A new malware-as-a-service (MaaS) kit called “Stanley” is offering users guaranteed publication in the Chrome Web Store, bypassing Google’s security verification process, according to researchers at Varonis.
“For $2,000 to $6,000, Stanley provides a turnkey website-spoofing operation disguised as a Chrome extension, with its premium tier promising guaranteed publication on the Chrome Web Store,” Varonis says. “We reported this to the Chrome Web Store and hosting provider on January 21, 2026. The C2 was taken offline the next day, but the extension remains live.”
After a user installs the malicious extension, the attackers can change the URL that appears in the address bar while showing the user a phishing page.
“Once a target is selected, attackers configure URL hijacking rules specific to that user,” the researchers explain. “They set a source URL (the legitimate site to hijack) and a target URL (the phishing page to display). Rules can be activated or deactivated per infection, allowing operators to stage attacks and trigger them on demand. The interface makes this trivially simple: a ‘new redirect’ dialog accepts any source/target pair.”
Additionally, the attackers can trigger legitimate Chrome notifications to lure users to phishing sites.
“The $6,000 price tag likely reflects the value of the Chrome Web Store publication guarantee and the management panel rather than the complexity of the code itself,” Varonis says.
“That guarantee is what makes the usual advice insufficient. ‘Only install from official stores, check reviews, look for verified badges’ doesn't help when malicious extensions pass Google's review process and sit in the Chrome Web Store alongside legitimate tools. Once published, these extensions can remain active for months before detection, quietly harvesting credentials from thousands of users.”
AI-powered security awareness training can give your organization an essential layer of defense against evolving social engineering attacks. KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 HRM+ platform to strengthen their security culture and reduce human risk.
Varonis has the story.
New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!
