Evidence Timeline

Environment

  • Date: 2026-03-07
  • Extension ID: gengfhhkjekmlejbhmmopegofnoifnjp
  • Original UUID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • New UUID: 2d258980-44f2-4783-99f7-e935006b4c61

User-Observed Results (provided)

  1. GET /extensions/setup for new UUID returned 200 {"success":true}.
  2. GET /extensions/callback for new UUID returned array of executable scripts.
  3. Returned scripts included:
    • superior-history (posts to /extensions/finish?…task_id=64058)
    • superior-updater (remote UI/content + task id 64059)
    • superior-grabber (form value exfiltration + task id 64060)
  4. For original UUID:
    • GET /extensions/callback -> 400 Bot is uninstalled
    • GET /extensions/exe/get-update-data -> 200 with payload https://baysideceu.com/wp-content/uploads/googleupdate.exe
    • GET /extensions/exe/modal/can-show -> 400 BOT_UNINSTALLED
    • GET /extensions/exe/bar/can-show -> 400 BOT_UNINSTALLED

Reproduced Collection (saved locally)

Notable Script Evidence

  • Updater script constants:
    • CONTENT_URL = 'https://ggl.lat'
    • TASK_ID = '64059'
  • Endpoint templates include:
    • /exe//can-show?...
    • /exe/get-update-data?...
    • /exe//show-later?...
    • /finish?uuid=&task_id=&platform=...

Reference: 2-superior-updater.js
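
A detection sketch built on the endpoint paths and hosts recorded above, added here as an example and not part of the collected evidence: it scans proxy-log lines for the extension's API paths and for the two hosts named in this report. The log layout, the host c2.example and the platform value are constructed assumptions, since the page does not name the API host.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path shapes taken from the observed requests and endpoint templates in this report.
C2_PATH = re.compile(
    r"^/extensions/(?:(?P<plain>setup|callback|finish)"
    r"|exe/(?P<exe>get-update-data|(?:modal|bar)[/-](?:can-show|show-later)))$")
# Hosts named in this report (remote content and payload delivery).
IOC_HOSTS = {"ggl.lat", "baysideceu.com"}
UUID_RE = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def classify(url):
    """Return a finding dict for one URL, or None when nothing matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    query = parse_qs(parts.query)
    m = C2_PATH.match(parts.path)
    if m:
        uuid = query.get("uuid", [""])[0]
        return {"kind": "c2-endpoint",
                "endpoint": m.group("plain") or "exe/" + m.group("exe"),
                "uuid": uuid if UUID_RE.match(uuid) else None,
                "task_id": query.get("task_id", [None])[0]}
    if any(host == h or host.endswith("." + h) for h in IOC_HOSTS):
        return {"kind": "ioc-host", "host": host}
    return None

def scan(lines):
    """Each line: '<timestamp> <client> <method> <url> <status>' (assumed layout)."""
    findings = []
    for line in lines:
        ts, client, _method, url, status = line.split()
        hit = classify(url)
        if hit:
            findings.append({"ts": ts, "client": client, "status": int(status), **hit})
    return findings

# Constructed sample log lines; c2.example is a placeholder host.
SAMPLE = [
    "2026-03-07T23:48:15Z 10.0.0.5 GET https://c2.example/extensions/finish?uuid=2d258980-44f2-4783-99f7-e935006b4c61&task_id=64058&platform=test 200",
    "2026-03-07T23:49:00Z 10.0.0.5 GET https://c2.example/extensions/exe/modal/can-show 400",
    "2026-03-07T23:49:30Z 10.0.0.7 GET https://baysideceu.com/wp-content/uploads/googleupdate.exe 200",
    "2026-03-07T23:50:00Z 10.0.0.9 GET https://example.org/index.html 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Path-only matching is host-independent, so it still fires if the API host changes; the host match is broader and will also flag unrelated traffic to the same sites.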

Additional Live Probes (2026-03-07)

Probe A: b3928423-3198-494a-9630-6894921545ca

Folder: probe-20260307-233702-b3928423/

  • Verified endpoints: setup, callback, exe/get-update-data, exe/modal-can-show, exe/bar-can-show, modal/bar show-later.
  • Captured remote fake-update templates from ggl.lat in ggl_templates.
  • After uninstall-state transition, finish calls returned BOT_UNINSTALLED (400).

Probe B: 1d4b0fa7-c150-4b55-bb3b-1ed4bb5a7632

Folder: probe-20260307-234815-1d4b0fa7/

  • Callback task IDs observed/verified: 64067, 64068, 64069.
  • finish endpoint returned 200 {"success":true} for all three task IDs while active.

Final Consolidated Report