51/69 Tuesday, January 27, 2026
Researchers from Varonis have identified a new Malware-as-a-Service (MaaS) toolkit named Stanley, which is being advertised for sale on cybercrime forums for approximately USD 2,000–6,000. A key feature of Stanley is its ability to create malicious Chrome extensions that can reportedly pass Google’s review process and be published on the Chrome Web Store, significantly lowering distribution barriers and increasing the likelihood that users who trust official stores will become victims.
Stanley’s attack mechanism relies on website spoofing techniques. Once a victim installs a malicious extension-such as a seemingly legitimate note-taking extension called Notely-the extension requests permission to access website data. When the victim visits a targeted website, the attacker can trigger a full-screen iframe that overlays a phishing page on top of the legitimate site. Critically, the URL in the browser’s address bar remains unchanged, continuing to display the real domain (e.g., binance[.]com), making it extremely difficult for users to recognize the deception. Attackers can also abuse browser notifications to lure victims back to phishing pages.
Stanley also includes a management panel that allows attackers to monitor victim activity using IP addresses as identifiers and configure targeted URL hijacking rules. Due to the stealthy nature of this technique and its relatively affordable pricing, malicious extensions may remain undetected for extended periods while harvesting sensitive data. Users are therefore strongly advised to carefully review extension permissions, even for extensions installed from official app stores.
Source https://www.securityweek.com/stanley-malware-toolkit-enables-phishing-via-website-spoofing/
