Rilide is advanced malware targeting Chromium browsers, using malicious browser extensions to control user behavior and steal sensitive data
Unlike traditional web injections, Rilide leverages browser extensions for persistent, background access to browser-wide resources, bypassing same-origin and page lifecycle restrictions
Rilide exploits both content script and background service worker contexts, making detection harder and increasing persistence
The extension’s manifest requests powerful permissions (scripting, cookies, webRequest, clipboard, activeTab, host_permissions) to enable broad access and manipulation
Rilide removes Content Security Policy (CSP) headers via manifest rules, allowing unrestricted script injection and inline content manipulation
The background service worker script collects device info, installed extensions, and all cookies, communicates with the C2 server, and manages proxy and command execution
Dynamic C2 communication: Rilide retrieves C2 domains from a Telegram bot, enabling rapid domain changes to evade blocking
Handles attacker commands from the C2 server, such as enabling extensions, taking screenshots, retrieving cookies/history, and opening URLs
Content scripts steal input data, inject malicious code, and manipulate Gmail 2FA emails to hide cryptocurrency theft by altering withdrawal notifications
Rilide can turn the victim’s browser into an HTTP proxy, allowing attackers to hijack authenticated sessions for financial fraud or unauthorized transactions
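The permission set and CSP-stripping rule described above are visible in the extension package itself, so a triage script over manifest.json and its declarativeNetRequest rule file can surface them before any runtime analysis. The following is an added example written for this summary, not code from the Rilide sample or any vendor tool; the manifest and rule set it parses are constructed to resemble a Manifest V3 extension with the traits listed above, and the permission list it treats as high-risk is the author's own choice.

```python
import json
# Constructed sample manifest and rule set, shaped like an MV3 extension; NOT a real Rilide artifact.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Sample Extension",
    "permissions": ["scripting", "cookies", "webRequest", "clipboardRead",
                    "activeTab", "declarativeNetRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "declarative_net_request": {"rule_resources": [
        {"id": "ruleset_1", "enabled": True, "path": "rules.json"}]},
})
SAMPLE_RULES = json.dumps([{
    "id": 1, "priority": 1,
    "action": {"type": "modifyHeaders", "responseHeaders": [
        {"header": "content-security-policy", "operation": "remove"}]},
    "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]},
}])
# Permissions that give an extension browser-wide reach of the kind described above (assumed list).
HIGH_RISK_PERMISSIONS = {"scripting", "cookies", "webRequest", "webRequestBlocking", "clipboardRead",
                         "clipboardWrite", "activeTab", "tabs", "history", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def csp_stripping_rules(rules):
    """Return ids of declarativeNetRequest rules that strip the CSP response header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") == "modifyHeaders":
            for hdr in action.get("responseHeaders", []):
                if (hdr.get("operation") == "remove"
                        and hdr.get("header", "").lower() == "content-security-policy"):
                    hits.append(rule.get("id"))
    return hits

def triage_extension(manifest_json, rules_json):
    """Flag the manifest traits the summary describes; returns a dict of findings."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))  # content-script match patterns count as reach too
    return {
        "risky_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        "broad_host_access": bool(hosts & BROAD_HOSTS),
        "has_service_worker": "service_worker" in manifest.get("background", {}),
        "csp_removal_rule_ids": csp_stripping_rules(json.loads(rules_json)),
    }
```

Point it at an unpacked extension directory by reading manifest.json and each file listed under declarative_net_request.rule_resources; a non-empty csp_removal_rule_ids together with broad host access and several risky permissions is the combination worth escalating.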