Hackers using malicious Firefox extension to phish Gmail credentials

Hackers using malicious Firefox extension to phish Gmail credentials

The malicious Firefox extension is called FriarFox which is also being used by Chinese hackers to spy on Tibetan activists.


For years, China has been accused of spying on minorities, activities, and journalists but according to researchers, the country’s spying tactics are only getting persistent and sophisticated. In the latest research, researchers have linked a Chinese government-backed hacking group with spying and phishing attacks against Minorities and Tibetan activists.

Chinese State-Sponsored Hackers Spying on Tibetan Activists


Proofpoint researchers have discovered a new campaign in which Chinese Communist party-backed advanced persistent threat (APT) targets Tibetan organizations and activists through a malicious Firefox extension.


The group is tracked as TA413 and has been previously involved in attacks against the Tibetan community. Back then, the group leveraged COVID-themed campaigns to distribute Sepulcher malware. However, even at that time, the primary goal was to conduct civil dissident surveillance and espionage.



COVID-19 Themed TA413 Malicious RTF File (Image source: Proofpoint)


1 of 2

Phishing Campaign Continuing since March 2020


According to the Sunnyvale-based enterprise security firm, low-level phishing campaigns against Tibetans were discovered first in March 2020 and have continued ever since. The threat actors are delivering a customized Firefox browser extension to hijack users’ Gmail accounts.



“Threat actors aligned with the Chinese Communist Party’s state interests delivered a customized malicious Mozilla Firefox browser extension that facilitated access and control of users’ Gmail accounts,” Proofpoint researchers noted in their  hackers using malicious firefox extension phish gmail credentials