Copycat - Identity Stealer Extension

Presented at DEF CON 33 (2025), Aug. 9, 2025, 11 a.m. (45 minutes).

Copycat is a browser extension-based red team toolkit for simulating web-based identity attacks. This tool simulates ten web-based identity attacks through a single browser extension with minimal permissions, operating primarily through hidden windows that execute attacks without user awareness. With Copycat, red teams can simulate complex attack scenarios including silent Gmail and LinkedIn hijacking, credential theft through login and OTP stealing, login page redirection, autofill extraction from enterprise applications, and multiple OAuth manipulation techniques. Copycat runs entirely in-browser with no special hardware requirements. Red teams can use Copycat to demonstrate attack vectors that bypass EDRs, SASE, and other traditional security controls, as these techniques operate within legitimate authenticated sessions rather than breaking them. The tool is fully modifiable, with each module designed for customization to target different services or authentication flows. Source code and documentation will be available for security researchers to extend and improve the framework. Special mention to Pankaj Sharma, Tejeswara S. Reddy, and Arpit Gupta for their contributions in building this toolkit!

Presenters:

• Shourya Pratap Singh
  Shourya Pratap Singh is responsible for building SquareX's security-focused extension and conducts research on countering web security risks. As a rising figure in cybersecurity, Shourya has presented his work on global stages including the DEFCON main stage, Recon Village, and Adversary Village, as well as at Black Hat Arsenal EU. He has also delivered several workshops at prestigious events such as the Texas Cyber Summit. Shourya earned his bachelor's degree from IIIT Bhubaneswar and holds a patent. His professional interests focus on strengthening the security of browser extensions and web applications.
• Dakshitaa Babu
  Dakshitaa is a security researcher and product evangelist at SquareX, where she leads the security research team. A self-taught cybersecurity researcher mentored by offensive security veteran Vivek Ramachandran, she specializes in web attacks — malicious websites, files, scripts, and extensions capable of bypassing traditional security solutions. Her research directly fuels SquareX's product innovation, ensuring it stays ahead of evolving threats. As a product evangelist, she is the principal author of SquareX's technical collateral. She has contributed to bleeding-edge browser security research presented at BSides SF Adversary Village, Recon Village, and the DEF CON main stage. Her work on email security bypasses, breaking secure web gateways, MV3 extension vulnerabilities, browser syncjacking, polymorphic extensions, and browser-native ransomware has been covered by leading media outlets, including Forbes, TechRadar, Mashable, The Register, Bleeping Computer, and CyberNews.

Similar Presentations:

• ToorCon: Seattle 2008 / Identity-based ElGamal
• DEF CON 33 (2025) / DVBE - Damn Vulnerable Browser Extension Demo