Investigation Snapshot

Generated: 2026-03-07 23:50 +01:00

UUIDs

  • Original UUID: xxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  • Probe UUID A: b3928423-3198-494a-9630-6894921545ca
  • Probe UUID B: 1d4b0fa7-c150-4b55-bb3b-1ed4bb5a7632
  • Extension ID: gengfhhkjekmlejbhmmopegofnoifnjp

Main Deliverable

  • investigation/COMPLETE_SECURITY_REPORT_2026-03-07.md

Collected Evidence

  • Original UUID captures: investigation/orig_*.json|txt
  • Callback scripts: investigation/callback_scripts/*.js
  • Probe A (with uninstall-state evidence): investigation/probe-20260307-233702-b3928423
  • Probe B (active bot finish success evidence): investigation/probe-20260307-234815-1d4b0fa7
  • Remote fake-update templates: investigation/probe-20260307-233702-b3928423/ggl_templates
  • Timeline notes: investigation/EVIDENCE_TIMELINE.md

Key Findings

  1. background.js uses https://api.getextensionanalytics.top/extensions with setup/callback/uninstall/finish logic.
  2. Callback returns executable JS tasks that include history beaconing, updater injection, and form-value grabbing.
  3. Updater task pulls HTML templates from https://ggl.lat and renders modal/bar/full-page update UI.
  4. EXE update payload endpoint returned https://baysideceu.com/wp-content/uploads/googleupdate.exe during probes.
  5. /extensions/finish accepts task posts from active UUIDs and returns bot-uninstalled errors once the UUID has been marked uninstalled.