
Attack Tree | Image: Cybereason
The Genesis Market, a notorious dark web marketplace dismantled by law enforcement in early 2023, appears to be returning. According to a new report by the Cybereason Global Security Operations Center (GSOC), the criminal infrastructure that once fueled the marketplace is resurfacing through the deployment of a malicious browser extension delivered via Lumma Stealer malware.
This new wave of attacks links Lumma Stealer with an advanced browser extension that mirrors the behavior of Genesis Market’s core functionality—harvesting, maintaining, and monetizing stolen credentials.
Originally launched in 2018, Genesis Market was one of the largest illicit platforms offering access to stolen credentials, cookies, device fingerprints, and full browser sessions from infected machines. At its peak, it contained data from over 1.5 million compromised systems and offered more than 80 million credentials for sale—including those tied to financial services, critical infrastructure, and government entities.

“Genesis Market has supplied the kind of access that ransomware attackers have used to target many organizations in the U.S., along with private sector organizations,” the report states.
Its ease of use—allowing buyers to search for credentials by geography, account type, or platform—and its unique approach to impersonation via browser fingerprints made it a favorite among cybercriminals. Despite its takedown under Operation Cookie Monster, the underlying techniques have not disappeared.
Cybereason’s investigation reveals that the new infection chain begins with a social engineering lure, usually a fake installer (e.g., “nvidia geforce experience.exe”) packed in a ZIP file. This archive contains an MSI installer, which sideloads a Lumma Stealer DLL and spawns a PowerShell script that downloads a base64-encoded browser extension payload.
“Lummastealer drops Genesis Market malicious browser extension as the final payload,” the report explains.
The extension is stealthily installed into browsers such as Chrome, Edge, Opera, and Brave. It modifies browser settings to ensure persistence and runs JavaScript that harvests data in real time from victims’ browsing sessions.
“These scripts are designed to systematically gather important information from victims’ devices.”
The extension deploys a vast array of surveillance and exfiltration features:
- Steals cookies, clipboard data, browser history, tabs, and login credentials
- Captures screenshots and harvests Gmail, Yahoo, and Outlook email data
- Extracts payment details from Google Pay, Coinbase, and Facebook Pay
- Hijacks YouTube channels and cryptocurrency wallets
- Sets up a reverse proxy via WebSocket to maintain a live link with C2 servers
The stolen data is exfiltrated to domains such as true-lie[.]com, which are resolved via blockchain transactions, complicating takedown efforts and increasing the operation's resilience.
To remain undetected, the extension disables Content Security Policy (CSP) and strips response headers such as X-Frame-Options and X-WebKit-CSP, leaving browsers vulnerable to clickjacking and XSS attacks. It also uses JavaScript-based alarms and background pages to trigger ongoing exfiltration even after a reboot.
The extension’s background behavior mimics legitimate tools, like the “Save to Google Drive” extension, to avoid detection.
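The capabilities described above (cookie and clipboard theft, tab access, header stripping, timed background exfiltration) all have to be requested in an extension's manifest.json, which gives defenders a hunting angle. The following script is an added example, not Cybereason's code or any published signature: the permission weights, threshold, Chrome profile path and the two sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Manifest permissions that together enable what the report describes: cookie and
# clipboard theft, tab/history access, stripping CSP and X-Frame-Options headers
# (webRequestBlocking), timed background exfiltration (alarms). Weights/threshold assumed.
SUSPICIOUS = {
    "cookies": 3, "clipboardRead": 2, "tabs": 1, "history": 2,
    "webRequest": 2, "webRequestBlocking": 3, "declarativeNetRequest": 2,
    "alarms": 1, "<all_urls>": 3,
}
THRESHOLD = 8

def score_manifest(manifest):
    """Return (score, matched permissions) for a parsed manifest.json dict."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    hits = sorted(p for p in perms if p in SUSPICIOUS)
    return sum(SUSPICIOUS[p] for p in hits), hits

def is_suspicious(manifest):
    return score_manifest(manifest)[0] >= THRESHOLD

def scan_extension_dirs(roots):
    """Walk Chromium extension folders; return (folder, score, hits) over threshold."""
    findings = []
    for root in roots:
        for manifest_path in Path(root).rglob("manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or not JSON: not a manifest we can assess
            score, hits = score_manifest(manifest)
            if score >= THRESHOLD:
                findings.append((str(manifest_path.parent), score, hits))
    return findings

# Constructed sample manifests so the script runs offline (not real samples).
BENIGN_MANIFEST = {"name": "Notes", "permissions": ["storage"]}
HARVESTER_MANIFEST = {
    "name": "Save to Cloud Drive",  # innocuous name, as the report describes
    "permissions": ["cookies", "clipboardRead", "tabs", "webRequest",
                    "webRequestBlocking", "alarms"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":
    # Assumed default Chrome profile path on Windows; add Edge/Brave/Opera roots as needed.
    chrome = Path.home() / "AppData/Local/Google/Chrome/User Data/Default/Extensions"
    for folder, score, hits in scan_extension_dirs([chrome]):
        print(f"{folder}: score={score} {hits}")
```

A hit is a lead for triage, not a verdict: legitimate password managers request several of these permissions too, so compare the flagged folder against the browser's extension store listing and the enterprise allow-list before acting.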