EXECUTIVE SUMMARY
A financially motivated threat group is currently targeting Italian organizations with a phishing campaign that delivers a unique type of backdoor. By weaponizing a legitimate browser feature, the attackers bypass standard security boundaries to establish persistent control over infected systems. The primary objective involves stealing sensitive browser data, such as authentication cookies, and executing arbitrary commands on the underlying operating system. This campaign specifically focuses on sectors that frequently handle invoice documents, using social engineering to trick users into initiating the infection chain.
The attack begins when a victim opens a malicious JavaScript file disguised as a PDF invoice. This script uses a signed application to load a malicious library through a side-loading technique, which then deploys a hidden PowerShell component. The malware modifies browser policies to install a malicious Chrome extension and registers a Native Messaging Host. This bridge allows the extension to escape the browser sandbox and request PowerShell commands directly on the Windows system. Communication with the command-and-control server occurs via standard HTTPS traffic, blending in with normal network activity.
This threat is particularly dangerous because it combines legitimate system tools to evade detection, making traditional antivirus solutions less effective. The use of signed binaries and trusted browser mechanisms allows the malware to operate without raising immediate alerts. Organizations should inspect browser policy settings for unauthorized modifications and monitor for unusual process relationships involving the C# compiler or hidden PowerShell instances. Defenders must also verify Native Messaging registry entries and ensure that only approved extensions are installed. Effective response requires removing both the browser extension and the underlying host component.
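As an added example, not code from the page or the referenced reports, the following PowerShell audit enumerates Native Messaging Host registrations and force-installed extension policies for Chrome and Edge and flags anything absent from a local allowlist. The allowlist contents are placeholders, and the assumption that the policy modification uses ExtensionInstallForcelist is mine; the page does not name the policy key.

```powershell
# Audit script (added example, not from the original report). Lists Native Messaging
# Hosts and force-installed extensions, marking entries that are not on the allowlists.
# ASSUMPTION: the two allowlists below are placeholders; fill them with approved values.
$ApprovedHosts      = @('com.example.approved_host')       # placeholder host name
$ApprovedExtensions = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')  # placeholder 32-char extension ID

$NmhKeys = @(
  'HKCU:\Software\Google\Chrome\NativeMessagingHosts',
  'HKLM:\Software\Google\Chrome\NativeMessagingHosts',
  'HKCU:\Software\Microsoft\Edge\NativeMessagingHosts',
  'HKLM:\Software\Microsoft\Edge\NativeMessagingHosts'
)
$PolicyKeys = @(   # ASSUMPTION: force-install policy is how the extension is pushed
  'HKLM:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
  'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist',
  'HKLM:\Software\Policies\Microsoft\Edge\ExtensionInstallForcelist'
)
# Host binaries that are script interpreters or live under a user profile deserve a look.
$SuspectBinary = '(?i)(powershell|pwsh|cmd\.exe|wscript|cscript|\\Users\\|\\Temp\\)'

function Get-NativeMessagingHosts {
  foreach ($key in $NmhKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
      $manifestPath = $sub.GetValue('')          # default value = path to manifest JSON
      $manifest = $null
      if ($manifestPath -and (Test-Path $manifestPath)) {
        $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
      }
      [pscustomobject]@{
        Hive           = $key
        HostName       = $sub.PSChildName
        ManifestPath   = $manifestPath
        HostBinary     = $manifest.path           # executable the extension can reach
        AllowedOrigins = ($manifest.allowed_origins -join ',')
        Approved       = [bool]($ApprovedHosts -contains $sub.PSChildName)
        SuspectBinary  = [bool]("$($manifest.path)" -match $SuspectBinary)
      }
    }
  }
}

function Get-ForcedExtensions {
  foreach ($key in $PolicyKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' })) {
      $id = ($p.Value -split ';')[0]              # value format: "<extension id>;<update url>"
      [pscustomobject]@{ Policy = $key; ExtensionId = $id; Approved = [bool]($ApprovedExtensions -contains $id) }
    }
  }
}

Get-NativeMessagingHosts | Where-Object { -not $_.Approved -or $_.SuspectBinary } | Format-Table -AutoSize
Get-ForcedExtensions     | Where-Object { -not $_.Approved } | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM hives are readable; any unapproved host or extension it prints is a candidate for the removal step described above.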
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1574.002 | Hijack Execution Flow | DLL Side-Loading |
| Defense Evasion | T1112 | Modify Registry | — |
| Defense Evasion | T1607 | Compile After Delivery | — |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1083 | File and Directory Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol | Exfiltration Over Unencrypted Non-C2 Protocol |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/malicious-chrome-extension-uses-native-messaging-host/
https://www.d3lab.net/breaking-out-of-chromes-sandbox-a-native-messaging-backdoor-observed-in-italy/