Copyfish Chrome extension shipped malware

Copyfish was one of the legitimate Chrome extensions affected by the 2017 developer-account phishing spree. Attackers used stolen Chrome Web Store credentials to publish a malicious update through the official extension channel.

The affected release was Copyfish 2.8.5. The compromise was especially visible because the extension was already trusted by users for optical character recognition workflows, so the malicious update arrived as routine browser maintenance rather than as a new install decision.

The malicious extension activity sat inside the same Proofpoint-tracked campaign as Chrometana, Web Developer, Infinity New Tab, Web Paint, and Social Fixer. The common pattern was stolen publisher access followed by ad injection, traffic redirection, and credential-theft-capable JavaScript.

This leaf record preserves the Copyfish version and Chrome Web Store distribution boundary. The campaign record carries the shared phishing domains, redirect infrastructure, and cross-extension behavior.

Motive

Financial Gain

Attribution

Group

Cause

Phishing

Transitive

No

Actor

Cybercriminal

User Impact

1500000

• domainclick.rdr11.top
• domainchromedevelopment.site
• domainlogin.chromeextensions.info
• domainchromeextensions.info
• domainwd7bdb20e4d622f6569f3e8503138c859d.win
• domainsearchtab.win
• domainredirect2.top
• domainbrowser-updates.info
• domainpartner-net.men
• urlhttp://partner-net[.]men/code/pid/973820_BNX.js?rev=133

• Chrome extension developers under a barrage of phishing attacksbleepingcomputer.com
• Chrome extension developers under attacka9t9.com
• Threat actor goes on a Chrome extension hijacking spreeproofpoint.com
• Keeping our users safeblog.cloudflare.com
• Eight Chrome Extensions Hijacked to Deliver Malicious Code to 4.8 Million Usersbleepingcomputer.com