Stanley Malware-as-a-Service: Malicious Browser Extensions Bypassing Store Security

CyberSecureFox 🦊

A newly identified malware-as-a-service (MaaS) platform called Stanley is offering cybercriminals ready-made malicious browser extensions with a promise that they will pass moderation and be published in the official Chrome Web Store. This model dramatically increases the potential scale of compromise by turning trusted extension ecosystems into delivery channels for phishing and data theft.

New Stanley MaaS Targets Chrome, Edge and Brave Users

According to research by Varonis, Stanley is advertised on underground forums by a seller using the nickname “Stanley,” from which the platform takes its name. Unlike traditional exploit kits or phishing toolkits, Stanley is purpose-built for malicious browser extensions targeting Chrome, Microsoft Edge and Brave.

This focus aligns with a broader trend in cybercrime. Browser extensions are increasingly attractive to attackers because they run inside a highly trusted application, often with broad permissions to access web content, cookies, and credentials. Industry reports over recent years show that Google has removed thousands of extensions for violating security policies, underscoring how frequently this vector is abused.

How Stanley’s Malicious Browser Extensions Hijack User Sessions

Fullscreen iframe Overlays That Preserve the Legitimate URL

Stanley’s standout technique is intercepting the victim’s navigation and covering a real website with a fullscreen iframe. When the victim visits a legitimate site, for example an online banking portal or a cloud service, the extension leaves the genuine page loaded but places on top of it an attacker-controlled iframe fetched from a remote server.

Critically, the address bar continues to display the legitimate domain throughout, because nothing has navigated: the iframe is just an element injected into the legitimate document, which the extension’s content-script and host permissions allow it to modify. From the user’s perspective there is little to indicate that anything is wrong: the URL is correct, the overlay fills the window, and the login or payment form looks familiar. In reality, credentials, payment card details, or other sensitive data typed into the fake page go straight to the attacker’s server.

This makes for highly convincing phishing and session hijacking campaigns that defeat much user-awareness advice: “check the URL” is of little help when the browser is showing the correct domain. The HTTPS padlock is equally uninformative here, since it describes the top-level page’s connection, not content injected into that page.
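The following is an added example, not code from the article or from Varonis’ report, showing how a defender can triage the overlay pattern described above: flag any iframe that covers (almost) the whole viewport and is loaded from an origin other than the page’s own. The frame descriptors, the page origin, the hostnames and the thresholds are all constructed for the demonstration; `collectFrames()` shows how to build the same descriptors from a live page (for example from the DevTools console or a trusted monitoring content script).

```javascript
// Added example (not code from the article or from Varonis' report).
// Flags <iframe> elements that look like the overlay described above:
// a frame covering (almost) the whole viewport and loaded from an origin
// other than the page's own. Frames are plain descriptor objects so the
// logic runs in Node; collectFrames() builds them in a browser.

const MIN_COVERAGE = 0.95; // assumption: an overlay hides >= 95% of the viewport
const HIGH_Z_INDEX = 1000; // assumption: overlays are stacked well above page content

function originOf(url) {
  try { return new URL(url).origin; } catch (_) { return null; }
}

// Fraction of the viewport that a frame's bounding rectangle covers.
function viewportCoverage(rect, viewport) {
  const w = Math.min(rect.x + rect.width, viewport.width) - Math.max(rect.x, 0);
  const h = Math.min(rect.y + rect.height, viewport.height) - Math.max(rect.y, 0);
  if (w <= 0 || h <= 0) return 0;
  return (w * h) / (viewport.width * viewport.height);
}

function classifyFrame(frame, pageOrigin, viewport) {
  const cov = viewportCoverage(frame.rect, viewport);
  const src = originOf(frame.src);
  const foreign = src === null || src !== pageOrigin; // about:blank / srcdoc count as foreign
  const reasons = [];
  if (cov >= MIN_COVERAGE) reasons.push(`covers ${Math.round(cov * 100)}% of the viewport`);
  if (foreign) reasons.push(src ? `cross-origin src ${src}` : 'src is not a parseable URL');
  if (frame.position === 'fixed') reasons.push('position: fixed');
  const z = Number(frame.zIndex);
  if (Number.isFinite(z) && z >= HIGH_Z_INDEX) reasons.push(`z-index ${z}`);
  // The core signal is "full-viewport AND not our origin"; the rest is supporting evidence.
  return { src: frame.src, suspicious: cov >= MIN_COVERAGE && foreign, reasons };
}

function findOverlayFrames(frames, pageOrigin, viewport) {
  return frames
    .map((f) => classifyFrame(f, pageOrigin, viewport))
    .filter((r) => r.suspicious);
}

// Browser-side collector (hypothetical usage: paste into DevTools on a page you
// suspect, or call from a trusted content script). Not used in the Node demo.
function collectFrames(doc, win) {
  return Array.from(doc.querySelectorAll('iframe')).map((el) => {
    const r = el.getBoundingClientRect();
    const cs = win.getComputedStyle(el);
    return {
      src: el.src,
      rect: { x: r.x, y: r.y, width: r.width, height: r.height },
      position: cs.position,
      zIndex: cs.zIndex,
    };
  });
}

// Constructed sample: a page at a fictional bank with three frames.
const PAGE_ORIGIN = 'https://online.example-bank.test';
const VIEWPORT = { width: 1920, height: 1080 };
const SAMPLE_FRAMES = [
  // legitimate third-party widget, small and scrolls with the page
  { src: 'https://chat.vendor.test/widget', rect: { x: 1600, y: 700, width: 300, height: 250 },
    position: 'absolute', zIndex: '10' },
  // legitimate same-origin application frame that happens to fill the viewport
  { src: 'https://online.example-bank.test/app/', rect: { x: 0, y: 0, width: 1920, height: 1080 },
    position: 'static', zIndex: 'auto' },
  // injected overlay: full viewport, pinned, topmost, loaded from elsewhere
  { src: 'https://cdn.attacker.invalid/login.html', rect: { x: 0, y: 0, width: 1920, height: 1080 },
    position: 'fixed', zIndex: '2147483647' },
];

function demo() {
  return findOverlayFrames(SAMPLE_FRAMES, PAGE_ORIGIN, VIEWPORT);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of demo()) console.log(`SUSPICIOUS ${hit.src}: ${hit.reasons.join('; ')}`);
}
```

Only the third frame is reported; the same-origin full-size application frame is not. Treat this as a triage aid rather than a guarantee: an extension that can inject an iframe can also tamper with the DOM the check reads, so the durable fix is keeping the extension out in the first place.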

Tracking Victims and Bypassing Blocking Controls

Varonis’ analysis indicates that Stanley-powered extensions can identify victims by IP address, conduct geotargeting and correlate activity across sessions and devices. This allows operators to selectively target victims in specific countries, industries, or IP ranges, increasing their return on investment and reducing noise that could trigger detection.

The extensions maintain continuous contact with a command-and-control (C2) server, typically making requests every 10 seconds to retrieve updated rules and instructions. Built-in failover logic can automatically switch to backup domains if the primary C2 infrastructure is blocked or taken down, helping evade network filtering and maintain persistence.

Operators manage attacks via a web-based control panel where they can enable or disable interception rules in real time, configure which domains should be overlaid with phishing pages, and even push notifications directly into the victim’s browser. Those notifications can be used to lure users to additional malicious sites or trigger credential-harvesting workflows at specific times.
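The polling and failover behaviour described above leaves a distinctive trace in web-proxy logs: one client fetching the same host at a near-constant interval, and, when that host starts being blocked, a second host taking over at the same cadence. The example below is added here and is not code from the article or from Varonis’ report. The Squid-like log format, the client address, the hostnames (`rules.c2-primary.invalid`, `rules.c2-backup.invalid`) and the timestamps are all constructed; the detection thresholds are assumptions to tune for your environment.

```javascript
// Added example (not from the article or from Varonis' report). Finds
// fixed-interval polling of one host by one client in proxy logs, and shows
// the failover hand-off as a second beacon that starts when the first begins
// failing. Constructed log format: "<ISO time> <client> <method> <url> <status>".

function parseLine(line) {
  const [ts, client, method, url, status] = line.trim().split(/\s+/);
  let host;
  try { host = new URL(url).hostname; } catch (_) { return null; }
  return { t: Date.parse(ts) / 1000, client, method, host, status: Number(status) };
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// Groups requests by (client, host) and flags groups whose inter-request
// intervals are regular: coefficient of variation (stddev / mean) <= maxCv.
function detectBeacons(lines, { minRequests = 6, maxCv = 0.2 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue;
    const key = `${r.client} ${r.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const beacons = [];
  for (const [key, reqs] of groups) {
    if (reqs.length < minRequests) continue;
    reqs.sort((a, b) => a.t - b.t);
    const gaps = reqs.slice(1).map((r, i) => r.t - reqs[i].t); // reqs[i] is the previous request
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const sd = Math.sqrt(gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length);
    const cv = mean > 0 ? sd / mean : Infinity;
    if (cv > maxCv) continue;
    const [client, host] = key.split(' ');
    beacons.push({
      client, host, count: reqs.length,
      periodSec: median(gaps), cv: Number(cv.toFixed(3)),
      firstSeen: reqs[0].t, lastSeen: reqs[reqs.length - 1].t,
      failures: reqs.filter((r) => r.status >= 400).length, // blocked/failed polls
    });
  }
  return beacons.sort((a, b) => a.firstSeen - b.firstSeen);
}

// Constructed sample log: one client polls a primary host every 10 s, the
// proxy starts returning 403 for it, and the client moves to a backup host.
function sampleLog() {
  const start = Date.parse('2025-01-01T10:00:00Z') / 1000;
  const iso = (t) => new Date(t * 1000).toISOString();
  const lines = [];
  for (let i = 0; i < 12; i++)
    lines.push(`${iso(start + 10 * i)} 10.0.0.5 GET https://rules.c2-primary.invalid/api/rules 200`);
  for (let i = 12; i < 15; i++)
    lines.push(`${iso(start + 10 * i)} 10.0.0.5 GET https://rules.c2-primary.invalid/api/rules 403`);
  for (let i = 15; i < 25; i++)
    lines.push(`${iso(start + 10 * i)} 10.0.0.5 GET https://rules.c2-backup.invalid/api/rules 200`);
  // ordinary browsing by the same client: irregular, human-paced
  for (const o of [3, 50, 62, 182, 187, 247, 400, 405])
    lines.push(`${iso(start + o)} 10.0.0.5 GET https://www.example-news.test/story/${o} 200`);
  return lines.sort();
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const b of detectBeacons(sampleLog()))
    console.log(`${b.client} -> ${b.host}: ${b.count} requests, period ${b.periodSec}s, ` +
                `cv ${b.cv}, ${b.failures} failed, active ${b.firstSeen}..${b.lastSeen}`);
}
```

Both C2 hosts are reported and the news site is not; the backup beacon’s `firstSeen` follows the primary’s `lastSeen` by exactly one period, which is the failover hand-off worth alerting on. Real implants often add jitter, so raise `maxCv` and widen the window before relying on this in production, and pair it with blocking of newly seen domains rather than a static blocklist.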

Stanley’s Subscription Model and Growing Risk to Organizations

One of the most concerning aspects of Stanley is its distribution and commercialization model. The seller claims to support automated and stealthy installation of extensions into Chrome, Edge and Brave, and offers assistance in passing Chrome Web Store moderation. Marketing materials emphasize that extensions are “guaranteed” to appear in the official store, significantly lowering barriers for attackers who lack technical expertise.

Stanley operates under a typical MaaS subscription model with multiple pricing tiers. The most expensive option, the Luxe Plan, reportedly includes a full web control panel, 24/7 support, and hands-on assistance with publishing malicious extensions in official marketplaces. This type of service industrializes cybercrime, enabling less skilled actors to launch large-scale phishing and fraud operations through seemingly legitimate channels.

The impact extends far beyond individual users. Once a malicious extension is installed, attackers may gain access to corporate email, cloud collaboration platforms, CRM systems, admin consoles, and financial applications accessed via the browser. Because modern enterprises heavily rely on browser-based SaaS, compromise at the extension level can result in widespread data exposure, business email compromise, and significant financial loss.

Practical Protection Against Malicious Browser Extensions

Defending against threats like Stanley requires a combination of technical controls, governance, and user education. Recommended measures include:

1. Limiting extensions to reputable publishers and well-known products. Regularly review installed extensions and remove anything unnecessary or suspicious. Note that Stanley’s selling point is precisely that its extensions pass store review, so presence in the official store is not by itself evidence of safety.
2. Using centralized policies (such as Group Policy, enterprise Chrome and Edge policies, or MDM solutions) to enforce an allowlist of approved extensions in corporate environments.
3. Applying the principle of least privilege by granting browser extensions only the minimum permissions they need. Avoid approving extensions that request broad access to “all websites” or sensitive data without a clear business justification; in managed environments, use policy to block even approved extensions from running on the most sensitive domains.
4. Deploying web filtering, Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB) solutions to monitor and block suspicious outbound traffic, including fixed-interval polling of unknown domains of the kind malicious extensions use to reach their C2 servers.
5. Training employees to recognize signs of phishing and abnormal browser behavior, such as unexpected fullscreen login prompts, repeated credential requests, or unfamiliar in-browser notifications. A password manager that declines to fill a familiar site’s login form is also a warning sign, because autofill matches on the origin of the form, not on what the address bar shows.
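Measures 2 and 3 can be enforced together with Chrome’s `ExtensionSettings` policy (Microsoft Edge supports the same policy name). The fragment below is an added example, not configuration from the article or from any vendor: it blocks every extension by default, shows users a message that points them at the approval process, allows one approved extension (the ID `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` is a placeholder to replace with your own approved IDs), and prevents all extensions, approved ones included, from running on the banking and SSO domains shown, which are likewise placeholders. On Linux it would be dropped as a file in `/etc/opt/chrome/policies/managed/`; on Windows the same JSON goes into the `ExtensionSettings` value under `HKLM\Software\Policies\Google\Chrome`, or is set via the ADMX templates.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "blocked",
      "blocked_install_message": "Extensions require approval by IT Security. Open a request quoting the extension ID.",
      "runtime_blocked_hosts": [
        "*://*.example-bank.test",
        "*://sso.example.test"
      ]
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "allowed"
    }
  }
}
```

The `runtime_blocked_hosts` entry under `"*"` is the part that addresses the overlay technique directly: an extension that cannot inject scripts into the banking domain cannot place an iframe over it, whatever permissions it declared in the store listing. Verify the result on a managed machine at `chrome://policy`, and check `chrome://extensions` shows the blocked-install message rather than a working install.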

The emergence of MaaS platforms like Stanley illustrates how rapidly the criminal ecosystem around browser extensions is maturing. Organizations and individuals that treat browser security as a first-class concern—by monitoring extensions, enforcing policies, and layering network and endpoint defenses—will be far better positioned to withstand the next wave of malicious extensions that attempt to hide in plain sight inside official app stores.
