The Riskiest APTs For Browsers

by Talon Research
May 26th, 2022

You already know that advanced persistent threats (APTs) target specific sectors. But do they target particular software products? Are there APTs whose expertise is in exploiting browsers? 

To detect such APTs, you should first know the techniques that use the browser as an attack vector. Here are a few included in the MITRE ATT&CK framework: 

  • Browser bookmark discovery 
  • Credentials from web browsers 
  • Browser session hijacking (man in the browser) 
  • Browser extensions 

Herein we briefly explain each technique and flesh out which is the more commonly used by APTs.  

Browser bookmark discovery 

Adversaries can enumerate browser bookmarks to learn more about compromised hosts. They can reveal users’ personal information (e.g., banking sites, individual interests, social media) and details about internal network resources such as servers, tools/dashboards, or related infrastructure. APTs spotted by MITRE using this technique include: 

  • APT38 (North Korean) 
  • Calisto (Russian) 
  • Scarlet Mimic (Chinese) 

Credentials from web browser

Adversaries can acquire credentials by reading files specific to the targeted browser. Browsers commonly save credentials such as usernames and passwords so users don’t need to repeatedly reenter them. Credentials are typically stored in encrypted formats, but methods exist to extract plaintext credentials. Here you can find groups such as: 

  • APT3 (China-based threat group) 
  • APT29 (attributed to Russia’s Foreign Intelligence Service) 
  • APT33 (suspected Iranian threat group) 
  • APT37 (North Korean group) 

Browser session hijacking (man-in-the-browser) 

Adversaries might take advantage of security vulnerabilities and inherent browser functionality to change content, modify user behavior, and intercept information as part of a session hijacking technique. Examples include: 

  • Wizard Spider (Russia-based) using TrickBot 
  • APT39 (Iranian Ministry of Intelligence) 
  • APT41 (Chinese state-sponsored espionage group) 

Browser extensions

Extensions (or plugins) are small programs that add browser functionality or customize various aspects. Installed directly or via a browser’s app store, they generally have access and permissions to everything the browser can access. Bad actors are able to abuse them to establish persistent access to victimized systems. Examples include: 

  • Kimsuky (North Korean APT) 
  • BlueNoroff (North Korean APT) 

The riskiest APTs for Browsers 

FireEye reports that North Korean group definitions have significant overlap, thus some security researchers lump all state-sponsored North Korean cyber activity under the Lazarus Group name. It has been active since at least 2009. 

In 2022 alone, Lazarus was tracked as having exploited two of three zero days in Google Chrome. 

  • For more than a month before a fix was available, it exploited its first zero-day—a remote code execution vulnerability (CVE-2022-0609).  
  • CVE-2022-1096 was the second Chrome zero day it exploited.  
  • Threat actors actively used the third Chrome zero day vulnerability (CVE-2022-1364), though it remains unknown if it’s also attributable to Lazarus. 

In a 2021 incident, South Korean cybersecurity firm ENKI reported that Lazarus targeted its security researchers using Internet Explorer vulnerabilities, one being a zero day. 

In Dream Job—one of its most famous operations—Lazarus used ChromePass, a NirSoft tool that enables credential extraction from Chrome. 

APT37 is a North Korean subgroup active since at least 2012, targeting primarily South Korean victims. Some of its operations take advantage of web browsers, including ZUMKONG credential stealing malware. After harvesting usernames and passwords stored in Internet Explorer and Chrome browsers, they’re emailed to the attacker via HTTP POST requests to mail[.]zmail[.]ru. 

APT3 (aka UPS Team) is another worth mentioning, it being Chinese. Mandiant states that APT3 is one of the more sophisticated threat groups, which uses browser-based (e.g., Internet Explorer, Firefox) exploits as zero-days. 


Talon Cyber Security research found that many APTs are leveraging browsers to conduct their cyberattacks. Out of the studied groups, the most prominent are North Korean ones, alongside some Chinese and Iranian groups.  

Remember that browser exploitation is only one part of an attack, and sometimes only the first step. Afterward, an attacker might quickly dump credentials, move laterally to additional hosts, or install custom backdoors. 


The web browser is the most vulnerable application being used daily. Hence, it’s critical to keep it safe from APTs who are experts in exploiting zero days or known CVE. In addition, browsers are targeted in different phases of the attack chain, allowing attackers to elevate privileges and collect more information on targets. 

The Talon Enterprise Browser protects enterprises from all the aforementioned attack techniques, whether they’re executed by known APTs or performed by insiders, while delivering the same browsing experience as other Chromium-based browsers, such as Chrome and Edge. 

Meet Talon at Gartner Security and Risk Management Summit 2023 in London