses within close time proximity.
  • Whois similarities – Domains share similarities in whois information: Namecheap registrar, registrar-servers[.]com for NS and MX, and use of Let’s Encrypt certificates.
  • Domain naming conventions – Domain names spoof specific software products such as AI tools, VPNs, adblockers, and other general web browsing tools.
  • Top Level Domains (TLDs) – Heavy use of the .pro TLD along with .live, .info, .com, .net, .ink, and .vip.
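The four pivots above can be turned into a repeatable scoring check. This is an added illustration, not DomainTools’ tooling or the Iris Investigate query behind the report; the records, the 14-day proximity window and the three-pivot threshold are constructed assumptions, and the IPs are RFC 5737 documentation addresses rather than the campaign’s.

```python
from datetime import date

# Constructed records (not the report's IOCs): one confirmed C2 as the seed and
# three passive-DNS candidates. IPs are RFC 5737 documentation addresses.
SEED = {"domain": "seed-c2.pro", "ip": "203.0.113.10", "first_seen": date(2024, 12, 24),
        "registrar": "Namecheap", "ns": "dns1.registrar-servers.com", "ca": "Let's Encrypt"}
CANDIDATES = [
    {"domain": "freevpnext.live", "ip": "203.0.113.10", "first_seen": date(2024, 12, 27),
     "registrar": "Namecheap", "ns": "dns2.registrar-servers.com", "ca": "Let's Encrypt"},
    # Same IP, but an old, unrelated tenant of the same hosting provider.
    {"domain": "corp-mail.example.org", "ip": "203.0.113.10", "first_seen": date(2024, 1, 3),
     "registrar": "MarkMonitor", "ns": "ns1.example.org", "ca": "DigiCert"},
    {"domain": "gptsummary.ink", "ip": "203.0.113.11", "first_seen": date(2024, 12, 26),
     "registrar": "Namecheap", "ns": "dns1.registrar-servers.com", "ca": "Let's Encrypt"},
]

# Product words the campaign's names imitate (AI tools, VPNs, ad blockers,
# extension/policy lures) and the TLDs it favours, following the pivots above.
PRODUCT_WORDS = ("vpn", "adblock", "blockads", "gpt", "gemini", "ext", "policy", "captcha", "proxy")
TLDS = {"pro", "live", "info", "com", "net", "ink", "vip"}
IP_WINDOW_DAYS = 14  # assumed meaning of "close time proximity"

def matched_criteria(cand, seed):
    """Return which of the four pivots a candidate domain shares with the seed."""
    hits = []
    same_ip = cand["ip"] == seed["ip"]
    close = abs((cand["first_seen"] - seed["first_seen"]).days) <= IP_WINDOW_DAYS
    if same_ip and close:
        hits.append("ip_overlap")
    if (cand["registrar"] == "Namecheap" and cand["ns"].endswith("registrar-servers.com")
            and cand["ca"] == "Let's Encrypt"):
        hits.append("whois")
    label, tld = cand["domain"].rsplit(".", 1)
    if any(word in label for word in PRODUCT_WORDS):
        hits.append("naming")
    if tld in TLDS:
        hits.append("tld")
    return hits

def cluster(candidates, seed, min_hits=3):
    """Keep candidates matching at least min_hits pivots. A shared IP alone is
    not enough: the unrelated tenant above scores zero and is dropped."""
    related = {}
    for cand in candidates:
        hits = matched_criteria(cand, seed)
        if len(hits) >= min_hits:
            related[cand["domain"]] = hits
    return related
```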

Research revealed additional related domains on other Vultr IP addresses:

  • 149.248.2[.]160
  • 136.244.115[.]219
  • 45.76.225[.]148

Data from the urlscan platform shows that some of the related domains hosted configurations similar to the one reported by Cyberhaven. For example, urlscan data for the domain internxtvpn[.]pro shows a similarly formatted configuration for targeting data from the ChatGPT platform:

{"code":2000,"internxtvpna":"https:\/\/chatgpt.com\/api\/*","internxtvpnb":"https:\/\/chatgpt.com\/public-api\/conversation_limit","internxtvpnc":"chatgpt.com","internxtvpnd":"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","internxtvpne":"backend-api\/me","internxtvpnf":"https:\/\/chatgpt.com","internxtvpng":"https:\/\/chatgpt.com\/backend-api\/compliance","internxtvpnh":"https:\/\/chatgpt.com\/api\/auth\/session","internxtvpni":"auth","internxtvpnk":"https:\/\/chatgpt.com"}

Configuration recorded by urlscan on 29 December 2024.
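The configuration above is keyed by an extension-specific prefix followed by a single letter, and the same shape recurs across the related domains. An analyst triaging urlscan responses can pull out the targeted host, the URL patterns and any embedded token without knowing what each lettered key means. This is an added example, not code from the report; the prefix-grouping heuristic and the sample values are assumptions, with the key prefix and token replaced by placeholders.

```python
import json
import os
from urllib.parse import urlparse

# Constructed sample in the same shape as the captured config; the key prefix
# and the token value are placeholders, not the real captured values.
SAMPLE = json.dumps({
    "code": 2000,
    "fakeexta": "https://chatgpt.com/api/*",
    "fakeextb": "https://chatgpt.com/public-api/conversation_limit",
    "fakeextc": "chatgpt.com",
    "fakeextd": "sk-PLACEHOLDER-TOKEN",
    "fakeexte": "backend-api/me",
    "fakeextf": "https://chatgpt.com",
    "fakeexth": "https://chatgpt.com/api/auth/session",
    "fakeexti": "auth",
})

def parse_config(blob):
    """Summarise an extension C2 config: the key prefix (which ties the config
    to one spoofed product), the hosts it targets, the URL patterns it matches,
    and any opaque token-like strings bundled with it."""
    cfg = json.loads(blob)
    keys = [k for k in cfg if k != "code"]
    # Assumption: every non-"code" key is one shared prefix plus one letter.
    prefix = os.path.commonprefix(keys)
    urls, hosts, tokens = [], set(), []
    for key in keys:
        value = cfg[key]
        if not isinstance(value, str):
            continue
        if value.startswith(("http://", "https://")):
            urls.append(value)
            hosts.add(urlparse(value).hostname)
        elif "." in value and "/" not in value and " " not in value:
            hosts.add(value)            # bare hostname such as chatgpt.com
        elif "/" not in value and "." not in value and len(value) >= 12:
            tokens.append(value)        # opaque secret-looking value
    return {"prefix": prefix, "hosts": hosts, "url_patterns": urls, "tokens": tokens}
```

Feeding the summary into a blocklist or proxy alert on the extracted hosts and URL patterns is the defensive use; the token list tells you whether captured credentials need rotating.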

Data from urlscan also shows some of the identified infrastructure hosting credential phishing pages as far back as February 2024. Figure 2 shows a credential phishing page for an unidentified service hosted on admin-set.tkpartner[.]pro (left) and a phishing page likely meant to spoof Facebook’s Business Manager service hosted on tkadmin7.tkv2[.]pro (right). There is not enough evidence to determine how potential victims were directed to these pages or how the actor responsible leveraged compromised credentials.

Figure 2. Credential phishing pages hosted on infrastructure likely related to that used in the Cyberhaven incident.

Conclusion

It is likely that the Cyberhaven incident was part of a months-long campaign seeking access to sensitive data related to popular web services such as Facebook and ChatGPT. This assessment is made with high confidence based on identified infrastructure, the usage time frame of the infrastructure, and code within the actor’s configuration files. Observed tactics, techniques, and procedures (TTPs) indicate this actor is more likely criminal than state-sponsored.

IOCs
