Mastering Modern Red Teaming Infrastructure — Part 8: Simulating APT Infostealer via Stealthy Browser Extension for Cookie Exfiltration (Telegram, Discord & Google Forms)
In this part of the “Mastering Modern Red Teaming Infrastructure” series, we walk through the design and deployment of a stealthy Chrome extension built for red team simulations. The extension silently collects session data such as every cookie saved in the browser profile (including Azure AD session cookies), clipboard contents, and a device fingerprint, and exfiltrates it to Telegram, Discord, or Google Forms while keeping a low profile.
Disclaimer: This is meant for educational and simulation purposes only.
Table of Contents
1. VirusTotal AV Bypass Verification
2. Red Team Extension Design & Features
- Cookie Exfiltration
- Clipboard Data Capture
- Device Fingerprinting
- Tab Monitoring
- Stealthy OPSEC Measures
- Extension Persistence
3. Building the Malicious Chrome Extension: POC Code
4. Setup Exfiltration Channels
- Telegram Bot Setup
- Discord Webhook Setup
- Google Form Setup
5. Hijacking Sessions Using Stolen Cookies (Manual or Automated)
6. Real-World APT Reference
7. Final Thoughts
1. VirusTotal AV Bypass Verification
To test how the extension fares against signature-based scanning, we packed it and submitted the package to VirusTotal. At the time of submission none of the 61 antivirus (AV) engines flagged it as malicious. This is not surprising: the package is plain JavaScript that calls documented Chrome APIs and sends HTTPS requests to legitimate services, so there is no byte pattern for a static signature to match.
VirusTotal Scan Results:
No AV engine detected the extension as malicious.
The result is consistent with the OPSEC measures described below:
✅ No static signatures matching known threats
✅ Randomized beacon intervals, so there is no fixed request cadence to fingerprint
✅ Exfiltration over HTTPS to Telegram, Discord, and Google endpoints, which blends with ordinary SaaS traffic
✅ Quiet background execution with no console output or obviously suspicious behavior
The takeaway for blue teams is that a clean VirusTotal result says nothing about runtime behavior: static AV scanning of extension packages is a weak control against this class of threat, and defenses need to come from extension policy and browser or endpoint telemetry instead.

2. Red Team Extension Design & Features
2.1 Cookie Exfiltration
Captures every cookie the browser has saved, across all domains, not just Azure-related ones. With the cookies permission plus <all_urls> host permissions, a single chrome.cookies.getAll({}) call returns the whole cookie store. Cookies are serialized as structured JSON so they can be imported later with a cookie-editor extension or an automation framework.
Sample structure:
[
{
"domain": ".example.com",
"name": "sessionid",
"value": "abc123",
"path": "/",
"httpOnly": true,
"secure": true
},
...
]
2.2 Clipboard Data Capture
Reads the clipboard to capture sensitive copied text such as passwords, tokens, and one-time codes.
⚠️ Clipboard access is not available from the MV3 background service worker, which has no document and no focused window; navigator.clipboard.readText() only works from a focused page context. In practice, capturing clipboard content reliably requires injecting into a tab (a content script) or using an offscreen document, and behavior varies with the Chromium version.
2.3 Device Fingerprinting
Captures:
- User agent
- Screen resolution
- Platform
- Timezone
- Language
2.4 Tab Monitoring
Watches for tab focus or changes and logs tab titles and URLs for behavior profiling.
2.5 Stealthy OPSEC Measures
- No console logs (service worker output is visible to anyone who opens the worker inspector at chrome://extensions)
- All fetches are async and fail silently, so a blocked channel never surfaces an error
- Randomized intervals between beacons, so there is no fixed cadence to fingerprint
- Exfiltration rides on HTTPS to Telegram, Discord, and Google, so it blends with ordinary SaaS traffic instead of standing out to network monitoring
2.6 Extension Persistence
The extension registers an MV3 background service worker in the manifest, so Chrome starts it again after a browser restart as soon as one of its events fires. Note that MV3 service workers are event-driven and are terminated after roughly 30 seconds of inactivity; a plain setInterval dies with the worker, so recurring collection has to be re-armed through chrome.alarms (which needs the alarms permission) or from event handlers.
In the lab, the extension is also force-installed through Chrome's ExtensionInstallForcelist enterprise policy, so it is reinstalled automatically if a user removes it. This simulates a compromised endpoint where the attacker already controls machine policy; it is not something the extension can do on its own.
3. Building the Malicious Chrome Extension: POC Code
The core functionality is divided into background, content, and utility scripts. Below is a simplified outline of the payload structure.
manifest.json
{
"manifest_version": 3,
"name": "Authorized Red Team Extension - Advanced APT Simulation",
"version": "3.0",
"description": "Chrome extension for red team simulation in an isolated lab with full authorization.",
"permissions": [
"cookies",
"history",
"tabs",
"clipboardRead",
"storage"
],
"host_permissions": [
"<all_urls>"
],
"background": {
"service_worker": "background.js"
},
"action": {
"default_title": "Diagnostics"
}
}
background.js: the core logic is published on my GitHub.

Load the Extension
1. Open Chrome and navigate to:
chrome://extensions/
2. Enable Developer Mode.
3. Click “Load Unpacked”.
4. Select the Infostealer-Extension folder.
The extension then runs silently in the background, collects session cookies and the other data described above, and exfiltrates it over the configured channels.


4. Setup Exfiltration Channels
4.1 Telegram Bot Setup
To set up Telegram exfiltration:
1. Open Telegram and start a chat with @BotFather.
2. Create a new bot with /newbot and copy the BOT_TOKEN it returns.
3. Send any message to your new bot.
4. Visit https://api.telegram.org/bot<YOUR_BOT_TOKEN>/getUpdates and copy the chat.id from the message object in the response.
The bot token is a bearer credential: anyone who extracts it from the unpacked extension can read everything the extension exfiltrates, so treat the extension source as sensitive during an engagement.
4.2 Discord Webhook Setup
1. Open a Discord server you control.
2. Go to Channel Settings > Integrations > Webhooks.
3. Create a webhook and copy the full URL: https://discord.com/api/webhooks/WEBHOOK_ID/WEBHOOK_TOKEN
4.3 Google Form Setup
1. Create a Google Form with a paragraph field for the cookie data.
2. Open the form preview, inspect the input, and copy its entry.<id> name. Submissions are POSTed to the form's formResponse endpoint:
const GOOGLE_FORM_URL = "https://docs.google.com/forms/d/e/.../formResponse";
const FORM_COOKIE_FIELD = "entry.717920838";
5. Hijacking Sessions Using Stolen Cookies (Manual or Automated)
You can use the exfiltrated cookies by importing them with browser tools such as:
- EditThisCookie
- Cookie-Editor
- Burp Suite for replaying API calls
Automation Tip: Use Puppeteer (page.setCookie(...cookies)) or Playwright (context.addCookies(cookies)) to load the exfiltrated cookies into a fresh browser context and automate session hijacking in simulations.
6. Real-World APT Reference
This simulation draws on tactics that public reporting attributes to:
- APT29 (Cozy Bear): credential, cookie, and token theft from browsers for cloud account takeover.
- APT40: targeted cookie and session hijacking in cloud environments.
- UNC2452 (the SolarWinds intrusion cluster, which Mandiant later merged into APT29): advanced OPSEC and stealthy data exfiltration.
7. Final Thoughts
This simulation highlights the risk posed by browser extensions, particularly those with cookie access. A replayed session cookie sidesteps MFA because the authentication it represents has already happened, which is enough for full access to critical applications and cloud accounts.
Red team takeaways
🔥 Can be used for targeted session hijacking in phishing campaigns
🔥 Ideal for USB-drop or insider threat simulations
🔥 Demonstrates that browser extensions remain a major attack vector
Blue team defenses:
🔹 Enforce strict extension allowlists through browser policy, and review the permissions of anything already installed (cookies combined with broad host permissions is the combination to look for)
🔹 Monitor for cookie exfiltration, for example extension-originated traffic to Telegram, Discord, or Google Forms endpoints that the organization does not use
🔹 Detect sign-ins from unusual geographies and device fingerprints, and treat a session cookie used from a new device as a reason to revoke it
Next: Deeper Into The Shadows
In the next part, we push further into 2FA bypasses, credential theft, and social engineering, covering:
🔹 Browser-in-the-Browser (BitB) illusions
🔹 Click-Fix exploits
🔹 Captcha Copy-Paste traps
Stay tuned for Part 9.
If you find this blog useful, don’t forget to hit the clap button and follow the blog.
Certifications:
OSCE3, CRTL, CRTO, OSCP, OSEP, OSWE, OSED, eMAPT, and others
Follow me on LinkedIn & Twitter (X) to stay updated.
Bye Bye, Take Care.