“not all security teams have access to it. Furthermore, solely relying on public reporting about malicious extension updates significantly increases dwell time in environments. Read more about browser threats in the 2026 Threat Detection Report. This blog details how to leverage a…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1195.002 Compromise Software Supply Chain
98%
“scripts.", "Service worker (js/worker.js) updated. Entropy: 5.17 (medium). This is 12.27% higher than the previous version of the service worker: 4.60 (medium).", "1 new domain(s) referenced", "2 new signature(s) detected."], "updated_service_wor…”
T1176 Software Extensions
97%
“Moving Up the Assemblyline: Exposing Malicious Code in Browser Extensions. Browser extensions are ubiquitous, offering users enhanced functionality and customization. However, they also represent a significant, often overlooked, attack surface. The very nature of extensions — sma…”
T1176 Software Extensions
97%
“new domain being referenced in the extension and a new or updated service worker (new-domain-new-or-updated-background-script). Importantly, this rule did raise on all five backtested real-world compromises. Therefore, depending on your organization’s tolerance…”
T1176 Software Extensions
97%
“implemented version pinning, established an extension review process of their own, or offloaded that work to an external team. References - Assemblyline as a Malware Analysis Sandbox | SANS ISC - Assemblyline 4: File Triage and Malware Analysis | GitHub - Google and Microsoft tr…”
T1176 Software Extensions
95%
“…s from the norm (e.g., increased script entropy) - newly requested permissions - new network domains (extracted by Assemblyline) - new Assemblyline service detections/signatures present in the new version but absent in the old - alerting: alerts are raised when predefin…”
T1176.001 Browser Extensions
95%
“Moving Up the Assemblyline: Exposing Malicious Code in Browser Extensions. Browser extensions are ubiquitous, offering users enhanced functionality and customization. However, they also represent a significant, often overlooked, attack surface. The very nature of extensions — sma…”
T1176.001 Browser Extensions
92%
“implemented version pinning, established an extension review process of their own, or offloaded that work to an external team. References - Assemblyline as a Malware Analysis Sandbox | SANS ISC - Assemblyline 4: File Triage and Malware Analysis | GitHub - Google and Microsoft tr…”
T1195.002 Compromise Software Supply Chain
87%
“js/worker.js) entropy increased anomalously by 12.27 percent. The update further raises red flags by adding a reference to a new domain, cyberhavenext[.]pro, and containing two new suspicious signatures: base64decoding and cookieharvesting (jsjaws.3). These combined in…”
T1195.002 Compromise Software Supply Chain
81%
“new domain being referenced in the extension and a new or updated service worker (new-domain-new-or-updated-background-script). Importantly, this rule did raise on all five backtested real-world compromises. Therefore, depending on your organization’s tolerance…”
T1195.002 Compromise Software Supply Chain
74%
“implemented version pinning, established an extension review process of their own, or offloaded that work to an external team. References - Assemblyline as a Malware Analysis Sandbox | SANS ISC - Assemblyline 4: File Triage and Malware Analysis | GitHub - Google and Microsoft tr…”
T1176.002 IDE Extensions
72%
“not all security teams have access to it. Furthermore, solely relying on public reporting about malicious extension updates significantly increases dwell time in environments. Read more about browser threats in the 2026 Threat Detection Report. This blog details how to leverage a…”
T1176.001 Browser Extensions
71%
“new domain being referenced in the extension and a new or updated service worker (new-domain-new-or-updated-background-script). Importantly, this rule did raise on all five backtested real-world compromises. Therefore, depending on your organization’s tolerance…”
T1176.002 IDE Extensions
66%
“…s from the norm (e.g., increased script entropy) - newly requested permissions - new network domains (extracted by Assemblyline) - new Assemblyline service detections/signatures present in the new version but absent in the old - alerting: alerts are raised when predefin…”
T1176.001 Browser Extensions
63%
“…s from the norm (e.g., increased script entropy) - newly requested permissions - new network domains (extracted by Assemblyline) - new Assemblyline service detections/signatures present in the new version but absent in the old - alerting: alerts are raised when predefin…”
T1176.001 Browser Extensions
63%
“not all security teams have access to it. Furthermore, solely relying on public reporting about malicious extension updates significantly increases dwell time in environments. Read more about browser threats in the 2026 Threat Detection Report. This blog details how to leverage a…”
T1204.002 Malicious File
60%
“now flag the malicious 24.10.4 version based on the known malicious C2 domain (cyberhavenext[.]pro). Our objective, however, is to assess extension updates for potentially malicious additions before they are publicly known to be malicious. Therefore, we created a custom su…”
T1195.002 Compromise Software Supply Chain
58%
“.2) showed a significant 12.7 percent increase over the previous version’s (4.6) in 24.10.2 — a clear sign of deviation from the normal writing style. Assemblyline’s Characterize service automatically calculates the entropy for every submitted file, which can be retri…”
T1072 Software Deployment Tools
56%
“new domain being referenced in the extension and a new or updated service worker (new-domain-new-or-updated-background-script). Importantly, this rule did raise on all five backtested real-world compromises. Therefore, depending on your organization’s tolerance…”
T1199 Trusted Relationship
51%
“new domain being referenced in the extension and a new or updated service worker (new-domain-new-or-updated-background-script). Importantly, this rule did raise on all five backtested real-world compromises. Therefore, depending on your organization’s tolerance…”
T1505.003 Web Shell
50%
“and lowest-noise detection rule — which looked for new domains being referenced in the extension, new Assemblyline signatures, an updated service worker, and an added or updated content script — successfully identified four of the five real-world compromises (new-domain-…”
T1176.002 IDE Extensions
47%
“Moving Up the Assemblyline: Exposing Malicious Code in Browser Extensions. Browser extensions are ubiquitous, offering users enhanced functionality and customization. However, they also represent a significant, often overlooked, attack surface. The very nature of extensions — sma…”
T1176 Software Extensions
42%
“now flag the malicious 24.10.4 version based on the known malicious C2 domain (cyberhavenext[.]pro). Our objective, however, is to assess extension updates for potentially malicious additions before they are publicly known to be malicious. Therefore, we created a custom su…”
T1176.002 IDE Extensions
40%
“implemented version pinning, established an extension review process of their own, or offloaded that work to an external team. References - Assemblyline as a Malware Analysis Sandbox | SANS ISC - Assemblyline 4: File Triage and Malware Analysis | GitHub - Google and Microsoft tr…”
T1176 Software Extensions
38%
“’s reports won’t always definitively classify a submitted file as malicious. Therefore, additional interpretation is necessary. To detect potentially malicious changes in an updated extension, we employed a multi-layered comparative analysis focusing on key indicators and re…”
Summary
How to use the open source Assemblyline tool to track browser extension updates and detect malicious code