Technical Analysis & Remediation
MITRE ATT&CK Mapping
T1189 (Drive-by Compromise - modified to Web Store Delivery)
T1566.002 (Phishing: Spearphishing Link)
T1036 (Masquerading: Homoglyph usage in naming "lmΤoken")
T1556.004 (Modify Authentication Process: Credential Harvesting)
CVE Profile
N/A [No CVE / Phishing Vector]
[CISA KEV Status: Inactive]
Telemetry
Extension ID: bbhaganppipihlhjgaaeeeefbaoihcgi
Network (Config Fetch): hxxps://jsonkeeper[.]com/b/KUWNE
Network (Phishing Landing): hxxps://chroomewedbstorre-detail-extension[.]com
Publisher Identifier: liomassi19855@gmail[.]com
Constraint: The extension's JavaScript source is not included in the source telemetry. Its observed behaviour suggests a simple background script that calls the chrome.tabs.create API when the installation event fires.
Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)
GOVERN (GV) – Crisis Management & Oversight
Command: Establish or enforce policy restricting unauthorized browser extensions across corporate environments.
DETECT (DE) – Monitoring & Analysis
Command: Query EDR and DNS logs for connections to jsonkeeper[.]com/b/KUWNE and chroomewedbstorre-detail-extension[.]com.
Command: Audit installed Chrome extensions across the fleet via Google Workspace/MDM for the presence of ID bbhaganppipihlhjgaaeeeefbaoihcgi.
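Added example, not code from the advisory or from Socket.dev: a small audit helper that implements the two detection commands above, walking a Chrome User Data directory for the listed extension ID and for mixed-script (homoglyph) extension names, and matching resolver log lines against the two indicator domains. The resolver log format, the sample profile tree and the sample log lines are constructed assumptions.

```python
import json, re, tempfile, unicodedata
from pathlib import Path

# Indicators as published in the advisory above (defanging brackets removed).
MALICIOUS_EXT_ID = "bbhaganppipihlhjgaaeeeefbaoihcgi"
IOC_DOMAINS = ("jsonkeeper.com", "chroomewedbstorre-detail-extension.com")
QUERY = re.compile(r"\bquery:\s+(\S+)")  # assumed resolver log format: "... query: <host> IN A"

def installed_extensions(user_data_dir):
    """Yield (profile, ext_id, name) from <User Data>/<Profile>/Extensions/<id>/<version>/manifest.json."""
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        try:
            name = json.loads(manifest.read_text(encoding="utf-8")).get("name", "")
        except (OSError, ValueError):
            name = ""  # unreadable manifest: still report the ID
        yield manifest.parents[3].name, manifest.parents[1].name, name

def mixed_script(name):
    """True when letters of two scripts appear (Greek Tau inside Latin 'lmΤoken').
    Genuinely multilingual names also match, so treat this as a lead, not a verdict."""
    return len({unicodedata.name(c, "?").split()[0] for c in name if c.isalpha()}) > 1

def audit_profiles(user_data_dir):
    """Return (profile, ext_id, reason) for the known-bad ID and for homoglyph-style names."""
    findings = []
    for profile, ext_id, name in installed_extensions(user_data_dir):
        if ext_id == MALICIOUS_EXT_ID:
            findings.append((profile, ext_id, "known malicious extension ID"))
        elif mixed_script(name):
            findings.append((profile, ext_id, "mixed-script name: " + name))
    return findings

def dns_ioc_hits(lines):
    """Return (line_no, ioc) where the queried name is an IOC domain or one of its subdomains."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = QUERY.search(line)
        qname = m.group(1).rstrip(".").lower() if m else ""
        hits += [(n, d) for d in IOC_DOMAINS if qname == d or qname.endswith("." + d)]
    return hits

def build_sample_user_data():
    """Constructed Chrome profile tree: one benign extension plus the advisory's malicious one."""
    root = Path(tempfile.mkdtemp())
    for ext_id, name in (("a" * 32, "Benign Notes"), (MALICIOUS_EXT_ID, "lm\u03a4oken Chromophore")):
        d = root / "Default" / "Extensions" / ext_id / "1.0_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 3}), encoding="utf-8")
    return root

SAMPLE_DNS_LOG = [  # constructed resolver lines, not from the advisory
    "10:01:02 client 10.0.0.5 query: www.example.com IN A",
    "10:01:07 client 10.0.0.5 query: jsonkeeper.com IN A",
    "10:01:09 client 10.0.0.5 query: chroomewedbstorre-detail-extension.com. IN A"]
```

Point audit_profiles at a real User Data directory (for example %LOCALAPPDATA%\Google\Chrome\User Data on Windows) to run it against a live profile.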
RESPOND (RS) – Mitigation & Containment
Command: Force-remove the extension via Chrome Enterprise management policies.
Command: Block the identified C2 and phishing domains at the Secure Web Gateway (SWG) and DNS sinkhole levels.
RECOVER (RC) – Restoration & Trust
Command: If enterprise crypto-assets were exposed, execute immediate fund transfer to secure, cold-storage wallets.
IDENTIFY & PROTECT (ID/PR) – The Feedback Loop
Command: Transition corporate browsers to an "Extension Allowlist" model (block-by-default) to prevent user-driven installation of unvetted Web Store artifacts.
Remediation - THE HOME USER TRACK (Safety Focus)
Priority 1: Safety
Command: Do not enter your seed phrase or private keys into this extension or the webpage it opens. The official imToken service does not have a Chrome extension.
Command: Remove the extension immediately. Navigate to chrome://extensions in your browser, locate "lmΤoken Chromophore", and click "Remove."
Priority 2: Identity
Command: If you have already provided your 12/24-word seed phrase, your wallet is entirely compromised. Immediately transfer all remaining funds to a newly generated wallet using a known clean device (e.g., the official mobile app on a smartphone).
Priority 3: Persistence
Command: Review all installed browser extensions for unrecognized tools. Based on current telemetry, this specific threat does not exhibit OS-level persistence mechanisms.
Hardening & References
Baseline: CIS Google Chrome Benchmark v3.0 (enable ExtensionInstallBlocklist with value *).
Framework: NIST CSF 2.0 / SP 800-61r3.
Vendor Advisory: imToken operates only as a mobile application. Confirming which platforms the vendor actually ships, directly through the vendor's primary domain, mitigates homoglyph-based supply chain attacks.
Source: Socket.dev Blog