
Stanley

Stanley is a malware-as-a-service (MaaS) / crimeware toolkit sold on Russian-language cybercrime forums (seller alias reported as “Стэнли”) for approximately $2,000–$6,000. It is used to generate malicious Google Chrome browser extensions and is described as a turnkey website-spoofing/credential-theft operation delivered via an apparently benign extension.

Delivery/masquerade: Stanley is packaged as a note-taking and bookmarking Chrome extension called “Notely,” which provides some legitimate functionality to encourage installation and broad permission grants. A premium tier is advertised as offering “guaranteed” Chrome Web Store publication / passing review checks.

Core capabilities and behavior:

  • Navigation interception/hijacking when victims visit targeted real websites or SaaS applications (examples mentioned include banking/cryptocurrency sites; coinbase.com is cited).
  • Full-screen phishing via HTML iframe overlay rendered on top of legitimate sites while the browser address bar continues to display the legitimate domain, undermining URL-verification defenses.
  • Credential capture from the spoofed overlay and exfiltration to a remote server.
  • Command-and-control (C2) panel for operators to manage victims, configure spoofed redirects, and send fake browser notifications.
  • Use of legitimate Chrome notifications to lure clicks.
  • Victim tracking using IP address as an identifier.
  • Frequent beaconing/C2 polling (reported as every ~10 seconds) and use of fallback addresses/infrastructure for resilience.
  • Techniques noted in reporting include iframe overlay, header stripping, and C2 polling; the implementation is described as functional but with “rough edges” rather than technically novel.
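The capability list above maps to a recognisable permission footprint in an extension's manifest: broad host access, script injection into every origin, request/header-modification APIs (what "header stripping" needs to get around CSP and X-Frame-Options), notifications for lures, and tab access for navigation tracking. The following is an added example of an inventory audit for that footprint; it is not Mallory's or Varonis's tooling, and both manifests in it are constructed for illustration rather than real Notely samples.

```python
"""Audit Chrome extension manifests for the permission footprint that overlay
phishing needs: broad host access plus script injection, request/header
manipulation, notifications and tab tracking.  Added example; the manifests
below are constructed for illustration and are not real Notely samples."""
import json

# APIs that can rewrite requests/responses, including stripping response headers.
HEADER_APIS = {
    "webRequest", "webRequestBlocking",
    "declarativeNetRequest", "declarativeNetRequestWithHostAccess",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _host_patterns(manifest):
    """Collect host patterns from MV3 host_permissions and MV2-style permissions."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    return hosts


def audit_manifest(manifest):
    """Return the overlay-phishing capabilities a manifest grants and a verdict."""
    perms = set(manifest.get("permissions", []))
    broad_hosts = bool(_host_patterns(manifest) & BROAD_HOST_PATTERNS)
    broad_scripts = any(
        set(cs.get("matches", [])) & BROAD_HOST_PATTERNS
        for cs in manifest.get("content_scripts", [])
    )
    caps = []
    # A content script on every origin, or the scripting API plus all-URL host
    # access, is enough to place a full-screen iframe over a legitimate site.
    if broad_scripts or (broad_hosts and "scripting" in perms):
        caps.append("overlay-injection")
    # Request-modification APIs with broad host access can remove response
    # headers such as CSP and X-Frame-Options that would block the overlay.
    if broad_hosts and perms & HEADER_APIS:
        caps.append("header-tampering")
    if "notifications" in perms:
        caps.append("notification-lure")
    if perms & {"tabs", "webNavigation"}:
        caps.append("navigation-tracking")
    verdict = "review" if len(caps) >= 2 else "ok"
    return {"name": manifest.get("name", "<unnamed>"),
            "capabilities": caps, "verdict": verdict}


# Constructed manifests: a plain note-taking extension and one with the
# footprint described in reporting.  Neither is the real Notely manifest.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Plain Notes",
    "permissions": ["storage", "bookmarks"],
})
SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Notely-like (constructed)",
    "permissions": ["storage", "bookmarks", "scripting", "tabs",
                    "notifications", "declarativeNetRequestWithHostAccess"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"],
                         "all_frames": True}],
})


def audit_all(manifest_jsons):
    """Audit a list of manifest.json strings, e.g. one per installed extension."""
    return [audit_manifest(json.loads(m)) for m in manifest_jsons]


if __name__ == "__main__":
    for result in audit_all([BENIGN_MANIFEST, SUSPICIOUS_MANIFEST]):
        print(result)
```

In practice the input is every `manifest.json` under the Chrome profile's `Extensions` directory (or the extension list exported by enterprise browser management); a "review" verdict is a triage lead, since password managers and ad blockers legitimately hold a similar footprint, so the name, publisher and installation source still have to be checked by hand.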

Attribution/associations: Reported by Varonis (researcher Daniel Kelley) as being sold on Russian cybercrime forums; no specific nation-state attribution is stated.

Timeline notes: Varonis reported Stanley to Google on January 21, 2026; reporting states the main server was taken offline shortly after, though the malicious extension reportedly remained active longer. Another report notes the service appeared to have vanished by January 27, 2025, likely due to public disclosure.

Indicators of compromise: No specific Stanley/Notely extension ID, hashes, or C2 domains are provided in the content.
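With no extension ID, hashes or C2 domains published, the most usable hunting hook on this page is behavioural: the extension's ~10 second polling interval. The script below is an added example (not Mallory's or Varonis's code) that looks for low-jitter, short-interval request series per source/destination pair in proxy logs; the log lines and the `c2-placeholder.invalid` hostname are constructed, and the thresholds are assumptions to tune against your own telemetry.

```python
"""Flag fixed-interval polling in proxy logs.  Added example; the log lines and
the C2 hostname are constructed placeholders, not indicators from reporting."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed proxy records: one host polls a placeholder C2 every ~10 s, the
# same host browses a document site irregularly, and a second host contacts
# the C2 only twice (too few events to judge).
SAMPLE_LOG = """\
2026-01-27T10:00:00Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:00:00Z src=10.0.0.5 dst=docs.example.com uri=/index
2026-01-27T10:00:03Z src=10.0.0.5 dst=docs.example.com uri=/style.css
2026-01-27T10:00:05Z src=10.0.0.9 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:00:10Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:00:15Z src=10.0.0.9 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:00:21Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:00:30Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:00:40Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:00:47Z src=10.0.0.5 dst=docs.example.com uri=/page2
2026-01-27T10:00:48Z src=10.0.0.5 dst=docs.example.com uri=/img.png
2026-01-27T10:00:51Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:01:00Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:01:10Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:01:20Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
2026-01-27T10:01:30Z src=10.0.0.5 dst=docs.example.com uri=/page3
2026-01-27T10:01:31Z src=10.0.0.5 dst=c2-placeholder.invalid uri=/poll
"""


def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' into (timestamp, src, dst)."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["src"], fields["dst"]


def find_beacons(log_text, min_events=5, max_interval=60.0, max_jitter_ratio=0.25):
    """Return (src, dst) pairs whose request gaps are short and nearly constant.

    jitter_ratio is the population standard deviation of the gaps divided by
    their mean; human browsing is bursty (ratio near or above 1), a timer loop
    is not.  Thresholds are assumptions to be tuned per environment.
    """
    series = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = parse_line(line)
            series[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        # All-identical timestamps would give a zero mean; treat as unscorable.
        jitter = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        median_gap = statistics.median(gaps)
        if median_gap <= max_interval and jitter <= max_jitter_ratio:
            findings.append({
                "src": src, "dst": dst, "events": len(stamps),
                "median_interval_s": median_gap, "jitter_ratio": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

A hit here is a lead, not a verdict: chat clients, SaaS long-polling and monitoring agents also poll on fixed timers, so corroborate a flagged pair with the source host's browser extension inventory and the destination's reputation before escalating. Because the reported fallback infrastructure rotates destinations, it is also worth re-running the analysis keyed on source host alone to catch a timer that is spread across several hostnames.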

Recent activity

4 sources tracked across advisories, community write-ups, and news.

The Hacker News (news), Jan 30, 2026
Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access

A MaaS toolkit used to generate malicious Chrome extensions that overlay full-screen iframe phishing pages on targeted sites (e.g., banks) while preserving the legitimate URL in the address bar; includes a C2 management panel for victim management, redirect/spoof configuration, and fake browser notification delivery, with a premium tier claiming Chrome Web Store publication bypass/approval.
SC World (news), Jan 27, 2026
Stanley malware bypasses Chrome Web Store checks, steals credentials

Stanley is a crimeware toolkit delivered as (or used to create) a malicious Chrome extension that masquerades as a note-taking app (“Notely”). It overlays fake login prompts on top of legitimate sites while preserving the correct domain in the URL bar, enabling credential theft. It also abuses legitimate Chrome notifications to lure clicks, tracks victims by IP, and reportedly beacons to attacker infrastructure every ~10 seconds. Higher-tier offerings claim the ability to pass Chrome Web Store checks, increasing stealth and reach.
Dark Reading (news), Jan 27, 2026
'Stanley' Toolkit Turns Chrome Into Undetectable Phishing Vector

A malware-as-a-service toolkit used to build malicious Google Chrome extensions that hijack navigation to targeted sites (e.g., banking/crypto), render attacker-controlled phishing pages via full-screen iframe overlays while keeping the legitimate URL visible, and exfiltrate captured credentials to attacker infrastructure via a C2-managed extension.
Hackread (news), Jan 26, 2026
$6,000 “Stanley” Toolkit Sold on Russian Forums Fakes Secure URLs in Chrome

A crimeware toolkit sold on Russian-language cybercrime forums that enables attackers to publish a malicious Chrome extension (disguised as “Notely”) which overlays fake login pages on top of real sites while the browser URL bar still shows the legitimate domain, harvests credentials, uses Chrome notifications for lures, tracks victims by IP, polls C2 every ~10 seconds for commands, and cycles through fallback addresses for resilience.