www.securityweek.com 1/26/2026, 12:06:09 PM

‘Stanley’ Malware Toolkit Enables Phishing via Website Spoofing

A new malware‑as‑a‑service kit called Stanley has emerged on an underground forum, enabling phishing while the legitimate address remains visible in the browser, according to Varonis. Priced between $2,000 and $6,000, Stanley was first spotted on 12 January and allegedly offers extensions with guaranteed publication on the Chrome Web Store.

The toolkit provides a web‑based management panel that shows infected hosts, their IP addresses, online status and last activity, and lets operators configure target‑specific URL hijacking rules. Notably, it can overlay a phishing page while the browser’s address bar displays the legitimate URL, and it supports real‑time notification delivery that carries implicit trust because the alerts originate from Chrome itself.

Analysis of a sample extension built with Stanley revealed it can request permissions to take control of visited sites, implement a persistent C&C polling mechanism, and orchestrate full‑screen iframes to present the phishing content. Stanley’s pricing and capabilities make it accessible to a broad range of criminals, with extensions potentially remaining active in the Chrome Web Store for months while harvesting credentials.
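For defenders reviewing installed or allow-listed extensions, the capability mix described above can be triaged from each extension's `manifest.json`. The following is an added example, not code from the Stanley kit, Varonis or the article; the mapping from each capability to a manifest key is an assumption (the page names no specific permissions), and both sample manifests are constructed.

```javascript
// Added example: flag extensions that combine site-wide page control with
// notification or background-scheduling capability.
// Assumption: these manifest keys are the usual way to obtain the capabilities
// the article lists; they are not taken from the analysed sample.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  // Manifest V3 lists host patterns in host_permissions; V2 mixes them into permissions.
  const hostPatterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...perms,
  ];
  const broadScripts = (manifest.content_scripts || []).filter((cs) =>
    (cs.matches || []).some((m) => BROAD.has(m))
  );

  const findings = [];
  if (hostPatterns.some((p) => BROAD.has(p))) findings.push("host access to every site");
  if (broadScripts.length) findings.push("content script injected on every site");
  if (perms.has("notifications")) findings.push("can raise browser notifications");
  if (perms.has("alarms")) findings.push("can schedule recurring background work");

  // Escalate only when site-wide control is combined with another capability.
  const siteControl = findings.some((f) => f.includes("every site"));
  const extras = findings.filter((f) => !f.includes("every site"));
  return { name: manifest.name || "(unnamed)", findings, needsReview: siteControl && extras.length > 0 };
}

// Constructed sample manifests, for illustration only.
const SAMPLE_BROAD = {
  name: "constructed-notes-helper",
  manifest_version: 3,
  permissions: ["storage", "notifications", "alarms"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }],
};
const SAMPLE_NARROW = {
  name: "constructed-intranet-tool",
  manifest_version: 3,
  permissions: ["storage", "alarms"],
  host_permissions: ["https://intranet.example/*"],
};

for (const m of [SAMPLE_BROAD, SAMPLE_NARROW]) console.log(auditManifest(m));
```

A `needsReview` result is a prompt for manual inspection, not a verdict: many legitimate extensions request the same permissions.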


Article by CyberSIXT