Cyberhaven Extension Compromise: TLS Certificates Reveal Hidden Infrastructure
Published on
Jan 9, 2025
Introduction
In late December 2024, a phishing attack targeting an employee of Cyberhaven led to the compromise of their Google Chrome extension. Cyberhaven's preliminary analysis details how the attacker used stolen credentials to publish a malicious version, 24.10.4, on the Chrome Web Store. Active for approximately 24 hours, the compromised extension could exfiltrate cookies and session data from several targeted websites.
Additional domains and IP addresses tied to the activity were shared on X, highlighting overlaps with a broader campaign believed to target Facebook advertising accounts. Combined, these indicators provide context on the scope of the operation, suggesting a coordinated effort to exploit authenticated sessions for financial gain, similar to a group Infoblox tracks as Savvy Seahorse.
Building on Cyberhaven's analysis and valuable contributions from the cybersecurity community, we identified a TLS certificate connecting previously reported IPs/domains with additional connections tied to this campaign. Our scanners first observed the certificate in early February 2024 and again as recently as early December 2024.
Although there are notable overlaps between the Cyberhaven incident and the infrastructure detailed in the Infoblox report, further analysis is required to confirm any definitive links or attribution to the same group.
From IoCs to a TLS Certificate
Cyberhaven's analysis identified two IP addresses and two domains as command-and-control servers involved in the compromise:
- 149.28.124[.]84
- 149.248.2[.]160
- cyberhavenext[.]pro
- api.cyberhaven[.]pro
Using Hunt to analyze these IPs, we determined both servers are hosted on The Constant Company, LLC's network, with geolocations in the United States. Additionally, the "Domains" tab within Hunt's overview page surfaced several indicators of compromise aligning with prior public reporting.
SSL History Reveals Patterns in Certificate Usage
Focusing on the SSL history for 149.248.2[.]160 uncovered numerous certificates issued by Let's Encrypt. These certificates followed a recognizable pattern in their structure, using formats like [api/app].[spoofed extension name].[TLD]. Frequent rotation was evident, with some certificates remaining active for a single day before activity ceased entirely on January 4, 2025.
One certificate stood out to us: using the common name admin.tkv2[.]pro, it was active from February 9 to February 14, 2024, before being replaced on the 15th. This early record may represent the threat actor's initial setup before adopting a more dynamic approach involving frequently rotated certificates.
Examining the SSL history for 149.28.124[.]84, we observed the same *.pro common name on a Let's Encrypt certificate, active from November 5 to December 4, 2024. This indicator appears to have served as an interim stage in the threat actor's infrastructure, preceding a shift to updated certificates every few days.
Another record associated with this IP, moonsif[.]store, was reported by Secure Annex, further reinforcing the connection to malicious activity.
Expanding the Infrastructure
Using Hunt's "Certificate IPs" feature, we pivoted on the admin.tkv2[.]pro certificate, identifying a cluster of 19 servers sharing the same Let's Encrypt certificate. While a full list of these IPs is included at the end of this post, Figure 3 demonstrates the recurring theme of infrastructure hosted on The Constant Company network. This suggests a preference by the threat actor for specific hosting providers, likely to streamline their operations.
Finding Associated IPs with HuntSQL™
For users of HuntSQL™, identifying both past and recent IPs tied to a specific TLS hash is straightforward. The following query can be used to search for IPs and ports associated with the certificate hash 714936FFF8B5A1FDFB793470A8B8BC0096DD1FFCF4EC2154826196B043F5EF69, filtering results for activity after February 1, 2024:
SELECT ip, port FROM certificates WHERE certificate_hash == '714936FFF8B5A1FDFB793470A8B8BC0096DD1FFCF4EC2154826196B043F5EF69' AND timestamp.day > '2024-02-01' GROUP BY ip, port
Figure 4 below displays the most recent results of this query.
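As an added example (not code from the post or from Hunt), the following Python reproduces offline the two pivots described above: the [api/app].[spoofed extension name].[TLD] naming and short-lived rotation noted in the SSL history section, and the certificate-hash pivot the HuntSQL query performs. The record layout and field names are assumptions, the sample rows are constructed (the two admin.tkv2[.]pro rows reuse the dates given in the post), and the hash is taken to be SHA-256 because it has 64 hex digits.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable

@dataclass(frozen=True)
class CertRecord:
    """One TLS-history row as a scanner like Hunt exposes it (field names assumed here)."""
    ip: str
    port: int
    common_name: str   # may be defanged, e.g. admin.tkv2[.]pro
    sha256: str        # hex SHA-256 of the DER certificate (assumed hash type)
    first_seen: date
    last_seen: date

# Certificate hash from the post (64 hex digits, so taken to be SHA-256).
PIVOT_HASH = "714936FFF8B5A1FDFB793470A8B8BC0096DD1FFCF4EC2154826196B043F5EF69"
# The [api/app].[spoofed extension name].[TLD] shape the post describes.
SPOOF_PATTERN = re.compile(r"^(api|app)\.[a-z0-9-]+\.[a-z]{2,}$", re.IGNORECASE)

def refang(name: str) -> str:
    """Turn defanged notation (x[.]y) back into a hostname for matching."""
    return name.replace("[.]", ".")
def looks_spoofed(common_name: str) -> bool:
    return SPOOF_PATTERN.match(refang(common_name)) is not None
def short_lived(rec: CertRecord, max_days: int = 7) -> bool:
    """Certificates seen for only a few days: the rotation behaviour the post notes."""
    return (rec.last_seen - rec.first_seen).days <= max_days

def pivot_ips(records: Iterable[CertRecord], sha256: str, since: date) -> set[tuple[str, int]]:
    """Offline equivalent of the HuntSQL query: distinct (ip, port) pairs that
    presented the given certificate hash, keeping observations after `since`."""
    return {(r.ip, r.port) for r in records
            if r.sha256.upper() == sha256.upper() and r.last_seen > since}

def triage(records: Iterable[CertRecord]) -> dict[tuple[str, str], list[str]]:
    """Map (ip, hostname) to the reasons a record was flagged; an empty list means none."""
    out: dict[tuple[str, str], list[str]] = {}
    for r in records:
        checks = [("known-bad certificate hash", r.sha256.upper() == PIVOT_HASH),
                  ("api/app spoofed-extension naming", looks_spoofed(r.common_name)),
                  ("short-lived certificate", short_lived(r))]
        out[(r.ip, refang(r.common_name))] = [name for name, hit in checks if hit]
    return out

# Constructed sample history: the two admin.tkv2[.]pro rows use the dates given in
# the post; the other rows, their hashes and the 203.0.113.10 host are made up.
SAMPLE = [
    CertRecord("149.248.2.160", 443, "admin.tkv2[.]pro", PIVOT_HASH, date(2024, 2, 9), date(2024, 2, 14)),
    CertRecord("149.28.124.84", 443, "admin.tkv2[.]pro", PIVOT_HASH, date(2024, 11, 5), date(2024, 12, 4)),
    CertRecord("149.248.2.160", 443, "api.cyberhaven[.]pro", "0" * 64, date(2024, 12, 24), date(2024, 12, 25)),
    CertRecord("203.0.113.10", 443, "www.example.com", "f" * 64, date(2023, 1, 1), date(2024, 12, 31)),
]
```

Running `triage(SAMPLE)` flags both admin.tkv2[.]pro rows on the hash alone and the api.cyberhaven[.]pro row on naming and lifetime, while the benign host gets an empty list.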
Broader Infrastructure Analysis
Of the 19 IPs linked to the previously discussed TLS record, 18 were hosted by Vultr on The Constant Company ASN, while Psychz Networks hosted one. Geographically, most of the infrastructure was based in the United States, with a smaller presence in Europe and one server in Singapore. All observed IPs associated with the record were configured to use HTTP port 443.
To better understand the threat actor's use of infrastructure, we selected a few servers from both the earlier stages of their activity and more recent operations.
- 45.76.225[.]148
- 45.32.69[.]11
- 140.82.45[.]42
Reviewing earlier activity reveals that the domains maintained consistent structures, mimicking known organizations and extensions as far back as January 2024, long before the Cyberhaven incident came to light. This timeline suggests the threat actor likely prepared these domains for broader use, with Cyberhaven being just one of several potential targets.
Below, we'll examine a selection of these earlier IPs to shed light on their role in the campaign.
- 80.240.21[.]36
- 140.82.50[.]201
Reviewing both recent and historical infrastructure reveals consistent domain patterns, with activity traced back to early 2024. This continuity suggests the threat actor has maintained their infrastructure over an extended period, indicating a long-running, organized operation targeting multiple entities.
Conclusion
Our findings highlight the breadth and longevity of the infrastructure tied to the Cyberhaven Chrome extension compromise. By pivoting on a TLS record, we identified 18 servers relying heavily on Vultr. The infrastructure showed consistent domain patterns targeting well-known websites and extensions dating back to early 2024, well before the Cyberhaven incident, pointing to a long-running campaign in which the observed domains and IPs were likely prepared and repurposed for multiple operations over time.
While there are similarities to techniques associated with groups like Savvy Seahorse, further analysis is required to establish concrete links. We invite the broader research and security communities to contribute to uncovering additional indicators, helping to expose and disrupt the adversaries responsible for this campaign.
Network Observables
| IP Address | Hosting Country | ASN | Domain(s) | Notes |
|---|---|---|---|---|
| 149.28.124.84 | US | The Constant Company, LLC | See report. | Described by Cyberhaven as C&C in compromise. |
| 149.248.2.160 | US | The Constant Company, LLC | See report. | Described by Cyberhaven as C&C in compromise. |
| 45.76.225[.]148 | US | The Constant Company, LLC | wakelet[.]ink, plutonile[.]com, ultrablock[.]pro, locallyext[.]ink, tinamind[.]info, pieadblock[.]pro, proxyswitchyomega[.]pro, vidnozflex[.]live, dearflip[.]pro, stagingx.plutonile[.]com | This IP and those listed below share a TLS certificate with 149.28.124[.]84. |
| 45.32.69[.]11 | US | The Constant Company, LLC | ext.bardaiforchrome[.]live, savgptforchrome[.]pro | |
| 45.77.5[.]196 | US | The Constant Company, LLC | gptdetector[.]live, searchgptchat[.]info, gpt4summary[.]ink | |
| 140.82.45[.]42 | US | The Constant Company, LLC | savegptforyou[.]live, massdevelopment.us[.]com | |
| 149.248.44[.]88 | US | The Constant Company, LLC | zhgift[.]com, youtubeadsblocker[.]live, searchcopilot[.]co | |
| 137.220.48[.]214 | US | The Constant Company, LLC | okta-onslove[.]com, www[.]remiwantnun[.]com, chatgptextent[.]pro | |
| 149.28.71[.]39 | US | The Constant Company, LLC | auth-wisp-systems[.]com | |
| 108.61.23[.]192 | US | The Constant Company, LLC | blockadsonyt[.]vip, geminiaigg[.]pro, wareinnovator.merseine[.]com | |
| 45.32.231[.]212 | US | The Constant Company, LLC | savechatgpt[.]site | |
| 144.202.123[.]86 | US | The Constant Company, LLC | searchaiassitant[.]info, check.aethir[.]us, www[.]checker.aethir[.]us | |
| 136.244.115[.]219 | FR | The Constant Company, LLC | adskiper[.]net, extensionbuysell[.]com, ytadblocker[.]com, aiforgemini[.]com, extensionpolicyprivacy[.]com, geminiforads[.]com, app.adskiper[.]net, blockforads[.]com, linewizeconnect[.]com, policyextension[.]info, checkpolicy[.]site | |
| 128.199.112[.]98 | SG | DigitalOcean, LLC | yeowauto.skygst[.]net | |
| 155.138.253[.]165 | US | The Constant Company, LLC | savegptforchrome[.]com, chatgptforsearch[.]com, bardaiforchrome[.]live, google.forbarai[.]com, search.forbarai[.]com, chatgpt.forassistant[.]com, vafera.rubrically[.]eu | |
| 149.28.117[.]236 | US | The Constant Company, LLC | internetdownloadmanager[.]pro, p50.oldrosethisrosesaidthedoctorwasgiventomefiftyfiveyearsagobysyl.shop | |
| 140.82.50[.]201 | US | The Constant Company, LLC | goodenhancerblocker[.]site | |
| 80.240.21[.]36 | DE | The Constant Company, LLC | fadblock[.]pro, wildwestgaming[.]net, bo.jackblack[.]io, dev.jackblack[.]io, demo-3.wildwestgaming[.]net | |
| 136.244.113[.]231 | FR | The Constant Company, LLC | N/A | |
| 108.181.190[.]53 | US | Psychz Networks | admin.www333[.]online, api.bonuspg77[.]online, hb333[.]online, www[.]bonuspg77[.]online, www[.]www333[.]online | |