New malware service guarantees phishing extensions on Chrome web store

Recorded: Jan. 27, 2026, 1 a.m.

Original

News

Featured
Latest

New ClickFix attacks abuse Windows App-V scripts to push malware

Microsoft patches actively exploited Office zero-day vulnerability

Nearly 800,000 Telnet servers exposed to remote attacks

Cloudflare misconfiguration behind recent BGP route leak

OpenAI's ChatGPT ad costs are on par with live NFL broadcasts

Fortinet blocks exploited FortiCloud SSO zero day until patch is ready

Chinese Mustang Panda hackers deploy infostealers via CoolClient backdoor

WinRAR path traversal flaw still exploited by numerous hackers

Tutorials

Latest
Popular

How to access the Dark Web using the Tor Browser

How to enable Kernel-mode Hardware-enforced Stack Protection in Windows 11

How to use the Windows Registry Editor

How to backup and restore the Windows Registry

How to start Windows in Safe Mode

How to remove a Trojan, Virus, Worm, or other Malware

How to show hidden files in Windows 7

How to see hidden files in Windows

Webinars
Downloads

Latest
Most Downloaded

Qualys BrowserCheck

STOPDecrypter

AuroraDecrypter

FilesLockerDecrypter

AdwCleaner

ComboFix

RKill

Junkware Removal Tool

Deals

Categories

eLearning

IT Certification Courses

Gear + Gadgets

Security

VPNs

Popular

Best VPNs

How to change IP address

Access the dark web safely

Best VPN for YouTube

Forums
More

Virus Removal Guides
Startup Database
Uninstall Database
Glossary
Send us a Tip!
Welcome Guide

HomeNewsSecurityNew malware service guarantees phishing extensions on Chrome web store

New malware service guarantees phishing extensions on Chrome web store

By Bill Toulas

January 26, 2026
06:46 PM
0

A new malware-as-a-service (MaaS) called 'Stanley' promises malicious Chrome extensions that can clear Google's review process and publish them to the Chrome Web Store.
Researchers at end-to-end data security company Varonis named the project Stanley after the alias of the seller, who advertises easy phishing attacks by intercepting navigation and covering a webpage with an iframe with content of the attacker's choice.
The new MaaS offering is for malicious Chrome extensions that can cover a webpage with a full-screen iframe containing phishing content of the attacker's choice. Stanley also advertises silent auto-installation on Chrome, Edge, and Brave browsers and support for custom tweaks.

The MaaS has multiple subscription tiers, the most expensive one being the Luxe Plan, which also offers a web panel and full support for publishing the malicious extension to the Chrome Web Store.

Stanley promoted on cybercrime portalsSource: Varonis
BleepingComputer has contacted Google to request a comment on those claims, and we will update this post when we hear back.
Varonis reports that Stanley works by overlaying a full-screen iframe with malicious content while the victim’s browser address bar remains untouched, showing the legitimate domain.

Function that generates the deceptive iframeSource: Varonis
Operators who have access to Stanley’s panel can enable or disable hijacking rules on demand, or even push notifications directly in the victim’s browser to lure them to specific pages, pushing the phishing process more aggressively.

Generating a custom notificationSource: Varonis
Stanley supports IP-based victim identification and enables geographic targeting and correlation across sessions and devices.
Moreover, the malicious extension performs persistent command-and-control (C2) polling every 10 seconds, and it can also perform backup domain rotation to provide resilience against takedowns.
Varonis comments that, from a technical perspective, Stanley lacks advanced features and instead opts for a straightforward approach to implementing well-known techniques.
Its code is reportedly “rough” at places, featuring Russian comments, empty catch blocks, and inconsistent error handling.
What really makes this new MaaS stand out is its distribution model, specifically the promise to pass the Chrome Web Store review and get malicious extensions onto the largest platform of trusted browser add-ons.
Given that such extensions continue to slip through the cracks, as recently highlighted in two separate reports by Symantec and LayerX, users should install only the minimum number of extensions they need, read user reviews, and confirm the publisher’s trustworthiness.

The 2026 CISO Budget Benchmark
It's budget season! Over 300 CISOs and security leaders have shared how they're planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
Download Now

Related Articles:
Fake ad blocker extension crashes the browser for ClickFix attacksMalicious GhostPoster browser extensions found with 840,000 installsCredential-stealing Chrome extensions target enterprise HR platformsCellik Android malware builds malicious versions from Google Play appsZoom Stealer browser extensions harvest corporate meeting intelligence

Browser Extension
Chrome extension
Google Chrome
MaaS
Malware-as-a-Service
Phishing
Stanley

Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Previous Article
Next Article

Popular Stories

Microsoft patches actively exploited Office zero-day vulnerability

Microsoft investigates Windows 11 boot failures after January updates

Microsoft releases emergency OOB update to fix Outlook freezes

Sponsor Posts

Get a free shadow AI inventory today

Discover how phishing kits are sold and deployed. Download the full research report.

Overdue a password health-check? Audit your Active Directory for free

Exposure Management Index: Insights From 3,000+ Teams. Get The Report.

Is your data already on a leak site? Monitor your exposure threats for free.

Upcoming Webinar

Main Sections

News
Webinars
VPN Buyer Guides
SysAdmin Software Guides
Downloads
Virus Removal Guides
Tutorials
Startup Database
Uninstall Database
Glossary

Community

Forums
Forum Rules
Chat

Useful Resources

Welcome Guide
Sitemap

Company

About BleepingComputer
Contact Us
Send us a Tip!
Advertising
Write for BleepingComputer
Social & Feeds
Changelog

Username

Password

Remember Me

Not a member yet? Register Now

Reporter

Help us understand the problem. What is going on with this comment?

Spam

Abusive or Harmful

Inappropriate content

Strong language

Other

Read our posting guidelinese to learn what content is prohibited.

Submitting...
SUBMIT

This BleepingComputer article details the emergence of “Stanley,” a new malware-as-a-service (MaaS) platform facilitating the creation and distribution of malicious Chrome extensions, specifically designed to bypass Google’s review process and publish directly to the Chrome Web Store. The platform, promoted through cybercrime portals, offers operators a straightforward method for generating deceptive full-screen iframes containing phishing content, while maintaining the appearance of a legitimate webpage.

Developed by Varonis, Stanley’s functionality centers on overlaying this deceptive iframe, allowing attackers to intercept navigation and cover targeted webpages. A key aspect of the service is its ability to enable on-demand hijacking rules, pushing notifications directly to victims’ browsers to aggressively lure them to malicious pages. The MaaS incorporates IP-based victim identification, geographic targeting, and supports persistent command-and-control (C2) polling with backup domain rotation for resilience against takedowns. Critically, the article highlights that Stanley’s code is described as “rough,” exhibiting elements like Russian comments, empty catch blocks, and inconsistent error handling, suggesting a relatively basic implementation of established malware techniques.

The concerning element of this MaaS is its reported ability to successfully navigate the Chrome Web Store review process, mirroring prior instances where malicious extensions have slipped through, as indicated by reports from Symantec and LayerX. Consequently, the article emphasizes the importance for users to exercise caution by limiting the number of extensions installed, carefully reviewing user reviews, and confirming the trustworthiness of the publisher. The emergence of Stanley underscores the ongoing challenges in maintaining the integrity of the Chrome Web Store and highlights the increasing sophistication of cybercriminals leveraging services like MaaS to deploy malware more effectively.