A deceptive Chrome extension named Safery: Ethereum Wallet has emerged as a serious threat to cryptocurrency users.

Published on the Chrome Web Store on November 12, 2024, this extension masquerades as a secure Ethereum wallet while secretly stealing user seed phrases.

The malware’s sophisticated design allows attackers to gain complete control over victims’ cryptocurrency wallets and drain their digital assets.

The extension operates with a cunning approach to theft. When users create or import a wallet, the extension extracts their seed phrase and encodes it into synthetic Sui blockchain addresses.

It then broadcasts tiny microtransactions of 0.000001 SUI to these encoded addresses from a threat actor-controlled wallet. To observers, these appear as normal blockchain activity, but they actually contain hidden user data.

Socket.dev security analysts identified the malicious extension and discovered its evasive tactics.

The researchers noted that the backdoor uses BIP-39 mnemonic encoding, transforming each seed phrase word into numeric indices and packing them into hexadecimal strings that resemble legitimate Sui wallet addresses.

This clever approach hides data within blockchain transactions, eliminating the need for traditional command-and-control servers.

Technical Mechanism

The technical mechanism reveals the extension’s sophistication. When examining the extension code, analysts found it loads a standard wordlist, maps each word to its index, and constructs synthetic addresses prefixed with “0x”.

A paired decoder embedded in the malware allows the threat actor to reverse this process, reconstructing the original seed phrase word by word.

The code silently executes these operations after a user enters their seed phrase, sending exfiltration data across the blockchain before completing the login process.

The threat proves especially dangerous because the extension appears legitimate on the Chrome Web Store. Users searching for Ethereum wallets find it listed as the fourth result alongside trusted alternatives like MetaMask and Enkrypt, lending it false credibility.

Once a victim installs the extension and imports their wallet, the attacker gains access to all derived Ethereum private keys and can transfer all assets to their own addresses, resulting in complete financial compromise.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Malicious Chrome Extension as Ethereum Wallet Enables Full Wallet Takeover appeared first on Cyber Security News.

In August 2025, a new ransomware threat emerged with capabilities that fundamentally changed how organizations should approach enterprise security.

Kraken, a Russian-speaking cybercriminal group, began executing sophisticated attacks targeting large organizations across multiple continents.

What makes Kraken particularly dangerous is its ability to attack Windows, Linux, and VMware ESXi systems with platform-specific tools, making it one of the first truly cross-platform ransomware threats to gain widespread notoriety in enterprise circles.

The Kraken group appears to be connected to the HelloKitty ransomware operation, with security researchers suspecting the group emerged from the remnants of that previous criminal organization.

This connection becomes evident through shared ransom note filenames and explicit references on the group’s leak site.

In September 2025, Kraken announced a new underground forum called “The Last Haven Board,” designed to create a secure communication hub for the cybercriminal community.

Notably, HelloKitty operators announced their support for this new platform, solidifying the link between these groups.

Cisco Talos security analysts identified Kraken conducting double-extortion attacks in which victims are both encrypted and threatened with data publication.

The group employs a sophisticated multi-stage attack methodology that begins with SMB vulnerability exploitation on internet-exposed servers.

Once inside a system, attackers steal privileged credentials and use them to maintain persistent access through Remote Desktop Protocol connections.

To establish long-term presence, attackers deploy Cloudflared for creating reverse tunnels and SSH Filesystem tools for data exfiltration.

Before deploying encryption, the ransomware performs a unique benchmarking operation to measure how fast it can operate on the victim’s machine without causing immediate detection through system resource exhaustion.

Encryption and Command-Line Flexibility

Kraken’s technical sophistication becomes apparent through its extensive command-line options. The ransomware uses RSA-4096 and ChaCha20 encryption algorithms, providing strong cryptographic protection.

Attackers can customize attacks using parameters like timeout delays, file size limits, and encryption depth selections.

For Windows systems, the command format follows: Encryptor.exe –key <32-byte key> -path <targeted path> -t.

Linux and ESXi versions use ELF binaries with options like daemon mode execution and SSH remote capabilities.

The ransomware features partial and full encryption modes, allowing attackers to optimize between encryption speed and maximum damage.

Notably, Kraken actively encrypts SQL databases and network shares while automatically skipping critical system files and Program Files directories to maintain victim system functionality for ransom negotiations.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Kraken Cross-Platform Ransomware Attacking Windows, Linux, and VMware ESXi Systems in Enterprise Environments appeared first on Cyber Security News.