SlowMist
SlowMist|5月 11, 2026 07:06
🚨 Threat Intelligence | Analysis of a Fake TronLink Chrome Extension Phishing Campaign 🚨 SlowMist’s MistEye threat monitoring system recently detected a high-risk phishing campaign targeting #TRON wallet users. Attackers created a fake Chrome MV3 extension impersonating @TronLinkWallet, using Unicode bidirectional control characters and Cyrillic homoglyphs to spoof the brand name. Once installed, it loads a full phishing page via remote iframe — forming a “shell-core separation” credential theft chain. 🔍 Key Findings: 🔹 The extension name uses homoglyphs for disguise. Its Chrome Web Store page inherits the real extension’s high user count and positive reviews, significantly lowering review barriers. 🔹 Local code is extremely minimal — it only loads a remote page, making static analysis almost useless for detecting malice. 🔹 The remote phishing page perfectly replicates the official TronLink Web wallet UI, stealing mnemonic phrases, private keys, Keystore files, and passwords, then exfiltrating them in real time via Telegram Bot. 🔹 Built-in anti-analysis features (disables right-click, DevTools, drag-and-drop, printing) and geo/language-based redirection for Russian users to evade detection. ⚠️ This is not a simple fake extension — it employs advanced techniques like remote dynamic loading and anti-forensics, making it extremely difficult for traditional static scanners to catch. 🛡️ Immediate Actions : • Uninstall any suspicious extension (Malicious ID: ekjidonhjmneoompmjbjofpjmhklpjdd) • Official TronLink extension ID: ibnejdfjmmkpcnlpebklmnkoeoihofec • Clear localStorage and check for abnormal traffic • If credentials were entered, create a new wallet immediately and transfer assets 📖 Full technical analysis + IOCs + self-check guide here 👇 https://medium.com/@slowmist/threat-intelligence-analysis-of-a-fake-tronlink-chrome-extension-phishing-campaign-768e8c0e8fb6(SlowMist)
Mentioned
Share To

Timeline

HotFlash

APP

X

Telegram

Facebook

Reddit

CopyLink

Hot Reads