20 Oct 2022 [security]

LocalMonero discovers malicious browser extension targeting XMR users

LocalMonero1 has discovered2 a malicious browser extension disguised as Google Sheets 2.1 that was targeting XMR users on their platform:

[..] a user reported to us that the address that they specified when opening a trade wasn’t actually the address to which the coins were sent to. [..] this doesn’t work like the clipboard-replacing malware we’ve all heard about. Instead, this malware actually waits until you hit the submit button before replacing the address in a way that’s hidden from you unless it errors out.

The affected user was using the Chrome browser on a Windows machine that was infected with malware (Trojan.BitCoinMiner) undetected by a Windows Defender scan, but reported by MalwareBytes.

According to the LocalMonero team, a malicious Windows system task that was designed to run that [vbscript] file was trying to install the browser extensions on any Chromium-based browsers.

Not affected

Security tips

Read the full post2 and watch the user’s video recording3 to better understand how this type of malware operates.

This is an ongoing story and the report will be updated when new information is available.


  1. https://localmonero.co 

  2. https://libreddit.de/y8xmph  2

  3. https://matrix.agoradesk.com/_matrix/media/r0/download/agoradesk.com/MBmDdubTdHUIZVDDjQfwoudW