
Silent Swap clipper deploys via unsigned .NET/Golang installers, rewrites Chromium Secure Preferences to inject address-swapping extension
Silent Swap demonstrates layered persistence via direct browser configuration tampering and blockchain-based C2 updates, extending prior CountLoader activity into retail crypto theft. The approach exploits the irreversibility of blockchain transactions and weak local settings protections rather than novel zero-days. Expect continued iteration on EtherHiding and Preference patching across additional Chromium forks.
Procurement and incident patterns indicate this is low-cost, high-resilience tooling likely to proliferate to other verticals once templates leak. Next indicators will appear in public sinkhole telemetry or blockchain clustering of the fallback wallets within 60-90 days.
McAfee: At least three additional fallback wallets will appear on-chain with >$50k in inflows within 90 days of first public report.
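A defender-side audit for the Secure Preferences tampering described above, added here as an example and not taken from the McAfee report or any vendor tooling: it lists extension entries in a Chromium profile's Secure Preferences that were loaded unpacked, from the command line, or from a path outside the profile. The heuristics, the constructed sample data and the function name `audit_secure_preferences` are assumptions of this example; the page gives no indicators for the injected extension.

```python
import json
from pathlib import PureWindowsPath

# Values of Chromium's ManifestLocation enum as stored in "location".
LOCATIONS = {1: "internal", 2: "external_pref", 3: "external_registry",
             4: "unpacked", 5: "component", 6: "external_pref_download",
             7: "external_policy_download", 8: "command_line",
             9: "external_policy", 10: "external_component"}
# Assumption: browser-bundled and policy-managed entries are out of scope.
TRUSTED = {"component", "external_component", "external_policy",
           "external_policy_download"}

def audit_secure_preferences(text, profile_dir):
    """Return [(extension_id, [reasons])] for entries worth a manual look."""
    settings = json.loads(text).get("extensions", {}).get("settings", {})
    ext_root = PureWindowsPath(profile_dir) / "Extensions"
    findings = []
    for ext_id, entry in sorted(settings.items()):
        if not isinstance(entry, dict):
            continue
        loc = LOCATIONS.get(entry.get("location"), "unknown")
        if loc in TRUSTED:
            continue
        reasons = []
        if loc in ("unpacked", "command_line"):
            reasons.append("loaded as " + loc)
        if loc == "internal" and not entry.get("from_webstore", False):
            reasons.append("internal but not from web store")
        # Store-installed extensions use a path relative to <profile>/Extensions.
        path = PureWindowsPath(entry.get("path", ""))
        if path.is_absolute() and ext_root not in path.parents:
            reasons.append("code path outside profile: " + str(path))
        if reasons:
            findings.append((ext_id, reasons))
    return findings

# Constructed sample: IDs, paths and profile location are made up.
PROFILE = "C:\\Users\\demo\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
SAMPLE = json.dumps({"extensions": {"settings": {
    "a" * 32: {"location": 1, "from_webstore": True, "path": "a" * 32 + "\\1.2_0"},
    "b" * 32: {"location": 4, "from_webstore": False,
               "path": "C:\\Users\\demo\\AppData\\Roaming\\Updater\\ext"},
    "c" * 32: {"location": 5, "path": "C:\\Program Files\\Browser\\resources\\pdf"},
}}})

if __name__ == "__main__":
    for ext_id, reasons in audit_secure_preferences(SAMPLE, PROFILE):
        print(ext_id, "; ".join(reasons))
```

A flagged entry is a lead for review, not a verdict: developers legitimately load unpacked extensions, so compare findings against what the user is expected to have installed.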
Sources (3)
- [1] McAfee Labs Technical Report (https://www.mcafee.com/blogs/other-blogs/mcafee-labs/silent-swap-crypto-clipper/)
- [2] The Hacker News Coverage (https://thehackernews.com/2026/06/silent-swap-crypto-clipper-uses-fake.html)
- [3] CountLoader Overlap Analysis (https://www.bleepingcomputer.com/news/security/countloader-campaign-delivers-crypto-clippers/)