RedExt
RedExt is an open-source browser extension command-and-control (C2) framework. In the provided reporting, it is associated with Russian-speaking threat actors behind the GlassWorm software supply chain campaign targeting the Visual Studio Code ecosystem. Researchers assessed that these actors used RedExt as part of their infrastructure and specifically described them as leveraging the RedExt open-source browser extension C2 framework. The broader campaign involved malicious VS Code extensions used to steal credentials and cryptocurrency, compromise additional extensions using stolen credentials, and maintain resilient operations via blockchain-based infrastructure; however, those capabilities are attributed in the content to GlassWorm and the associated intrusion set, not directly to RedExt itself. No standalone infection vector, targeted industries, or specific indicators of compromise unique to RedExt are provided in the content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
RedExt is an open-source browser extension command-and-control (C2) framework used by threat actors to manage infected machines and coordinate malicious activity.
RedExt is an open-source command-and-control browser extension framework used by threat actors to control compromised systems, as seen in the GlassWorm malware campaign.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.