Stolen Pencil – A New Malware Campaign

Yes, we might have heard of someone stealing a pencil and then being caught. But this time the pencil thieves aren't easy to catch, because the pencil is nothing but your personal information, which is being stolen by cyber attackers.

A new malware campaign, dubbed the Stolen Pencil malware campaign, was spotted recently. It is being used to steal victims' credentials and personal data. The infection is distributed through spear-phishing emails that install a malicious Chrome extension on the system. Let us see exactly how the Stolen Pencil malware campaign works.

Modus Operandi

The malicious Chrome extensions installed on the system perform several important functions. After installation, the extensions run JavaScript from a separate domain. But when the file is opened, it contains jQuery code that the attackers have swapped in to mislead analysis or to stay hidden from detectors. The extensions are capable of reading data from every web page the victim visits, can steal browser cookies and passwords, and can also forward emails from some inauthentic accounts and IDs.

Once the attackers get their hands on the victim's personal information, their next step is to establish a connection between the infected system and the server. For this, the attackers use RDP (Remote Desktop Services) to stay hidden from the network. The set of tools used for this task is limited; it includes KPortScan, PsExec, Mimikatz, Nirsoft SniffPass, Nirsoft WebBrowserPassView, etc.

To distribute this malware, several phishing domains were used. Some of them are:

  • client-message[.]com
  • world-paper[.]net
  • docsdriver[.]com
  • grsvps[.]com
  • coreytrevathan[.]com
  • gworldtech[.]com


Google itself handles web and network security very well, and it has removed hundreds and thousands of unauthorized, suspicious and malicious extensions from Google Chrome. Still, to be on the safe side, there are some user-side precautions that should be implemented. Some of them are:

  1. It is recommended that users check, on a daily basis, the list of extensions installed in their Google Chrome web browser. If any malicious or inauthentic extension is found, remove it manually or use a clean-up tool to perform the task automatically.
  2. Users are recommended to use firewall security so that it restricts and stops attackers from accessing remote desktop.
  3. Detect and delete suspicious and inauthentic emails and attachments. Make sure the attachment in the mail is an authentic file and safe to download or extract. Also, it is not recommended to open any URL included in an email, even if it's from one of your contacts. If you want to visit the URL, go to it directly from the web browser.
  4. Block attachments with file extensions such as:


  5. Create a whitelist of trusted software that you use, so that no unauthorized or third-party software can get its hands on system information.
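One way to carry out the extension check from the first recommendation, as an added example that is not part of the original article: this Python script reads each installed extension's manifest.json and flags the access described under Modus Operandi (reading every page, cookies). The watch list, the function names and the sample manifest are assumptions of this example; the path to the Chrome profile's Extensions directory is passed as an argument.

```python
import json
import sys
from pathlib import Path

# Match patterns granting every site, and an assumed watch list of API permissions.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_APIS = {"cookies", "webRequest", "tabs"}


def audit_manifest(manifest: dict) -> list[str]:
    """Return findings for one parsed manifest.json (manifest version 2 or 3)."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared.update(p for p in manifest.get(key, []) if isinstance(p, str))
    injected = set()
    for script in manifest.get("content_scripts", []):
        injected.update(script.get("matches", []))
    findings = []
    if declared & BROAD_HOSTS:
        findings.append("host access to all sites")
    if injected & BROAD_HOSTS:
        findings.append("content script injected into all sites")
    findings += [f"sensitive API: {api}" for api in sorted(declared & SENSITIVE_APIS)]
    return findings


def audit_extensions(ext_root: Path) -> dict[str, list[str]]:
    """Walk <ext_root>/<extension id>/<version>/manifest.json and collect findings."""
    report = {}
    for path in sorted(ext_root.glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            findings = audit_manifest(manifest)
        except (OSError, ValueError, AttributeError):  # unreadable or not a JSON object
            report[ext_id] = ["unreadable manifest"]
            continue
        if findings:
            report[ext_id] = [f"name: {manifest.get('name', '?')}"] + findings
    return report


if __name__ == "__main__":
    # Constructed sample manifest, not taken from the campaign's extension.
    sample = {"name": "Example Reader", "manifest_version": 2,
              "permissions": ["cookies", "<all_urls>"],
              "content_scripts": [{"matches": ["*://*/*"]}]}
    print(audit_manifest(sample))
    for arg in sys.argv[1:]:
        print(json.dumps(audit_extensions(Path(arg)), indent=2))
```

A finding marks an extension for review rather than proving it malicious, since many legitimate extensions request the same access.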

So, that's all, folks! This was all about the Stolen Pencil malware campaign: how it works, and what precautions you need to take to stay safe. Make sure you are using the best security tool to keep away from potential risks and cyber threats like the Stolen Pencil malware. And if not, try to use the precautions above to keep your personal data and information secure. Stay safe and happy browsing!
