Extensions load unknown sites into invisible Windows. What could go wrong?
Analysis Summary
# Tool/Technique: MellowTel-js and Associated Browser Extensions
## Overview
A collection of approximately 245 browser extensions (for Chrome, Firefox, and Edge) that incorporate the `MellowTel-js` JavaScript library. These extensions are designed or configured to turn the users' browsers into distributed bots for scraping websites on behalf of paying customers, notably associated with the Olostep web scraping service.
## Technical Details
- Type: Attack Tool Framework / Malicious Payload (via extension updates/design)
- Platform: Chrome, Firefox, Edge (Browser Extensions)
- Capabilities: Executes website scraping, overrides core browser security protections, establishes WebSocket connections to collect user metadata (location, bandwidth, heartbeat).
- First Seen: Publicly reported in July 2025.
## MITRE ATT&CK Mapping
Given the context of installing extensions that perform unauthorized actions on behalf of a third party, the primary focus is on Collection facilitated by compromised user systems.
- **TA0009 - Collection**
- T1005 - Data from Local System (Implied scraping of visited site data, though primarily focused on resource provision)
- **TA0011 - Command and Control**
- T1102 - Web Service (Extensions communicate with centralized AWS servers to report status and receive jobs)
## Functionality
### Core Capabilities
- **Website Scraping Proxy:** Utilizing the resources (IP address, browser context) of nearly 1 million installed extensions to fulfill web scraping requests submitted by paying customers (e.g., Olostep).
- **Monetization Mechanism:** Allows extension developers to monetize their applications by integrating the MellowTel library, which claims to share users' bandwidth.
### Advanced Features
- **Security Evasion:** The extensions are described as "overriding key security protections" of the browser during scraping operations.
- **Resource Telemetry:** Establishing a WebSocket connection to an AWS server to report on the user's status, including location, available bandwidth, and heartbeats.
- **Job Distribution:** Distributing web scraping requests from services like Olostep across the network of active extensions running the MellowTel library.
## Indicators of Compromise
- File Hashes: [Not specified in the source text]
- File Names: [Not specified in the source text - refers to approximately 245 extensions]
- Registry Keys: [Not applicable to browser extensions directly, though persistence is managed by the browser profile]
- Network Indicators: AWS servers utilized for Command & Control/Telemetry.
- Behavioral Indicators: Establishing outbound WebSocket connections shortly after activation; high volume, automated HTTP requests matching scraping profiles originating from legitimate user browser processes.
## Associated Threat Actors
- **MellowTel Inc. (Library Developer):** Created and maintains the monetization library.
- **Olostep:** A web scraping API service identified as a likely primary customer utilizing the distributed network.
- **Extension Developers:** Developers who implemented the MellowTel SDK to monetize their tools (which include utilities like volume boosters, clipboard managers, etc.).
## Detection Methods
- Signature-based detection: Difficult as the execution payload is integrated into legitimate-appearing extensions; signatures would focus on the MellowTel JS library artifacts within extension code.
- Behavioral detection: Monitoring for extensions initiating unexpected WebSocket connections to external servers, especially when reporting system resource metrics (location, bandwidth). Monitoring for unusual network activity originating from browser processes that mimics automated scraping patterns.
- YARA rules if available: [Not specified in the source text]
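The two behavioral signals above (a WebSocket opened to an external host shortly after an extension activates, and a burst of automated HTTP requests from one extension) can be checked against per-extension network telemetry. The script below is an added example written for this page, not code from the report, from MellowTel, or from any browser vendor. It assumes a hypothetical event format (`extension_activated`, `websocket_open`, `http_request` records with a timestamp, extension id and host), builds a constructed sample set containing one benign and one suspicious extension, and applies both checks with assumed thresholds that should be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Detection thresholds (assumed values for this example; tune for your fleet)
WS_WINDOW = timedelta(seconds=60)      # WebSocket opened within 60 s of activation
BURST_WINDOW = timedelta(seconds=10)   # sliding window for the request-rate check
BURST_THRESHOLD = 20                   # >= 20 requests inside the window is a burst


def build_sample_events():
    """Constructed sample telemetry in a hypothetical format; not a real browser log."""
    t0 = datetime(2025, 7, 1, 12, 0, 0)
    ev = []
    # Benign extension: activates, then talks to its own backend a few times.
    ev.append({"ts": t0, "ext": "ext_notes", "event": "extension_activated"})
    for i in range(3):
        ev.append({"ts": t0 + timedelta(seconds=30 * (i + 1)), "ext": "ext_notes",
                   "event": "http_request", "host": "api.notes.example"})
    # Suspicious extension: WebSocket to an external host 5 s after activation,
    # then a burst of requests to many unrelated sites (hosts are placeholders).
    ev.append({"ts": t0, "ext": "ext_volume_booster", "event": "extension_activated"})
    ev.append({"ts": t0 + timedelta(seconds=5), "ext": "ext_volume_booster",
               "event": "websocket_open", "host": "telemetry.example.invalid"})
    for i in range(25):
        ev.append({"ts": t0 + timedelta(seconds=10, milliseconds=300 * i),
                   "ext": "ext_volume_booster", "event": "http_request",
                   "host": f"site{i}.example"})
    return ev


def find_early_websockets(events, window=WS_WINDOW):
    """Return (ext, host, seconds_after_activation) for every WebSocket that an
    extension opens within `window` of its activation event."""
    activated = {}
    findings = []
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["event"] == "extension_activated":
            activated[e["ext"]] = e["ts"]
        elif e["event"] == "websocket_open":
            start = activated.get(e["ext"])
            if start is not None and e["ts"] - start <= window:
                delay = (e["ts"] - start).total_seconds()
                findings.append((e["ext"], e["host"], delay))
    return findings


def find_http_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (ext, peak_requests_in_window) for extensions whose request rate,
    measured over a sliding window, reaches `threshold`."""
    per_ext = defaultdict(list)
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["event"] == "http_request":
            per_ext[e["ext"]].append(e["ts"])
    findings = []
    for ext, times in per_ext.items():
        left, peak = 0, 0
        for right in range(len(times)):
            # Advance the left edge until the window spans at most `window`.
            while times[right] - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            findings.append((ext, peak))
    return findings


def run_detections(events):
    """Run both checks and return the set of extension ids flagged by each."""
    return {
        "early_websocket": sorted({f[0] for f in find_early_websockets(events)}),
        "http_burst": sorted({f[0] for f in find_http_bursts(events)}),
    }


if __name__ == "__main__":
    sample = build_sample_events()
    for ext, host, delay in find_early_websockets(sample):
        print(f"[ws] {ext} opened WebSocket to {host} {delay:.0f}s after activation")
    for ext, peak in find_http_bursts(sample):
        print(f"[burst] {ext} issued {peak} requests within {BURST_WINDOW.seconds}s")
```

Either signal alone produces false positives (many legitimate extensions keep a WebSocket to their own backend), so the two are best combined and correlated with the destination host: a WebSocket to a host unrelated to the extension's publisher, followed by requests to many unrelated sites, is the profile the report describes.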
## Mitigation Strategies
- **Prevention measures:** Users should exercise extreme caution when installing browser extensions, especially those that request broad permissions or function outside their stated purpose. Audit installed extensions regularly.
- **Hardening recommendations:** Browser security settings should be reviewed to minimize permissions granted to extensions. Avoid installing extensions from unofficial sources if possible; rely on centralized, highly vetted stores.
## Related Tools/Techniques
- **Olostep:** The identified customer/service leveraging the distributed scraping network.
- **Proxy/Botnet Operations via Legitimate Applications:** This behavior mirrors the technique of embedding hidden botnet functionality within seemingly benign software or browser extensions to monetize user resources without the users' explicit consent.