A sophisticated new red team tool called RedExt has recently been released, combining a Manifest V3 Chrome extension with a Flask-based Command and Control (C2) server to create a powerful framework for authorized security operations.
This innovative tool enables comprehensive browser data collection and analysis through a modern dark-themed dashboard interface.
RedExt operates as a beacon-based system that executes tasks assigned by the C2 server.
The framework includes multiple data collection modules that can extract sensitive browser information, including cookies, browsing history, screenshots, clipboard contents, DOM structures, local storage data, and detailed system information.
RedExt, developed by security researcher ShadowByte, can operate entirely within the browser context, leveraging Chrome’s extensive API capabilities while maintaining a persistent connection to its command infrastructure.
The framework’s architecture consists of two main components: a Chrome extension built on Manifest V3 and a Python Flask server with SQLite database backend.
This combination allows for efficient task assignment, data collection, and centralized analysis.
Security professionals can deploy RedExt by first setting up the C2 server with a few simple commands:
The Chrome extension can then be configured by editing the C2 server address in the background.js file:
Deployment options include GUI-based installation through Chrome’s extension management page or command-line installation:
Once deployed, RedExt establishes a connection between the extension (agent) and the C2 server. Security professionals can manage agents, assign tasks, and analyze collected data from the operator dashboard.
The task execution system supports multiple operation types:
While RedExt demonstrates how much sensitive data a browser extension can reach, it is explicitly designed for authorized red team operations and security research. The GitHub repository emphasizes: “This tool is designed for authorized operations only.”
Security experts note that tools like RedExt highlight the importance of proper extension vetting and browser security policies.
Organizations should review their browser security controls and consider implementing extension whitelisting to mitigate similar threats.
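As an added defender-side example (not part of this article or of the RedExt project), the following Python script supports the extension review recommended above: it scores a Chrome extension manifest by whether it requests the permission set implied by the data collection modules listed earlier (cookies, history, clipboard, tabs, storage, DOM access) together with broad host access and a persistent background worker. The permission-to-risk mapping, the scoring thresholds and the sample manifest are constructed for illustration; the profile path in the comment is the usual Chrome location on Windows.

```python
import json
from pathlib import Path

# Constructed mapping from Chrome permission names to the data categories an
# extension could collect with them. Adjust to your own risk model.
SENSITIVE_PERMISSIONS = {
    "cookies": "cookie theft",
    "history": "browsing history",
    "clipboardRead": "clipboard capture",
    "tabs": "tab enumeration / screenshot access",
    "webNavigation": "page tracking",
    "scripting": "DOM access on visited pages",
    "storage": "local persistence of tasking and results",
}

def _broad_host(pattern: str) -> bool:
    """True for match patterns that cover every site, e.g. <all_urls> or https://*/*."""
    return pattern == "<all_urls>" or pattern.split("://", 1)[-1].startswith("*/")

def assess_manifest(manifest: dict) -> dict:
    """Score one manifest.json; 'review' flags extensions worth a manual look."""
    perms = set(manifest.get("permissions", []))
    host_perms = set(manifest.get("host_permissions", []))
    if manifest.get("manifest_version") == 2:
        # Manifest V2 mixes host patterns into "permissions"
        host_perms |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = [f"{p}: {why}" for p, why in SENSITIVE_PERMISSIONS.items() if p in perms]
    broad = any(_broad_host(h) for h in host_perms)
    if broad:
        findings.append("host_permissions: can read every site")
    background = manifest.get("background", {})
    # MV3 uses a service worker, MV2 background scripts; both allow a beacon loop
    persistent = "service_worker" in background or "scripts" in background
    score = len(findings) + (2 if broad else 0) + (1 if persistent else 0)
    return {"name": manifest.get("name", "?"), "score": score,
            "findings": findings, "review": score >= 4}

def audit_extension_dir(root: Path) -> list:
    """Assess every manifest.json under a profile's Extensions directory,
    e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions."""
    return [assess_manifest(json.loads(m.read_text(encoding="utf-8")))
            for m in sorted(root.rglob("manifest.json"))]

# Constructed sample manifest resembling a collector extension (not RedExt's own).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Collector",
    "permissions": ["cookies", "history", "clipboardRead", "tabs", "storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
}

if __name__ == "__main__":
    print(json.dumps(assess_manifest(SAMPLE_MANIFEST), indent=2))
```

Run `audit_extension_dir(Path(...))` against a copied profile directory during triage; anything with `review` set deserves a look at its background script and the hosts it talks to.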
RedExt is publicly available on GitHub with comprehensive documentation including installation guides, usage instructions, and technical details.
As browser-based attack vectors continue to evolve, tools like RedExt provide valuable insights for both offensive security professionals and defenders seeking to understand and mitigate emerging threats in the browser landscape.