Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
India Bans Apps Used to Remotely Disable E-Rickshaws
July 3, 2026
The Future of Encryption: Top Post-Quantum Cryptography Solutions for 2026
July 3, 2026
Alibaba Bans Internal Use of Claude AI Over Backdoor Concerns
July 3, 2026
Home/Threats/New Malware Toolkit Sends Users to Malicious Websites While the URL Stays the Same
Threats

New Malware Toolkit Sends Users to Malicious Websites While the URL Stays the Same

Browser attacks have grown considerably more dangerous and organized. A new threat called Stanley, uncovered in January 2026, highlights the severity of this evolving landscape. This...

Jennifer sherman
Jennifer sherman
January 26, 2026 3 Min Read
36 0

Browser attacks have grown considerably more dangerous and organized. A new threat called Stanley, uncovered in January 2026, highlights the severity of this evolving landscape.

This malware-as-a-service toolkit, priced between $2,000 and $6,000, does something particularly deceptive: it displays fake websites to users while the URL bar keeps showing the legitimate address.

It’s designed to steal login credentials and financial information by tricking people into thinking they’re visiting real websites.

Stanley first appeared on January 12, 2026, on Russian-language cybercrime forums under the seller’s alias “Стэнли.”

What makes this toolkit especially concerning is that the seller promises guaranteed publication on the Chrome Web Store, meaning the malicious extension can be downloaded directly from Google’s official store.

The toolkit disguises itself as “Notely,” a notes and bookmarks application, giving it legitimate cover while performing website spoofing attacks.

The ‘Stanley’ marketplace listing on a Russian cybercrime forum (Source – Varonis)

Varonis researchers noted and identified the toolkit after analyzing its technical capabilities and distribution methods.

The security team discovered that Stanley functions through a web-based control panel where attackers select individual victims and configure website hijacking rules.

Once a target is chosen, operators set up a source URL (the legitimate site to hijack) and a target URL (the attacker’s phishing page).

Stanley's pricing, with the top-tier guaranteeing Chrome Web Store publication (Source - Varonis)
Stanley’s pricing, with the top-tier guaranteeing Chrome Web Store publication (Source – Varonis)

The extension then intercepts when the victim visits the real website and overlays a full-screen iframe containing the fake version, all while the browser’s address bar displays the legitimate domain.

How Stanley Infects and Controls Victims

The infection mechanism relies on browser extension permissions that grant near-complete control over user browsing activity.

Once installed, Stanley’s code runs at the earliest possible moment during page loading, before any legitimate content appears.

The extension uses the victim’s IP address as a unique identifier, enabling attackers to target specific people and even correlate users across multiple browsers and devices.

Every ten seconds, the extension communicates with the attacker’s command and control server to receive updated hijacking instructions.

Stanley implements backup domain rotation to ensure survival even when authorities take down the primary server.

This means the extension automatically cycles through fallback domains to maintain operational control.

The toolkit has already compromised thousands of users, with the command and control panel displaying victim IP addresses, online status, and last activity timestamps.

Enterprises should consider strict extension allowlisting policies, while individual users need to reduce their installed extensions and scrutinize permission requests carefully.

The deeper problem remains that browser extension marketplaces approve extensions once and allow updates anytime, meaning malicious updates can slip through after initial review.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwarephishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Lazarus Hackers Actively Attacking European Drone Manufacturing Companies

Next Post

800K+ GNU InetUtils telnetd Instances Exposed to RCE Attacks – PoC Released

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AI Poisoning Attack Abuses SEO and Hidden HTML to Trick AI Agents
July 3, 2026
Nebula AI Platform Automates Pen Testing to Find Vulnerabilities
July 3, 2026
PureLog Stealer Uses Blogspot and PowerShell to Deliver Malware
July 3, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us