COMING SOON
Beginner

The Backdoored Browser Extension: Following the C2 Beacon

A routine Chrome auto-update silently trojanized a productivity extension on a finance workstation at Halverson Logistics. The extension beaconed to an attacker C2 domain, harvested the analyst's session cookies and an API token, and exfiltrated them to a VULTR-hosted server. With no malware on disk, the proxy and firewall logs are the only trail. Walk them step by step to trace the beacon, the theft, and the exfiltration.

25m
6 tasks
25 points
Free

Launches in 5 days

Jul 7, 2026

Tuesday, July 7, 2026 at 9:00 AM

Training Tools

SIEM, Firewall

What you'll investigate

6 objectives unlock when this operation goes live.

1. Brief: an extension that updated itself into a thief
2. Find the domain the extension phoned home to
3. Trace where the stolen cookies were sent
4. Identify the malicious background script
5. Find the browser storage key the config was hidden in
6. Map the cookie theft to MITRE ATT&CK
