Windows Defender C2 detection, Chrome/Brave/Firefox contacting malicious IP at Cloudflare
We're facing multiple incident reports from Microsoft Defender with the following process:
"chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2000,i,11649817129998401053,18190743795037028513,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2144 /prefetch:3
It's contacting the IP address 188.114.96.3, which belongs to Cloudflare according to IPWHOIS.
Is anybody else experiencing this issue?
Cloudflare is a reverse proxy and Chrome is a browser, so it could be absolutely anything; finding the domain would be a good next step. But no, I haven't seen talk of that.
Right now we cannot see the DNS record they're calling. We're still trying to figure out which service is getting contacted.
The strange thing is we have this from devices across all departments, like finance, R&D, order management and production.
No plugins installed on Chrome, Firefox or Brave that we can see.
Yeah, that's a proxy IP, so theoretically any Cloudflare-proxied site could have been accessed through it depending on the Host header / SNI used, which I know isn't helpful to hear.
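One way to answer "which site is behind that proxy IP" from endpoint telemetry, as an added example that is not code from this thread or from any of the products mentioned: correlate Sysmon DNS-query events (Event ID 22, which carry QueryName and QueryResults) with network-connection events (Event ID 3, which carry DestinationIp), and check the destination against Cloudflare's published ranges. The sample event lines, their flat key=value layout, the process paths and the embedded prefix snapshot are all constructed or assumed for this example; a real run would read the events from the Sysmon operational log and refresh the prefixes from https://www.cloudflare.com/ips-v4.

```python
"""Recover the domain behind an alert on a CDN/proxy IP by correlating
DNS answers with outbound connections (Sysmon-style events).

The event lines below are constructed for this example; they are not
telemetry from the thread's environment.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: a small snapshot of Cloudflare's published IPv4 ranges.
# Refresh from https://www.cloudflare.com/ips-v4 in real use.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "188.114.96.0/20",
)]

CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
BRAVE = "C:\\Program Files\\BraveSoftware\\Brave-Browser\\Application\\brave.exe"

# Constructed sample events, flattened to key=value pairs (values may contain
# spaces). Sysmon writes IPv4 answers as ::ffff:a.b.c.d, which is kept here.
SAMPLE_EVENTS = [
    f"EventID=22 Image={CHROME} QueryName=www.youtube.com "
    "QueryResults=type: 5 youtube-ui.l.google.com;::ffff:142.250.185.110;",
    f"EventID=22 Image={CHROME} QueryName=sponsor.ajay.app "
    "QueryResults=::ffff:188.114.96.3;::ffff:188.114.97.3;",
    f"EventID=22 Image={BRAVE} QueryName=sponsor.ajay.app "
    "QueryResults=::ffff:188.114.96.3;",
    f"EventID=3 Image={CHROME} DestinationIp=188.114.96.3 DestinationPort=443",
    f"EventID=3 Image={BRAVE} DestinationIp=188.114.96.3 DestinationPort=443",
    f"EventID=3 Image={CHROME} DestinationIp=142.250.185.110 DestinationPort=443",
]

# key=value where the value runs up to the next " key=" or end of line
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_event(line):
    """Turn one flat key=value line into a dict."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def is_cloudflare(ip):
    """True if ip falls inside the (snapshot) Cloudflare prefixes above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def candidate_domains(lines, target_ip):
    """Names whose DNS answers (Event ID 22) contained target_ip,
    mapped to the set of processes that asked for them."""
    hits = defaultdict(set)
    for ev in map(parse_event, lines):
        if ev.get("EventID") != "22":
            continue
        answers = set(IPV4_RE.findall(ev.get("QueryResults", "")))
        if target_ip in answers:
            hits[ev["QueryName"]].add(ev.get("Image", "?"))
    return dict(hits)


def explain_connection(lines, target_ip):
    """Summarise what an alert on target_ip most likely means."""
    conns = [ev for ev in map(parse_event, lines)
             if ev.get("EventID") == "3" and ev.get("DestinationIp") == target_ip]
    domains = candidate_domains(lines, target_ip)
    return {
        "ip": target_ip,
        "cloudflare_proxied": is_cloudflare(target_ip),
        "connections": len(conns),
        "ports": sorted({ev.get("DestinationPort", "?") for ev in conns}),
        "domains": sorted(domains),
        "processes": sorted({p for procs in domains.values() for p in procs}),
    }


if __name__ == "__main__":
    for key, value in explain_connection(SAMPLE_EVENTS, "188.114.96.3").items():
        print(f"{key}: {value}")
```

The same correlation works with the Windows DNS Client operational log instead of Sysmon if Sysmon is not deployed; when no DNS telemetry exists at all, the TLS SNI in a packet capture of the connection gives the same name. The point is that a proxy IP on its own is not an indicator; the name that resolved to it is.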
Users are reporting it happens when they try to open YouTube.
Could also be related to the multi-messenger https://meetfranz.com/de/
Franz – Your free messaging app for Slack, Facebook Messenge...
Franz is the former Emperor of Austria, but also a messaging app from Vienna that combines chats and other messenger services in a single program.
OK, we found it.
DNS record involved on all endpoints: sponsor.ajay.app/database
Looks like users have installed an extension called "SponsorBlock" or some uBlock Origin derivative.
Yeah, that'd do it.
Sounds like a false positive if it's being detected as a C2 though.
I agree, better a false positive than an incident 🙂
Agreed.