The Initial Lure and DLL Side-Loading Phase
The campaign begins with targeted email lures designed to exploit typical business workflows. In observed cases, the attackers distribute phishing emails disguised as standard commercial invoices. The attached archive contains an obfuscated JavaScript file using a deceptive double extension pattern, such as Fattura-2819889242.pfd.js, which mimics a benign document to trick the recipient.
When an unsuspecting user executes the JavaScript payload, the local Windows Script Host (wscript.exe) handles the script, decoding and writing two distinct files directly to the user's temporary directory (%TEMP%):
client_124578.exe: A legitimate, digitally signed binary associated with Epic Games.
d3d11.dll: A rogue, attacker-controlled dynamic-link library designed to exploit binary dependencies.
By executing the signed Epic Games application from the temporary directory, the malware forces the operating system to load the malicious d3d11.dll instead of the system's legitimate graphics driver DLL. This technique, known as DLL side-loading, allows the attacker to execute arbitrary shell code under the guise of a trusted, digitally signed process, making initial endpoint detection difficult for basic antivirus tools.
Enterprise Policy Manipulation and Silent Extension Deployment
Once the side-loaded DLL obtains execution rights, it initiates a hidden PowerShell process to tamper with Chrome's administrative registry structures. In enterprise environments, administrative policies allow central IT teams to force the installation of specific extensions or restrict their sources. The malware abuses these exact administrative mechanisms by writing direct policy overrides to the local Windows Registry.
The PowerShell script target-modifies the following registry paths:
By setting these policy values, the malware permits Chrome to silently download and install extensions from local and unverified locations (specifically setting the allowed source to http://localhost:8080/*). Consequently, Google Chrome is forced to silently load a malicious browser extension named Cloud vn105rkj64, which carries the unique extension identifier gghagmhimhgfeajfdmjkgmmehbokmglg. Because the extension is loaded via enterprise policy, the user is neither prompted for approval nor given the ability to disable or remove the extension manually through the standard browser interface.
Deep Technical Analysis of the Sandbox Escape
Standard Chrome browser extensions run inside a highly restricted, sandboxed environment that isolates them from the local filesystem, network sockets, and other operating system resources. To break out of this sandbox, the malicious extension exploits a legitimate, built-in integration feature known as the Native Messaging API.
The Native Messaging API is designed to let extensions communicate with local desktop applications using a basic standard input and standard output protocol. The malware configures this bridge through the following sophisticated sequence:
1. Compiling the Local Native Host
During the execution phase, the malware invokes the native Microsoft C# compiler (csc.exe) on the compromised system to dynamically build a tailored C# executable from source code dropped to disk. This newly compiled binary acts as the local Native Messaging Host, bypassing typical binary-signature checks since it is compiled locally by a trusted system compiler.
2. Registering the Native Messaging Host
To register the host with Google Chrome, the installer creates a specific registry key under: HKCU ext{Software} ext{Google} ext{Chrome} ext{NativeMessagingHosts} ext{com.vn105rkj64.tr7qprrt7g. This key points directly to a JSON manifest file that defines the local path to the compiled C# executable and whitelists the rogue extension ID (gghagmhimhgfeajfdmjkgmmehbokmglg) as an allowed origin.
3. Bypassing the Sandbox via Bidirectional Messaging
When the Chrome extension initializes, it utilizes the chrome.runtime.connectNative function to establish a connection with the registered host identifier. Chrome launches the local C# host process under the current user's security context and opens a dedicated, bidirectional stdio communication channel. This effectively destroys the browser sandbox: the extension can now send JSON-formatted commands to the local host executable, which translates them into arbitrary PowerShell commands executed directly on the host system.
Enterprise Operational and Identity Risks
Once the browser-to-host execution bridge is established, the threat actors obtain an interactive backdoor with direct system privileges. The extension contacts its Command and Control server at ext2[.]info, sending initial reconnaissance data, system details, active URLs, and stolen browser cookies. This capability facilitates immediate session hijacking, allowing attackers to duplicate active logins for critical corporate portals, cloud platforms, and internal services without triggering multi-factor authentication checks.
If you suspect that your organization's domains or credentials have already been exposed to underground markets via this campaign or similar info-stealing tactics, you should evaluate your current exposure immediately. Free domain exposure scan: Use FemtoSec's Dark Web Scanner to check dark web mentions, compromised account indicators, malware log signals, public breach exposure, and recent underground market activity for your domain. Implementing proactive Dark Web Monitoring is also crucial to alert security teams when employee browser sessions or corporate credentials appear on underground markets.
MITRE ATT&CK Matrix Mapping
The operational techniques used in this campaign align directly with established adversary patterns:
Initial Access: Spearphishing Attachment (T1566.001) and User Execution of a Malicious File (T1204.002).
Execution: Scripting via JavaScript (T1059.007) and PowerShell Command Execution (T1059.001).
Persistence & Evasion: DLL Side-Loading (T1574.002), Registry Tampering (T1112), and Rogue Browser Extensions (T1176).
Credential Access: Web Session Cookie Theft (T1539) to facilitate session hijacking.
Command and Control: Application Layer Web Protocols (T1071.001) utilizing HTTPS channels to the remote C2 server.