What You Should Know About The SHARPEXT Malware Getting Past Gmail 2FA

A threat actor believed to be associated with North Korea is said to be deploying a malicious browser extension dubbed 'SHARPEXT' to spy on Gmail and AOL users. North Korea has often drawn scrutiny from cyber-security firms and Western government agencies for aiding and abetting threat actors that specifically target American and Western interests. The U.S. government even has a name for the malicious cyber activity of the North Korean regime, calling it 'Hidden Cobra.' According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), North Korea employs malicious cyber activity to collect intelligence, conduct attacks, and generate revenue.

Cybercrime has been rising over the past few years, reaching its peak during the pandemic. Several different types of cybercrimes have seen an increase during this time, including phishing, ransomware, spyware, and crypto scams. Another popular method involves using fake software, including phony antivirus apps, to deliver malicious payloads. While most of the attacks come from organized cybercriminals, state-sponsored cyber threats from North Korea, China, and Russia are also increasing rapidly. According to an FBI report, last year was exceptionally bad for cybercrime victims, with people reportedly losing almost $7 billion to online attacks and scams.

Researchers at cybersecurity firm Volexity have detailed new activity by a threat actor called SharpTongue (also referred to as Kimsuky). According to them, the group is using ingenious means to install a malicious browser extension on Chromium-based browsers like Google Chrome and Microsoft Edge. The extension is not detected by Gmail or AOL Mail, nor is it thwarted by established security measures like two-factor authentication: because it operates inside the victim's already-authenticated browser session rather than attempting a fresh login, the second factor is never challenged. According to the researchers, the initial instances of the SHARPEXT malware were spotted as far back as Sept. 2021. However, unlike other malware deployed by SharpTongue, the new extension does not try to steal usernames and passwords. Instead, it "directly inspects and exfiltrates data from a victim's webmail account as they browse it."

The Malware Currently Only Affects Windows Users

In an email to Ars Technica, Volexity President Steven Adair said that the extension is installed through "spear phishing and social engineering where the victim is fooled into opening a malicious document." The malware currently works only on Windows, but Adair believes that with a few changes it could be made to work on other platforms, so Chrome users on macOS or Linux could also be at risk.

Armed with the new malware, SharpTongue is said to be targeting individuals and organizations in the U.S., Europe, and South Korea. Most of the victims are said to be entities working on strategic geopolitical issues involving North Korea, including nuclear armament and weapons systems. According to Volexity, SHARPEXT has matured considerably over the past year, and the threat it poses is only likely to increase over time.