Connect with us

Hi, what are you looking for?



Chinese Threat Actor Uses Browser Extension to Hack Gmail Accounts

In early 2021, a Chinese threat actor tracked as TA413 attempted to hack into the Gmail accounts of Tibetan organizations using a malicious browser extension, researchers with cybersecurity firm Proofpoint have discovered.

In early 2021, a Chinese threat actor tracked as TA413 attempted to hack into the Gmail accounts of Tibetan organizations using a malicious browser extension, researchers with cybersecurity firm Proofpoint have discovered.

Active for roughly a decade, the hacking group has been previously associated with malware such as LuckyCat and ExileRAT, and is believed to have orchestrated numerous cyber-assaults targeting the Tibetan community.

In January and February 2021, the group was observed delivering the FriarFox extension, customized to specifically target the Firefox browser and provide attackers with access to and control of victims’ Gmail accounts. The Scanbox and Sepulcher malware families, both already attributed to the adversary, were also used in these attacks.

A phishing email used in a January attack, Proofpoint reveals, contained a link leading to a fake Adobe Flash Player update-themed page designed to run JavaScript code on the victim’s system. The code would deliver the FriarFox malicious extension, but only if Firefox was used to open the link.

Once the extension was installed, the attackers gained full access to the victim’s Gmail account, being able to search emails, archive messages, read emails, receive notifications, label emails, mark messages as spam, delete emails, refresh the inbox, forward emails, modify alerts in the browser, delete emails from the Trash folder, and send emails.

FriarFox, which appears to be a heavily altered version of the open source browser extension Gmail Notifier, also allows the adversary to access user data for all websites, read and change privacy settings, display notifications, and access the tabs opened in the browser.

As part of the attack, the Scanbox reconnaissance framework – which is known to have been used by other Chinese threat actors and even the Vietnam-linked OceanLotus – was also leveraged.

Analysis of FriarFox code has allowed Proofpoint to link the extension to known TA413 activity, while the employed infrastructure has revealed targeting of Tibetan organizations since early January 2021. Malicious files used in the attacks were created using the Royal Road tool, which is also known to be shared between Chinese APTs.

Advertisement. Scroll to continue reading.

“The introduction of the FriarFox browser extension in TA413’s arsenal further diversifies a varied, albeit technically limited repertoire of tooling. The use of browser extensions to target the private Gmail accounts of users combined with the delivery of Scanbox malware demonstrates the malleability of TA413 when targeting dissident communities,” Proofpoint concludes.

Related: Chinese Hackers Target Europe, Tibetans With ‘Sepulcher’ Malware

Related: POISON CARP Threat Actor Targets Tibetan Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.