Researchers at Varonis have discovered a new malware-as-a-service (MaaS) offering, dubbed "Stanley," which allows malicious Chrome extensions to evade Google’s review process and be listed on the official Chrome Web Store. Named after the alias of its seller, Stanley is also designed to target other popular browsers such as Edge and Brave, making phishing attacks easier to deploy. The service is sold in high-end pricing tiers of up to $6,000 and is designed to lower the barrier for malicious actors with less technical knowledge.
The main functionality is a full-screen iframe overlay of phishing content on top of legitimate websites, with the browser’s address bar still visible to maintain an appearance of authenticity. The user is presented with interfaces for trusted websites, such as banking websites, but their interactions are instead routed to attacker-controlled phishing pages. Other features include IP targeting, geographic filtering, cross-device session correlation, and Chrome-native push notifications to improve user engagement.
The attackers use a web-based control panel to change hijacking rules dynamically. The extension polls command-and-control (C2) servers every ten seconds, and backup domains can be changed to make takedowns more difficult. The service offers subscription plans, with the final option being a "Luxe" plan that includes full support for publication to the Web Store and customization options. Although the code is described as "rudimentary," with Russian-language comments and poor error handling, the step-by-step implementation of known techniques seems to offer high levels of effectiveness.
This development exacerbates ongoing issues with the Chrome Web Store, where malicious extensions have repeatedly evaded detection, as noted in recent Symantec and LayerX reports. Varonis highlights Stanley's distribution promise as its standout feature amid rising browser add-on threats. Google has been contacted for comment. Such incidents underscore persistent vetting gaps in an ecosystem serving billions.
Users must adopt vigilant habits: install only essential extensions, scrutinize developer reputations and reviews, and enable browser protections like Enhanced Safe Browsing. Enterprises should enforce extension whitelisting and monitor for anomalous behavior via endpoint detection tools. As MaaS evolves, staying proactive against store-approved threats remains critical for cybersecurity in 2026.
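One way to act on the allowlisting and monitoring advice above, as an added example that is not from Varonis or the original article: a Python audit of installed extensions' manifest.json files that reports any extension outside an approved list that can run on every site, and notes whether it can also raise notifications. The BROAD pattern set, flag names, allowlist and sample manifests are assumptions constructed for illustration, not indicators of Stanley.

```python
import json
from pathlib import Path

# Match patterns granting access to every site (review heuristic, an assumption).
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest, ext_id, allowlist):
    """Return review flags for one parsed manifest.json."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = set(manifest.get("host_permissions", []))               # Manifest V3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # Manifest V2
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    flags = []
    if ext_id not in allowlist:
        flags.append("not-allowlisted")
    if hosts & BROAD:
        flags.append("all-sites-access")   # can inject content into any page
    if "notifications" in perms:
        flags.append("notifications")      # can raise browser-native notifications
    return flags

def audit_profile(ext_root, allowlist):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json and return
    {id: flags} for unapproved extensions that also have all-sites access."""
    report = {}
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            report[ext_id] = ["unreadable-manifest"]  # surface it, do not skip it
            continue
        flags = audit_manifest(manifest, ext_id, allowlist)
        if "not-allowlisted" in flags and "all-sites-access" in flags:
            report[ext_id] = flags
    return report

# Constructed sample data: extension IDs and manifests are made up.
SAMPLE_ALLOWLIST = {"a" * 32}
SAMPLE_MANIFESTS = {
    "a" * 32: {"host_permissions": ["<all_urls>"], "permissions": ["storage"]},
    "b" * 32: {"permissions": ["notifications"],
               "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
    "c" * 32: {"host_permissions": ["https://intranet.example/*"]},
}

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        print(ext_id[:8], audit_manifest(manifest, ext_id, SAMPLE_ALLOWLIST))
```

Point `audit_profile` at a browser profile's `Extensions` directory and pass the organization's approved extension IDs; a flagged entry is a prompt for manual review, not proof of malice.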