A new malware strain named Rilide is becoming a significant threat to Chrome and Edge browser users. It works as a deceptive browser extension designed to harvest login credentials from victims. The malware has been identified in campaigns targeting both corporate and individual users across North America and Europe. Several financial institutions and e-commerce platforms have reported cases of stolen credentials due to this attack.
Rilide’s integration with the victim’s browsing experience makes it challenging for traditional security solutions to detect.
The malware is primarily distributed through phishing emails or compromised websites that trick users into installing a seemingly legitimate extension. Once installed, the extension gains extensive permissions to monitor browser activity, intercept form submissions, and maintain persistence on the victim’s system.
Security researchers have identified Rilide’s ability to bypass browser security checks and extension verification processes, using obfuscation techniques. The malware captures credentials from over 300 popular websites, including banking portals and enterprise applications. Its rapid spread has resulted in approximately 75,000 installations worldwide since early March, posing a serious risk to business environments where compromised accounts could lead to further attacks.
Rilide’s infection process begins when the extension is installed and establishes persistence, even after a browser restart.
It injects event listeners into form submissions, capturing credentials before encryption. This allows it to bypass HTTPS protection and send data directly to the attacker’s server. Security experts recommend managing browser extensions carefully and using PowerShell logging to detect malicious activities.
