What to look out for today
Two themes to keep on your radar today:
- Remote access malware sold as a service (QuimaRAT): designed to run across Windows, macOS and Linux, making mixed-device workplaces a viable target.
- Browser add-on/mod abuse leading to data theft: a reported Opera GX issue allowed silent mod installation in certain conditions (now patched), reinforcing the broader risk of unapproved extensions and “helpful” add-ons.
Why this matters to smaller businesses
- Remote access tools are a common first step in invoice fraud, payroll diversion, data theft and ransomware-style disruption.
- Cross-platform capability increases the chance of impact if you have a mix of laptops (Windows/macOS) and servers or specialist devices (often Linux-based).
- Browser add-ons can see what staff see (webmail, finance portals, CRM, HR systems). If an attacker can get an add-on installed, they may be able to capture or infer sensitive information.
Warning signs
- Staff report unexpected prompts to install browser “mods”, “extensions”, “security tools”, “PDF tools” or “AI helpers”.
- New or unfamiliar browser toolbars, changed homepage/search, or settings that keep reverting.
- Unexplained remote sessions, new admin accounts, or repeated sign-in notifications from services (email, Microsoft 365/Google, accounting, payroll).
- Devices suddenly running hot/slow, or security tools being disabled without a clear support ticket.
How attackers may exploit the situation
- Commodity “MaaS” malware lowers the bar for criminals to buy remote access capabilities and target smaller firms at scale.
- Extension/mod routes can be used to lift data from pages staff visit (e.g., webmail, client portals), then pivot into account takeover or targeted payment scams.
- Once remote access is gained, attackers often move quickly to email rules, invoice tampering, and harvesting contacts for convincing follow-on phishing.
What to do today
- Reinforce a simple rule to staff: don’t install browser extensions/mods or “helper” tools for work unless IT has approved them.
- Check your browser policy: ensure only approved extensions are allowed on business profiles where possible.
- Review admin access: confirm who has local admin rights on laptops and whether it’s genuinely needed.
- Make sure MFA is on for email, finance, payroll and admin portals, and that recovery options are controlled (no personal emails/phone numbers).
- Quick log review: ask IT/MSP to check for unusual remote access activity and new persistence (new startup items, new management tools) across endpoints.
Ask your IT provider
- Do we have an allow-list approach for browser extensions, or at least monitoring and reporting of new installations?
- How are you detecting and responding to remote access trojans across Windows, macOS and Linux (not just one platform)?
- Can you show us a weekly report of new software/extensions installed and any high-risk detections?
- What’s our process if a user reports an unexpected “install this mod/extension” prompt—who triages and how fast?
Patch watch - only one short paragraph, and only if relevant
If you have staff using Opera GX, confirm it is updated to the latest version, and consider tightening controls on installing mods/extensions on business devices. Even when a specific flaw is patched, extension/mod abuse remains a common route into accounts and data.
One action today
Message staff today: only install browser extensions/mods that IT has approved, and report any ‘install this add-on/mod’ prompts immediately.
Related Actions On Cyber resource
Actions On Cyber checklist: “Prevent invoice and payment diversion (BEC) – controls and approval steps”
Sources
- New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS (The Hacker News)
- Opera GX Flaw Let Malicious Sites Auto-Install Mods to Steal Data From Visited Pages (The Hacker News)
This brief is for general awareness and does not replace advice from your IT provider, legal adviser, insurer or incident response specialist.