A sophisticated malware campaign leveraging the Satacom downloader, also known as LegionLoader, has been discovered actively stealing Bitcoin from unsuspecting cryptocurrency users through malicious Chromium-based browser extensions. The campaign, detailed in a Kaspersky advisory published in early June 2023, highlights a growing trend of threat actors targeting the intersection of web browsers and digital asset management.
The Exploit Mechanics
The attack begins with malvertising — deceptive download buttons injected into legitimate websites through the abuse of the WordPress QUADS advertising plugin. Users who click these buttons are redirected through a chain of servers to fake file-sharing portals hosting malicious ZIP archives. These archives, approximately 7MB in size, contain legitimate DLL files alongside a malicious Setup.exe executable inflated to 450MB with null bytes to evade antivirus analysis.
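The null-byte inflation described above is cheap to detect on ingest: counting zero bytes costs nothing compared to a full scan, and an installer that is hundreds of megabytes but almost entirely zeros has a shape that real software never has. The Python script below is an added example written for this article, not code from Kaspersky or from the campaign; the size and ratio thresholds are assumptions chosen for the example, and the sample file it builds is constructed in memory.

```python
"""Flag executables inflated with null-byte padding.

Added example for this article; thresholds below are assumptions, not values
from the Kaspersky report.
"""
import io
import os
import sys
from pathlib import Path

CHUNK_SIZE = 1 << 20          # read 1 MiB at a time; never load the whole file
MIN_SUSPECT_SIZE = 50 << 20   # assumption: only files above 50 MiB are interesting
NULL_RATIO_THRESHOLD = 0.90   # assumption: 90%+ null bytes is padding, not data


def null_byte_stats(stream, chunk_size=CHUNK_SIZE):
    """Return (total_bytes, null_bytes) for a binary stream, counted in chunks."""
    total = nulls = 0
    while True:
        buf = stream.read(chunk_size)
        if not buf:
            break
        total += len(buf)
        nulls += buf.count(0)   # bytes.count(0) counts 0x00 bytes
    return total, nulls


def is_null_padded(stream, min_size=MIN_SUSPECT_SIZE, null_ratio=NULL_RATIO_THRESHOLD):
    """Return (flagged, ratio). flagged is True when the stream is both large and
    overwhelmingly null bytes, the shape of the 450MB Setup.exe the article describes."""
    total, nulls = null_byte_stats(stream)
    if total == 0:
        return False, 0.0
    ratio = nulls / total
    return (total >= min_size and ratio >= null_ratio), ratio


def make_sample(real_len, pad_len):
    """Constructed sample: a fake 'MZ' header, random content, then null padding."""
    return io.BytesIO(b"MZ" + os.urandom(real_len) + b"\x00" * pad_len)


def scan_directory(root, **thresholds):
    """Walk a directory and return [(path, ratio)] for every file that looks padded."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            flagged, ratio = is_null_padded(fh, **thresholds)
        if flagged:
            hits.append((str(path), ratio))
    return hits


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, ratio in scan_directory(target):
        print(f"{ratio:6.1%} null bytes  {path}")
```

Because the check only counts bytes, it stays cheap on files that a scanner would otherwise skip for size; running it on everything above the scanner's size cap closes exactly the gap this padding relies on. Null padding also keeps file entropy low, so an entropy-only heuristic will not catch it, which is why the ratio test is separate.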
Once executed, the installer employs a process hollowing technique, injecting its payload into a sub-process of Windows Explorer. This allows the malware to operate stealthily within a trusted system process, significantly complicating detection by traditional security software. The payload uses RC4 encryption to protect its configuration data and communication strings.
The end goal is the installation of a malicious Chromium browser extension that communicates with a command-and-control server. Critically, the C2 server address is stored within Bitcoin transaction data on the blockchain — an ingenious technique that makes the infrastructure nearly impossible to take down through conventional means.
Affected Systems
The campaign targets users of Chromium-based browsers — which includes Google Chrome, Microsoft Edge, Brave, and numerous other popular browsers that collectively command over 65% of the desktop market. The malicious extension deploys various JavaScript scripts that perform web injections on targeted cryptocurrency exchange and wallet websites, manipulating transaction details in real time to redirect funds to attacker-controlled addresses.
Perhaps most alarmingly, the extension also manipulates the appearance of major email services including Gmail, Hotmail, and Yahoo Mail. This allows the malware to hide withdrawal notification emails from the victim, delaying discovery of the theft by hours or even days.
According to Kaspersky telemetry from Q1 2023, the countries most affected include Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico — regions with rapidly growing cryptocurrency adoption where Bitcoin traded around $27,200 at the time of the report.
The Mitigation Strategy
Addressing this threat requires a multi-layered defense approach. First, users should exclusively download software from official sources and verified publishers. The Satacom campaign specifically preys on users seeking cracked or free software, creating a dangerous intersection between software piracy and cryptocurrency theft.
Second, browser extensions should be regularly audited. Users should navigate to their browser extension settings and remove any unfamiliar or unnecessary extensions. Legitimate cryptocurrency wallet extensions like MetaMask should only be installed from official browser stores with verified publisher credentials.
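The manual extension review above can be turned into a repeatable check. The Python script below is an added example for this article (it is not Kaspersky's tooling and not part of any browser); it walks the default Windows profile directories of Chrome, Edge and Brave, parses each extension's manifest.json, and ranks extensions by how much access they hold. The profile paths are the browsers' default locations, the list of "sensitive" site keywords is an assumption modelled on the mail and crypto services the article names, and the manifests used in the self-check are constructed.

```python
"""Audit installed Chromium-family extensions for risky permissions.

Added example for this article (not Kaspersky's tooling). Profile paths are
the default Windows locations; sensitive-site keywords are assumptions.
"""
import json
import os
from pathlib import Path

LOCAL = Path(os.environ.get("LOCALAPPDATA", ""))
EXTENSION_ROOTS = [  # default profile only; other profiles live beside "Default"
    LOCAL / "Google" / "Chrome" / "User Data" / "Default" / "Extensions",
    LOCAL / "Microsoft" / "Edge" / "User Data" / "Default" / "Extensions",
    LOCAL / "BraveSoftware" / "Brave-Browser" / "User Data" / "Default" / "Extensions",
]

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
HIGH_RISK_PERMISSIONS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                         "scripting", "cookies", "tabs", "nativeMessaging", "debugger"}
# assumption: substrings of the mail and crypto sites the article says were injected
SENSITIVE_KEYWORDS = ("gmail", "mail.google", "hotmail", "outlook", "yahoo",
                      "wallet", "exchange", "binance", "coinbase")


def assess_manifest(manifest):
    """Return {'risk': 'low'|'medium'|'high', 'reasons': [...]} for one manifest.json."""
    reasons = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions"
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    broad = hosts & BROAD_HOSTS
    if broad:
        reasons.append("broad host access: " + ", ".join(sorted(broad)))
    risky = perms & HIGH_RISK_PERMISSIONS
    if risky:
        reasons.append("high-risk APIs: " + ", ".join(sorted(risky)))
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                reasons.append(f"content script runs on every page ({pattern})")
            elif any(k in pattern.lower() for k in SENSITIVE_KEYWORDS):
                reasons.append(f"content script targets a sensitive site ({pattern})")
    risk = "high" if len(reasons) >= 2 else "medium" if reasons else "low"
    return {"risk": risk, "reasons": reasons}


def scan_extension_roots(roots=EXTENSION_ROOTS):
    """Return [(extension_id, version, name, assessment)] for every installed extension."""
    findings = []
    for root in roots:
        if not root.is_dir():
            continue
        for manifest_path in root.glob("*/*/manifest.json"):   # <id>/<version>/manifest.json
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue
            ext_id, version = manifest_path.parts[-3], manifest_path.parts[-2]
            # names like "__MSG_appName__" are locale placeholders; the id is the stable key
            findings.append((ext_id, version, manifest.get("name", "?"), assess_manifest(manifest)))
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for ext_id, version, name, result in sorted(scan_extension_roots(),
                                                key=lambda f: order[f[3]["risk"]]):
        print(f"[{result['risk']:6}] {ext_id} {version} {name}")
        for reason in result["reasons"]:
            print(f"         - {reason}")
```

The script only reads manifests and removes nothing; the point is to surface extensions whose access does not match their stated purpose (a "coupon finder" with content scripts on mail.google.com, for instance) so a person can decide. Unpacked developer-mode extensions live wherever they were loaded from rather than under these roots, so they will not appear here and need to be checked in the browser's extension page directly.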
Third, dedicated security software with behavioral detection capabilities is essential. Traditional signature-based antivirus solutions may miss process hollowing attacks, making heuristic and behavior-monitoring tools critical for identifying suspicious process manipulation in real time.
Lessons Learned
The Satacom campaign demonstrates the increasing sophistication of cryptocurrency-targeted malware. By storing C2 infrastructure data on the Bitcoin blockchain itself, the attackers have created a resilient communication channel that resists traditional takedown efforts. The abuse of legitimate advertising plugins to distribute malware through otherwise trustworthy websites shows that even cautious users can be caught off guard.
The targeting of email services to hide fraudulent transactions represents an evolution in social engineering tactics, combining technical exploitation with information suppression. This dual approach — stealing funds while hiding the evidence — maximizes the window of opportunity for attackers.
User Action Required
Cryptocurrency holders should immediately review their browser extensions, ensure their antivirus software is current with behavioral detection enabled, and consider using hardware wallets for storing significant amounts of Bitcoin. At current prices near $27,200 per BTC, even a single successful theft represents substantial financial loss. Users who have recently downloaded software from third-party sources should perform a full system scan and check their cryptocurrency transaction histories for any unauthorized transfers.
Disclaimer: This article is for informational purposes only and does not constitute financial or security advice. Always conduct your own research and consult with qualified security professionals.

450MB of null bytes to evade AV… and people still run random exe files from the internet in 2023. wild
process hollowing into explorer.exe is nasty. this is exactly why i keep my wallet on a dedicated airgapped machine
airgapped machine is the only real answer. every browser extension you install is a potential attack surface
Pavel S. airgapped is the move. hardware wallet on a clean machine, never mix browsing and signing. learned this the hard way
the null byte padding is clever ngl. AV scanners skip large files to save resources, 450MB is basically invisible
malware_squirrel AV skipping large files is a known weakness but 450MB of nulls is bold. most attackers use 10-20MB padding, this went extreme
450MB of nulls is genuinely clever from a red team perspective. AV engines skip files above a certain size to avoid performance hits, so attackers just pad the binary
the QUADS plugin abuse is the scariest part here. legitimate sites serving malicious downloads because a WP plugin got compromised
the QUADS wordpress plugin vector is terrifying. how many sites run that plugin and have no idea they are serving malware
browser extensions scanning for wallet addresses in the DOM is such a simple attack. Chromium's extension model gives way too much access to page content by default