This article was made possible thanks to contributions by Tal Langus, Amir Gandler and Camila Sablotny.
When a surge in anomalous transaction behavior surfaced across multiple Latin American (LATAM) financial institutions, IBM Trusteer’s Fraud Analytics and Malware Research teams were engaged to investigate. These institutions, already fortified with Trusteer’s Pinpoint Detect (PPD) for detecting Remote Overlay Malware through behavioral and user flow anomalies, now faced a new challenge: fraudulent transfers that appeared to originate from genuine user activity, including real-time manipulation of transaction amounts and destination accounts.
Upon deeper analysis, the investigation revealed a new and stealthy malware campaign leveraging advanced WebInject techniques to bypass traditional detection mechanisms. This variant, later classified as BlackStink, employed a malicious Chrome extension designed specifically to target LATAM banking portals.
Trusteer’s rapid identification and response enabled the swift development of targeted detection rules, effectively neutralizing the threat. The malware signature was quickly shared across the Trusteer ecosystem, reinforcing defenses for other regional banks and preempting similar attacks.
Malicious Chrome extensions have become an increasingly popular attack vector for cyber criminals due to their ability to operate inside the user’s browser with elevated privileges while appearing harmless. These extensions often mimic legitimate applications such as productivity tools, security add-ons or even casual browser games using familiar branding, names and icons to avoid suspicion. In many cases, victims do not knowingly install these extensions; instead, the malware responsible for the initial infection silently adds them to the browser, bypassing the Chrome Web Store entirely or abusing sideloading mechanisms. Once installed, the extension runs in the background with permissions that allow it to monitor browsing activity, manipulate web content, intercept form data and interact with banking or financial websites in real time. Because the extension blends into the browser’s normal interface and behaves like a legitimate app, most users remain unaware of its malicious nature, giving attackers a persistent foothold for credential theft, session hijacking and automated fraudulent transactions.
BlackStink is a sophisticated malware family that also deploys a malicious Chrome extension to carry out advanced web injection attacks against banking and financial websites. Once active, it can dynamically inject deceptive overlays into legitimate banking pages to harvest credentials, account details and transaction data. Beyond simple credential theft, BlackStink is capable of auto-filling and auto-submitting forms, simulating user actions and executing automatic transactions, allowing attackers to move funds in real time without the victim’s awareness. To evade detection, the malware disables certain browser security features and leverages heavily obfuscated JavaScript to conceal its behavior and complicate analysis.
In this blog, we will examine BlackStink’s latest campaign in detail—covering its tactics, techniques and procedures (TTPs), analyzing the inner workings of its malicious Chrome extension and explaining the web injection methods it employs.
The malware installs a Chrome extension in the background and updates it as new versions become available, embedding multiple evasion techniques to avoid detection. Our threat researchers have observed several variants of the extension across different infections.
The malicious Chrome extension used in the latest BlackStink campaign is crafted to mimic a legitimate Google Docs service, complete with a Spanish-language name and description (“G Docs - Servicio de almacenamiento de documentos en la nube”) to blend in with targets across LATAM.
Behind this façade, its manifest.json reveals capabilities far beyond a benign productivity tool. The extension’s content_scripts run on <all_urls> with all_frames: true, ensuring its injected JavaScript (index.js) executes across every website and within embedded frames—a perfect setup for targeting banking portals and their login or transaction widgets. With powerful permissions like webNavigation, scripting, tabs and storage, it can detect when a victim visits a financial site, inject deceptive overlays, prefill and submit forms, simulate clicks and exfiltrate sensitive data. The presence of a service_worker (background.js) allows persistent communication with attacker-controlled infrastructure, while a hardcoded update_url pointing to a typosquatted domain enables off-store, silent updates to rotate payloads or configurations without user interaction. By embedding an RSA key, the attackers ensure the extension maintains a fixed ID across installations, a tactic often used to preserve persistence across updates or reinstallation.
Key observations from the manifest:
- name / description: Impersonates Google Docs branding to appear legitimate and trick users into installing it. This is a common social-engineering tactic.
- key (hardcoded RSA public key): Suggests the extension is sideloaded or distributed outside the official store. This locks the extension ID and helps persist malicious updates.
- permissions (webNavigation, scripting, tabs, storage): Grants excessive privileges.
- content_scripts on <all_urls> with all_frames: true: Red flag: full access to every page the user visits, across all frames (including iframes). This allows credential theft, session hijacking and injection into banking portals.
- background service_worker (background.js): Persistent background logic that can coordinate data exfiltration, command-and-control and conditional attack triggers without user interaction.
- content_security_policy: Minimal CSP, leaving room for obfuscation and potentially unsafe script execution. Attackers often keep this loose to maximize exploit flexibility.
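The manifest traits above are exactly what a defender should triage when reviewing sideloaded extensions on a fleet. The following script is an added example (not code from the IBM Trusteer write-up nor from the malware) that scores a manifest.json for that combination of red flags; the sample manifest, its update host and key value are constructed placeholders.

```javascript
// Added example (not from the IBM Trusteer write-up, nor the malware's code):
// static triage of a Chrome extension manifest for the combination of traits
// described above. Field names follow the Chrome Manifest V3 schema; the
// sample manifest, update host and key value are constructed placeholders.
const SENSITIVE_PERMS = ['webNavigation', 'scripting', 'tabs', 'storage', 'cookies', 'webRequest'];
const TRUSTED_UPDATE_HOSTS = ['clients2.google.com'];  // Chrome Web Store update endpoint

function matchesAllUrls(patterns) {
  return (patterns || []).some(p => ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'].includes(p));
}
// Returns every red flag found plus a simple count usable as a triage score.
function triageManifest(m) {
  const findings = [];
  const scripts = m.content_scripts || [];
  if (scripts.some(cs => matchesAllUrls(cs.matches))) {
    findings.push('content script runs on every site (<all_urls>)');
  }
  if (scripts.some(cs => matchesAllUrls(cs.matches) && cs.all_frames === true)) {
    findings.push('content script also runs inside every iframe (all_frames: true)');
  }
  const perms = (m.permissions || []).filter(p => SENSITIVE_PERMS.includes(p));
  if (perms.length >= 3) findings.push(`broad permissions: ${perms.join(', ')}`);
  if (m.update_url) {
    let host = '(unparseable)';
    try { host = new URL(m.update_url).hostname; } catch (e) { /* keep placeholder */ }
    if (!TRUSTED_UPDATE_HOSTS.includes(host)) findings.push(`off-store update_url host: ${host}`);
  }
  if (m.key) findings.push('hardcoded key pins the extension ID across installs');
  if (m.background && m.background.service_worker) findings.push('persistent background service worker');
  const csp = m.content_security_policy;
  if (!csp || (typeof csp === 'object' && !csp.extension_pages)) findings.push('no explicit CSP for extension pages');
  if (/\bdocs\b|google|chrome|secur/i.test(`${m.name} ${m.description}`)) {
    findings.push('name/description borrows well-known branding');
  }
  return { score: findings.length, findings };
}

// Constructed sample modelled on the traits listed above (not the real manifest).
const SAMPLE_MANIFEST = {
  name: 'G Docs', description: 'Servicio de almacenamiento de documentos en la nube',
  manifest_version: 3, version: '1.0',
  key: 'PLACEHOLDER_BASE64_RSA_PUBLIC_KEY',
  permissions: ['webNavigation', 'scripting', 'tabs', 'storage'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['index.js'], all_frames: true }],
  background: { service_worker: 'background.js' },
  update_url: 'http://update.example-typosquat.invalid/updates.xml'
};
console.log(triageManifest(SAMPLE_MANIFEST));
```

To run it against a real install, pass `JSON.parse(fs.readFileSync(pathToManifest, 'utf8'))` to triageManifest instead of the sample.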
Initial reconnaissance & bank detection - The malware performs reconnaissance to identify target banking websites and their specific transfer pages.
The malware focuses exclusively on financial institutions in LATAM, where it injects fake transfer forms. The long list of banks is not for attacking them directly, but for automatically recognizing the victim’s chosen destination bank. This allows the injected form to display the correct bank name while silently redirecting funds to an attacker-controlled account.
Form cloning & content replacement - The malware clones legitimate banking forms and replaces their content with malicious versions while hiding the originals.
Malicious form injection - Injects sophisticated fake banking forms that mimic legitimate transfer interfaces with pre-filled malicious data.
Presents users with convincing fake forms that steal banking credentials and transfer information.
Button manipulation & event hijacking - Replaces legitimate banking buttons with malicious versions that intercept user actions and trigger unauthorized transfers.
Ensures user interactions trigger malware functions instead of legitimate banking processes.
Banking limits extraction - Queries banking systems to extract transaction limits and account information for optimizing theft amounts.
Determines maximum theft amounts based on account limits and banking policies.
Full-screen overlay creation - Creates sophisticated full-screen overlays that completely take over the banking interface and hide malicious activities.
Completely controls the user interface, preventing access to legitimate banking functions while executing malicious transfers.
Cross-frame communication & data exfiltration - Uses postMessage API to communicate between different frames and exfiltrate stolen banking data to command & control servers.
Establishes communication channels for data theft and remote control of the banking session.
The malware uses legitimate-looking domains and analytics services to avoid detection while systematically stealing banking data and maintaining persistent access to victim accounts, all executed silently in the background through the extension’s service worker.
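The form cloning, button hijacking and full-screen overlay steps above leave visible traces in the page's DOM. The following is an added example (not code from the IBM Trusteer write-up or from the malware) of a page-integrity check a bank's front end could run to surface those traces; the snapshot shape, the heuristics' thresholds and the sample page state are constructed for this example.

```javascript
// Added example (not code from the IBM Trusteer write-up or from the malware):
// a page-integrity check a bank's front end could run to surface the DOM
// symptoms described above: a cloned form shadowing its hidden original, a
// submit control rewired to an inline handler, and a full-viewport overlay.
// The snapshot shape and the sample page state are constructed for this example.
// Collector: runs in the browser and reduces the live DOM to a plain object.
function snapshotDocument(doc, win) {
  const css = el => win.getComputedStyle(el);
  const isHidden = el => css(el).display === 'none' || css(el).visibility === 'hidden' || css(el).opacity === '0';
  const forms = Array.from(doc.forms).map(f => {
    const btn = f.querySelector('button, input[type=submit]');
    return { action: f.getAttribute('action') || '', hidden: isHidden(f),
             submitType: (btn && btn.getAttribute('type')) || 'submit',
             submitHasInlineHandler: !!(btn && btn.getAttribute('onclick')) };
  });
  const overlays = Array.from(doc.body.querySelectorAll('*')).filter(el => {
    const s = css(el), r = el.getBoundingClientRect();
    return s.position === 'fixed' && parseInt(s.zIndex, 10) >= 1000 &&
           r.width >= win.innerWidth && r.height >= win.innerHeight;
  }).map(el => el.id || el.tagName.toLowerCase());
  return { forms, overlays };
}
// Detector: pure function over the snapshot so it can be tested outside a browser.
function auditSnapshot(snap) {
  const alerts = [];
  const byAction = new Map();
  for (const f of snap.forms) byAction.set(f.action, [...(byAction.get(f.action) || []), f]);
  for (const [action, forms] of byAction) {
    if (forms.length > 1 && forms.some(f => f.hidden) && forms.some(f => !f.hidden)) {
      alerts.push(`cloned form for ${action}: original hidden, replacement visible`);
    }
  }
  for (const f of snap.forms) {
    if (!f.hidden && f.submitType !== 'submit' && f.submitHasInlineHandler) {
      alerts.push(`submit control on ${f.action} rewired to an inline click handler`);
    }
  }
  if (snap.overlays.length) alerts.push(`full-viewport fixed overlay(s): ${snap.overlays.join(', ')}`);
  return alerts;
}
// Constructed sample: the transfer page while an inject of this kind is active.
const SAMPLE_SNAPSHOT = {
  forms: [
    { action: '/transfers/new', hidden: true, submitType: 'submit', submitHasInlineHandler: false },
    { action: '/transfers/new', hidden: false, submitType: 'button', submitHasInlineHandler: true }
  ],
  overlays: ['loader-overlay']
};
if (typeof document !== 'undefined') console.log(auditSnapshot(snapshotDocument(document, window)));
```

In a real deployment the alerts would be reported to the bank's fraud telemetry rather than logged, and legitimate overlays (cookie banners, session-timeout dialogs) should be allow-listed by id.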
In the final stage, the attacker completes the fraud with an Automated Transfer System (ATS):
The malware performs actual money transfers by directly calling the banking API through the postToBank function. It constructs legitimate-looking HTTP POST requests to the bank’s transfer endpoint while spoofing browser headers and using the victim’s authenticated session cookies. This allows the malware to execute real financial transactions without the victim’s knowledge, transferring funds to attacker-controlled accounts.
By detecting and neutralizing this sophisticated malware family early, IBM Trusteer not only safeguarded its customer from potential harm but also reinforced broader defenses across the LATAM region. The investigation uncovered multiple evolving variants, each designed to evade traditional detection through browser-based injection and session manipulation techniques. The attackers behind this campaign are highly organized and have invested significant effort in mapping banking pages and applications, indicating they are here to stay. We can therefore expect frequent updates, new variants and ongoing activity from this threat group. This case underscores the speed, precision and intelligence-led response required to stay ahead of today’s most evasive fraud tactics—reaffirming IBM Trusteer’s commitment to helping financial institutions defend against threats before they surface.
We recommend that users review their installed browser extensions and remove any that are unnecessary or unfamiliar, as they might pose a security risk.
We also recommend that you manually validate each transaction on accounts that are affected by this malware.
Customers and applications using the IBM Trusteer Pinpoint Detect solution identify the malware as BlackStink and record its presence on infected devices.
IBM® Trusteer® Pinpoint Detect – Detects BlackStink malware on infected devices to flag fraudulent activity risk.
IBM Trusteer Pinpoint Detect is real-time, cloud-based risk assessment software that analyzes online identities to differentiate between malicious users and true customers. Pinpoint Detect uses artificial intelligence and machine learning to protect digital channels against account takeover and fraudulent transactions and detect end-user devices infected with high-risk malware. Targeted customers are notified by our support team when applicable.
Extension IDs:
oeibmahkcodkjoicdohdhdiljbpgphcd
cioeengfhclkldbmjejfbdfplbophhhm
ogahgeimfaaohdjchpkichciopegebpn
Domains:
hxxp://daemon[.]vulnmetricshub[.]com
hxxp://cronjob[.]ciphertrackai[.]com
hxxp://statistic[.]chromenalitycs[.]com
hxxp://secur[.]itychromenetworc[.]com
hxxp://sinc[.]safechromewebtool[.]com
Reference:
https://blog.scilabs.mx/en/2022/12/15/new-threat-blackstink-man-in-the-browser-malware-campaign-targeting-mexico/
