Rilide is an information stealer disguised as a legitimate browser extension. First identified in April 2023, this malware specifically targets Chromium-based browsers such as Google Chrome and Microsoft Edge, with capabilities designed to compromise user security.

What Makes Rilide Dangerous?

Rilide is no ordinary malware. Once installed, it can:

  • Capture screenshots of sensitive information
  • Log passwords entered into websites
  • Steal credentials for cryptocurrency wallets
  • Operate silently while users remain unaware

Delivery Mechanisms Explained

The malware spreads through multiple sophisticated channels, with phishing websites being the most prevalent vector. Security researchers have documented Rilide masquerading as trusted extensions including those from Google Drive and Palo Alto Networks.

Evolution to Manifest V3

By August 2023, Rilide had adapted to work with Chrome Extension Manifest V3, demonstrating the malware authors’ commitment to evading detection. These adaptations included:

  • Removing capabilities to execute external logic via executeScript(), eval(), and new Function()
  • Adjusting to Manifest V3’s prohibition of remotely hosted files
  • Packaging all malicious logic within the extension itself

Three Primary Attack Vectors

  1. PowerPoint Phishing Campaign
    • Uses deceptive PowerPoint files as lures
    • Redirects users to phishing websites
    • Downloads the Rilide stealer upon interaction
  2. Social Media Deception
    • Leverages Twitter as the initial contact point
    • Redirects users to phishing websites
    • Downloads executable files that deploy the malicious extension via LNK files
  3. Combined Approaches
    • One variant uses Google Ads instead of Twitter
    • Another employs a PowerShell loader to install Rilide directly
    • The exact delivery mechanism of the PowerShell loader remains unclear

Anatomy of a Rilide Attack: Technical Analysis

The PowerShell Dropper Stage

In late November 2024, VMRay released details about a PowerShell script used to deploy Rilide. As of March 15, 2025, this script remained largely undetected, with only four security vendors flagging it as malicious on VirusTotal.

First Stage Execution

When executed, the PowerShell script launches another hidden PowerShell instance that processes base64-encoded commands. The script employs several obfuscation techniques:

  1. Base64 encoding of the initial payload
  2. Character substitutions within the encoded content
  3. XOR operations to further obfuscate the actual payload
  4. Passing the decoded result (the download URL) to the .NET WebClient DownloadString method, called from PowerShell, to fetch the next stage

Analysis of the encoded domain revealed it was registered through NameCheap on October 5, 2024, approximately one month before VMRay’s report.
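The first-stage traits listed above (hidden window, base64, character replacement, XOR, DownloadString) are visible in Script Block Logging once it is enabled. The following is an added example, not code from VMRay or PulseDive: it scores Event ID 4104 script-block text against those traits, decoding embedded base64 so nested stages are scanned too. The indicator patterns and the sample command are constructed for illustration.

```powershell
# Added example, not from the original research: triage Script Block Logging events
# (Event ID 4104) for the first-stage traits described above. Assumes Script Block
# Logging is enabled; the patterns and the sample command are constructed.

$Indicators = @{
    HiddenWindow   = '-w(indowstyle)?\s+hidden'
    EncodedCommand = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}'
    Base64Decode   = 'FromBase64String'
    CharReplace    = '-c?replace\s|\.Replace\('
    XorDecode      = '-bxor'
    RemoteFetch    = 'DownloadString|Net\.WebClient|Invoke-WebRequest'
}

function Get-ScriptBlockIndicators {
    param([Parameter(Mandatory)][string]$ScriptText)
    # Decode every long base64 run so nested stages are scanned too. UTF-16LE is what
    # -EncodedCommand expects; a zero high byte is the heuristic that tells it from UTF-8.
    $decoded = foreach ($m in [regex]::Matches($ScriptText, '[A-Za-z0-9+/]{40,}={0,2}')) {
        try {
            $bytes = [Convert]::FromBase64String($m.Value)
            if ($bytes.Length -gt 1 -and $bytes[1] -eq 0) { [Text.Encoding]::Unicode.GetString($bytes) }
            else { [Text.Encoding]::UTF8.GetString($bytes) }
        } catch { }
    }
    $corpus = @($ScriptText) + @($decoded)
    $hits = foreach ($name in $Indicators.Keys) {
        if ($corpus -match $Indicators[$name]) { $name }   # -match on an array returns matching items
    }
    [pscustomobject]@{
        Indicators = @($hits | Sort-Object)
        Score      = @($hits).Count
        Decoded    = @($decoded | Where-Object { $_ })
    }
}

# Constructed sample text that mimics the chain; it is only ever treated as a string, never run.
$inner = '$p=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b)) -replace "!","l";' +
         '$u=-join($p.ToCharArray() | ForEach-Object { [char]([int]$_ -bxor 0x2A) });' +
         'IEX (New-Object Net.WebClient).DownloadString($u)'
$sample = 'powershell.exe -w hidden -enc ' +
          [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))

Get-ScriptBlockIndicators -ScriptText $sample | Format-List   # Score 6 on the sample

# Live use: score recorded events and keep the ones that stack several traits
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 500 |
    ForEach-Object { Get-ScriptBlockIndicators -ScriptText $_.Properties[2].Value } |
    Where-Object Score -ge 3
```

Because Script Block Logging also records what an encoded command decodes to at execution time, a single 4104 event for the dropper will usually trip several of these traits at once, which is why the score threshold rather than any single pattern is the useful filter.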

Second Stage – Command Execution

The second stage retrieves obfuscated code from the remote server and applies the following character conversions to it before execution:

  Original Value    New Value
  !                 l
  *                 d
  "                 T
  '                 H
  ;                 F

Third Stage – Rilide Installation

The final decoded payload contains the actual Rilide extension installation code, which:

  1. Attempts to gather the current user’s SID
  2. Generates a random 80-character alphanumeric string
  3. Converts byte strings to UTF-8 encoded strings containing extension data
  4. Creates paths targeting multiple web browsers
  5. Writes the Rilide extension files to disk after performing character replacements

Protecting Your Systems: Mitigation Strategies

Extension Management Best Practices

  • Verify extension sources
    • Avoid installing extensions from untrusted or third-party websites
    • Remember that even official browser stores occasionally contain compromised extensions
  • Review permissions carefully
    • Examine requested permissions before installing any extension
    • Question why an extension might need extensive access
  • Conduct regular audits
    • Periodically review all installed extensions
    • Remove any that are no longer necessary

PowerShell Measures

  • Enable comprehensive logging
    • Activate Module Logging and Script Block logging
    • Integrate PowerShell logs with SIEM or centralized log management solutions
  • Implement access restrictions
    • Limit PowerShell execution capabilities to only essential users
    • Apply principle of least privilege to PowerShell access
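The logging recommendations above map to two policy registry keys. The following is an added example, not taken from the original research: it enables Script Block Logging and Module Logging on a standalone host (domain-joined hosts should receive the same settings via Group Policy, which writes these same keys), then verifies that events are flowing. It assumes an elevated prompt.

```powershell
# Added example, not from the original research: enable the two PowerShell logs the
# section recommends and confirm they are populated. Run from an elevated prompt.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script Block Logging (Event ID 4104) records the full content of every executed
# script block, including what an -EncodedCommand or IEX string decodes to.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
New-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging `
    -Value 1 -PropertyType DWord -Force | Out-Null

# Module Logging (Event ID 4103) records pipeline execution details; '*' covers all modules.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging `
    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' `
    -Value '*' -PropertyType String -Force | Out-Null

function Test-PowerShellLogging {
    # Returns $true only when both policies are enabled; suitable for a compliance check.
    $sbl = Get-ItemProperty -Path "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod = Get-ItemProperty -Path "$base\ModuleLogging" -ErrorAction SilentlyContinue
    ($sbl.EnableScriptBlockLogging -eq 1) -and ($mod.EnableModuleLogging -eq 1)
}

Test-PowerShellLogging

# Confirm events are arriving before forwarding the channel to the SIEM
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} -MaxEvents 5 |
    Select-Object TimeCreated, @{n='FirstLine'; e={ ($_.Properties[2].Value -split "`n")[0] }}
```

The Microsoft-Windows-PowerShell/Operational channel is what should be forwarded to the SIEM; the 4104 events it carries are the ones the dropper's obfuscation stages show up in.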

About the Research

This analysis draws from detailed security research conducted by PulseDive Threat Research, highlighting the ongoing evolution of browser-based threats. For more comprehensive information on this attack vector and similar threats, readers are encouraged to visit the source website for additional resources and technical details.

Author

Editorial Team
The Editorial Team at Security Land comprises experienced professionals dedicated to delivering insightful analysis, breaking news, and expert perspectives on the ever-evolving threat landscape.