Overview
Security researchers at multiple threat intelligence firms have identified a new information-stealing malware family that is rapidly gaining traction in underground markets. Dubbed ChromeShade by analysts at Proofpoint, who published the first detailed report on March 30, the malware specifically targets browser-stored credentials, session cookies, autofill data, and cryptocurrency wallet extensions.
ChromeShade first appeared in dark web marketplaces in early February 2026, advertised as a "next-generation stealer" with advanced evasion capabilities and broad browser support. Since its initial sale, telemetry data suggests infections have spread to an estimated 2.3 million endpoints globally, with the highest concentration in North America, Western Europe, and Southeast Asia.
The malware is sold on a subscription basis — $200 per month or $1,500 for a lifetime license — and includes a web-based management panel for operators to view and export stolen data. This low barrier to entry has attracted a large number of threat actors with varying levels of sophistication.
Distribution Methods
ChromeShade is distributed through several vectors, reflecting the diverse affiliates deploying it:
Phishing campaigns: The most common distribution method involves emails with malicious attachments — typically password-protected ZIP files containing a disguised executable. Campaigns observed in March used themes including fake invoice notifications, shipping confirmations, and tax-related documents timed with the US tax season.
Fake browser updates: Compromised websites display convincing browser update prompts that mimic Chrome, Firefox, and Edge update notifications. When users click the update button, they download a trojanized installer that deploys ChromeShade alongside a legitimate-looking (but outdated) browser update.
Malvertising: Malicious advertisements on file-sharing sites and cracked software repositories redirect users through a chain of intermediary domains before delivering the payload. The ads often promote free PDF converters, video editors, and VPN tools.
SEO poisoning: Some affiliates have invested in search engine optimization for malicious pages that rank for queries related to free software, license key generators, and technical troubleshooting guides. Users searching for these terms are directed to pages that deliver ChromeShade through seemingly helpful downloads.
Technical Capabilities
Once executed, ChromeShade performs the following actions on the infected system:
Browser Credential Theft
The malware targets all Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi) and Firefox. It extracts:
- Saved usernames and passwords from the browser's credential store
- Session cookies, enabling attackers to hijack authenticated sessions without needing passwords
- Autofill data including addresses, phone numbers, and payment cards
- Browser history and bookmarks (used to identify high-value targets)
For Chromium-based browsers on Windows, ChromeShade bypasses Chrome's encryption of stored credentials by leveraging the Windows DPAPI (Data Protection API) with the user's context. On macOS, it prompts the user for their system password through a fake Keychain Access dialog.
Cryptocurrency Wallet Theft
ChromeShade specifically targets browser extensions for popular cryptocurrency wallets, including MetaMask, Phantom, Coinbase Wallet, and Trust Wallet. It extracts wallet seed phrases, private keys, and transaction history. The malware also monitors the clipboard for cryptocurrency addresses and replaces them with attacker-controlled addresses — a technique known as clipboard hijacking.
Additional Data Collection
- System information (OS version, hardware specs, installed software)
- Screenshots captured at configurable intervals
- Files matching specific patterns (documents containing keywords like "password," "seed phrase," "recovery," and "wallet")
- Discord, Telegram, and Steam session tokens
Evasion Techniques
ChromeShade employs several techniques to avoid detection:
Fileless execution: The initial dropper downloads the main payload directly into memory using reflective DLL injection, leaving minimal artifacts on disk for static scanning tools to detect.
Anti-analysis checks: Before executing its payload, ChromeShade checks for indicators of virtual machines, sandboxes, and analysis environments. It examines hardware identifiers, running processes, screen resolution, mouse movement patterns, and recently opened files. If any analysis indicators are detected, the malware terminates silently.
Timestomping: Any files written to disk have their timestamps modified to match those of legitimate system files, making forensic timeline analysis more difficult.
Encrypted exfiltration: Stolen data is encrypted with AES-256 before being exfiltrated over HTTPS to attacker-controlled infrastructure. The command-and-control (C2) communication uses legitimate cloud services — including Discord webhooks, Telegram bot APIs, and cloud storage platforms — to blend in with normal network traffic.
Polymorphic packing: Each build of ChromeShade is packed with a unique encryption key, meaning every distributed copy has a different hash. This renders signature-based detection ineffective for new variants.
Indicators of Compromise
The following IOCs have been shared by multiple research teams. Note that ChromeShade's polymorphic nature means file hashes change frequently, so behavioral indicators are more reliable for ongoing detection.
Behavioral indicators:
- Processes attempting to read browser credential databases (Login Data, cookies.sqlite) outside of the browser process context
- Unusual DPAPI calls from non-browser processes
- PowerShell or cmd.exe spawned by processes in user temp directories
- Outbound connections to Discord webhook URLs or Telegram bot APIs from non-messaging applications
- Registry modifications to disable Windows Defender real-time protection
Network indicators:
- Connections to domains matching the pattern [random].workers.dev; ChromeShade uses Cloudflare Workers as C2 proxies
- High-volume encrypted uploads to cloud storage APIs from processes that don't normally interact with those services
- DNS queries to recently registered domains with high entropy names
File system indicators:
- Executables in %APPDATA%\Local\Temp with names mimicking legitimate Windows services
- Scheduled tasks created for persistence with descriptions matching common Windows tasks
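The behavioral, network and file system indicators above are easier to reason about as concrete detection rules run over endpoint telemetry. The following script is an added example, not code from the page or from any of the research teams it cites: it evaluates those indicators against a handful of constructed EDR-style JSON events. The event schema (`type`, `proc`, `path`, `api`, `parent`, `url`, `host`, `key`/`value`/`data`), the process and hostname values, the Discord webhook placeholder, the entropy threshold of 3.5 bits over labels of 12 or more characters, and the list of imitated service names are all assumptions made for the example; the real IoCs published for ChromeShade are not reproduced here.

```python
import json
import math
import re
from collections import Counter

# Constructed sample telemetry for this example: one JSON event per line, loosely
# modelled on the process, file, API, network, DNS and registry events an EDR
# agent emits. Every hostname, path, URL and process name here is made up; none
# is a published ChromeShade indicator.
SAMPLE_EVENTS = r"""
{"type":"file_write","proc":"invoice_setup.exe","path":"C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"}
{"type":"file_read","proc":"chrome.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"file_read","proc":"svchost.exe","path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"file_read","proc":"svchost.exe","path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\cookies.sqlite"}
{"type":"api_call","proc":"svchost.exe","api":"CryptUnprotectData"}
{"type":"api_call","proc":"msedge.exe","api":"CryptUnprotectData"}
{"type":"process_create","proc":"powershell.exe","parent":"C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"}
{"type":"process_create","proc":"powershell.exe","parent":"C:\\Windows\\explorer.exe"}
{"type":"network","proc":"svchost.exe","url":"https://discord.com/api/webhooks/0000/PLACEHOLDER"}
{"type":"network","proc":"Discord.exe","url":"https://discord.com/api/webhooks/0000/PLACEHOLDER"}
{"type":"dns","proc":"svchost.exe","host":"a1b2c3d4.workers.dev"}
{"type":"dns","proc":"svchost.exe","host":"xk9q2mz7vb4hw3pr.example"}
{"type":"dns","proc":"chrome.exe","host":"update.microsoft.com"}
{"type":"registry","proc":"svchost.exe","key":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection","value":"DisableRealtimeMonitoring","data":1}
"""

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "firefox.exe"}
MESSAGING_APPS = {"Discord.exe", "Telegram.exe"}
# Credential stores named on the page plus Chromium's cookie and autofill databases.
CREDENTIAL_DBS = {"login data", "cookies", "web data", "cookies.sqlite"}
# Assumed list of legitimate Windows service names a dropped executable might imitate.
SERVICE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "spoolsv.exe"}
WEBHOOK_RE = re.compile(r"https://(discord\.com/api/webhooks/|api\.telegram\.org/bot)")


def shannon_entropy(s):
    """Bits of entropy per character; 16 distinct characters score exactly 4.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def in_temp(path):
    return "\\temp\\" in path.lower()


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events_text):
    """Return (rule, subject) pairs for every event that matches one of the indicators."""
    hits = []
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        kind, proc = ev["type"], ev.get("proc", "")
        if kind == "file_write" and in_temp(ev["path"]) and basename(ev["path"]) in SERVICE_NAMES:
            hits.append(("service_named_exe_in_temp", ev["path"]))
        elif kind == "file_read" and basename(ev["path"]) in CREDENTIAL_DBS and proc not in BROWSERS:
            hits.append(("credential_db_read_outside_browser", proc))
        elif kind == "api_call" and ev["api"] == "CryptUnprotectData" and proc not in BROWSERS:
            hits.append(("dpapi_unprotect_outside_browser", proc))
        elif kind == "process_create" and proc in {"powershell.exe", "cmd.exe"} and in_temp(ev["parent"]):
            hits.append(("shell_spawned_from_temp", ev["parent"]))
        elif kind == "network" and WEBHOOK_RE.match(ev["url"]) and proc not in MESSAGING_APPS:
            hits.append(("webhook_from_non_messaging_app", proc))
        elif kind == "dns":
            host = ev["host"].lower()
            if host.endswith(".workers.dev"):
                hits.append(("workers_dev_c2_proxy", host))
            # Long, high-entropy labels (TLD excluded) are the "high entropy names" indicator.
            elif any(len(lbl) >= 12 and shannon_entropy(lbl) >= 3.5 for lbl in host.split(".")[:-1]):
                hits.append(("high_entropy_dns_label", host))
        elif kind == "registry" and ev.get("value") == "DisableRealtimeMonitoring" and ev.get("data") == 1:
            hits.append(("defender_realtime_protection_disabled", proc))
    return hits


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule:40s} {subject}")
```

Run against the sample, the script fires nine times, all on the non-browser and non-messaging processes, and stays silent on Chrome reading its own Login Data, Edge calling DPAPI, Discord posting to its own webhook, and the Microsoft update lookup. In production the DPAPI rule is the noisy one: plenty of legitimate Windows components call CryptUnprotectData, so it needs an allowlist built from a baseline rather than the short browser set used here, and the workers.dev rule should be scoped the same way if the organization has its own Cloudflare Workers.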
Prevention and Remediation
Organizations and individuals can take the following steps to protect against ChromeShade and similar infostealers:
- Stop saving passwords in browsers. Use a dedicated password manager instead. Browser credential stores are the primary target for every infostealer family.
- Enable hardware-based MFA. Even if credentials are stolen, phishing-resistant MFA (FIDO2 keys) prevents attackers from using them to access accounts.
- Deploy endpoint detection and response (EDR). EDR solutions with behavioral detection capabilities can identify ChromeShade's credential access patterns even when the malware itself is previously unseen.
- Restrict PowerShell and script execution. Application control policies that limit which processes can execute scripts reduce the effectiveness of ChromeShade's fileless execution chain.
- Educate users about fake updates. Training that specifically addresses fake browser update pages — one of the most effective delivery mechanisms — can significantly reduce infection rates.
- Monitor for credential exposure. Services that monitor dark web marketplaces for stolen credentials can provide early warning that an organization has been compromised.
If a ChromeShade infection is confirmed, assume all browser-stored credentials are compromised. Reset passwords for all accounts that had credentials saved in any browser on the affected system, revoke active sessions, and rotate any API keys or tokens that may have been stored in browser profiles.
"Infostealers have become the on-ramp for more severe compromises. A single stolen session cookie can bypass MFA and give an attacker full access to corporate cloud environments. Organizations must treat infostealer infections as seriously as they would any other network intrusion."