SlowMist Reports Advanced TRON Wallet Phishing Attack With Chrome Extension Impersonation And Remote Iframe Loading

2026/05/11 20:21
4 min read
Threat intelligence firm SlowMist reported that it has identified a high-risk phishing campaign aimed at TRON wallet users, involving a malicious Chrome MV3 extension designed to impersonate the TronLink Wallet brand.

According to the analysis, the attack combines deceptive branding, remotely loaded user interfaces, and data-exfiltration mechanisms in a layered structure intended to capture wallet credentials while reducing the likelihood of detection during review.

The first stage of the campaign centers on a fraudulent browser extension that mimics a legitimate TRON-related tool. SlowMist said the extension relies on Unicode bidirectional control characters and Cyrillic homoglyphs to make its name appear similar to the official TronLink label. Although the package itself presents as a low-permission extension, its behavior changes after installation. When the user opens the popup, the extension checks a remote endpoint and, if available, loads a full interface from an external iframe rather than relying on a static local page.

That remote component forms the second stage of the operation. The phishing site closely imitates the look and function of the TronLink web wallet, including the pages used to import mnemonic phrases, private keys, and keystore files. SlowMist said the interface collects sensitive information such as recovery phrases, private keys, keystore data, and passwords, then forwards it through server-side APIs to attacker-controlled infrastructure. The report indicated that the data is relayed in real time through the Telegram Bot API.

The extension also stores several local markers, including information about whether the remote service is reachable, the URL used for the iframe, and recent search records. SlowMist noted that these items can remain in local storage until the extension is removed. Because the visible popup content is pulled from a remote source, the malicious behavior can be changed without modifying the extension package itself, complicating static analysis and conventional store review procedures.
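The two traits described above, a display name built from bidi control characters and Cyrillic lookalikes, and a popup whose content is swapped for a remote frame, are both things a reviewer can screen for in an extension package before installing it. The following Python is an added example written for this article, not code from SlowMist or from the campaign; the lookalike table is a small constructed subset of Unicode confusables rather than the full list, and the sample popup HTML and the remote-ui.example domain are constructed inputs.

```python
import re
import unicodedata

# Unicode bidirectional control characters (marks, embeddings, overrides and
# isolates). A legitimate extension name has no reason to contain any of them.
BIDI_CONTROLS = frozenset(
    "\u061c\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)

# Constructed subset of Cyrillic letters that render like Latin letters.
# Illustrative only; a real screener would load the full Unicode confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def script_of(ch):
    """Script family of a letter ('LATIN', 'CYRILLIC', ...), taken from the first
    word of its Unicode character name; None for non-letters such as controls."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def skeleton(name):
    """Drop bidi controls and fold lookalike Cyrillic letters to Latin so the
    result can be compared against a known brand string."""
    return "".join(
        CYRILLIC_LOOKALIKES.get(ch, ch) for ch in name if ch not in BIDI_CONTROLS
    )


def analyze_extension_name(name, brand):
    """Report whether a displayed extension name visually imitates `brand`."""
    bidi = [f"U+{ord(ch):04X}" for ch in name if ch in BIDI_CONTROLS]
    scripts = sorted({s for s in map(script_of, name) if s})
    folded = skeleton(name)
    # Imitation = same text after folding, reached through controls or lookalikes.
    imitates = folded.casefold() == brand.casefold() and (
        bool(bidi) or len(scripts) > 1 or folded != name
    )
    return {
        "bidi_controls": bidi,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "skeleton": folded,
        "imitates_brand": imitates,
    }


# Static <iframe src=...> tags and simple JS assignments of a remote URL to .src
IFRAME_SRC = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)
JS_SRC_ASSIGN = re.compile(r"\.src\s*=\s*[\"'](https?://[^\"']+)[\"']")


def find_remote_frames(source):
    """Return remote http(s) or protocol-relative URLs that a popup page loads
    into a frame. Heuristic: obfuscated or computed URLs will not be caught."""
    urls = []
    for url in IFRAME_SRC.findall(source) + JS_SRC_ASSIGN.findall(source):
        if url.startswith(("http://", "https://", "//")):
            urls.append(url)
    return urls


# Constructed popup page: a local frame that is replaced by a remote one once
# a remote endpoint answers, the pattern the report attributes to the extension.
SAMPLE_POPUP = """
<html><body>
<iframe id="ui" src="popup_local.html"></iframe>
<script>
  fetch("https://remote-ui.example/ping").then(() => {
    document.getElementById("ui").src = "https://remote-ui.example/wallet";
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    print(analyze_extension_name("Tr\u043enLink", "TronLink"))   # Cyrillic 'о'
    print(analyze_extension_name("TronLink\u202e", "TronLink"))  # trailing RLO
    print(find_remote_frames(SAMPLE_POPUP))
```

Run the checks against the `name` field of the unpacked extension's manifest.json and against its popup HTML and bundled scripts; a name that folds to a known wallet brand only after stripping controls or lookalikes, or a popup that frames a remote origin, is reason to keep the extension off a machine that holds wallet keys.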

Inside TRON Phishing Campaign: Anti-Analysis Techniques, Geo-Targeting, And Multi-Layer Attack Architecture

According to the report, the phishing page includes additional safeguards meant to hinder investigation. These measures include blocking right-click actions, disabling text selection, intercepting developer tools shortcuts, suppressing console output, preventing dragging, and blocking print commands. The page also tracks visitor behavior and checks whether a session should be blocked, redirecting suspicious traffic to a blank page. SlowMist said these controls are intended to frustrate sandbox testing and automated inspection.

The analysis further described geographic filtering logic, with users detected from Russian-language settings or Russian time zones being redirected to a separate domain. SlowMist interpreted this behavior as either region-specific phishing handling or an attempt to avoid attention from local investigators. The main infrastructure was identified as a remote domain hosted on Vercel, while other legitimate TRON ecosystem services embedded in the code were described as part of fallback or query functionality rather than malicious activity.

SlowMist characterized the operation as a two-layer attack model in which a deceptive browser extension acts as the initial contact point while a remotely controlled web page carries out the actual credential theft. The company said this design illustrates how malicious actors can separate visible shell components from hidden backend behavior, making the campaign harder to identify through routine static checks alone. 

The warning was issued as a reminder for users and security teams to treat unauthorized extensions with caution, review installed browser add-ons, and monitor for unusual traffic tied to wallet-import workflows and related phishing infrastructure.

The post SlowMist Reports Advanced TRON Wallet Phishing Attack With Chrome Extension Impersonation And Remote Iframe Loading appeared first on Metaverse Post.
