MITRE ATT&CK: Browser bookmark discovery

Greg Belding
October 8, 2019 by
Greg Belding


Someone’s browser bookmarks can tell a lot about that person. Bookmarks are a convenient way to dog-ear websites you want to view later and often involve personal interests. Depending on how much they are used, they can even give you a window to that person’s lifestyle. 

Attackers know this as well, and they often incorporate browser bookmarks into a source of relatively sensitive information in their plan of attack. What’s more, this discovery tactic affects Windows, macOS and Android mobile devices. 

This article will delve into browser bookmark discovery by exploring how it fits into the discovery portion of an attack, the problem with mitigation, real-life examples of browser bookmark discovery and detection.


MITRE is a not-for-profit corporation dedicated to solving problems for a safer world. Beginning as a systems engineering company in 1958, MITRE has added new technical and organization capabilities to its knowledge base — including cybersecurity.

To this end, MITRE released the MITRE ATT&CK list as a globally accessible knowledge base of adversary techniques and tactics based upon real-world observations. This information can then be used as the basis for the foundation of the development of threat models and methodologies for cybersecurity product/service community, the private sector and government use. More information on the MITRE ATT&CK matrix can be found here

How browser bookmarks fit into discovery

To understand how browser bookmarks fit into the big picture, you have to understand what the discovery phase is. 

Discovery is one of the MITRE ATT&CK tactics of an information security attack where the malicious attacker is trying to learn your environment. This tactic consists of techniques that will help the attacker gain knowledge about an organization’s systems and network. Think of it as the attacker is proverbially finding his feet before proceeding further with the objectives of the attack. 

Discovery also allows the attacker to find out what is controllable under the circumstances. For example, browser bookmarks allow the attacker to window-shop potentially sensitive information about the user of the compromised system, which may lead to even more information.

The problem with mitigation

One of the biggest problems with bookmark discovery is that it is difficult for even the most alert of advanced skilled administrators, let alone most security teams. The root of this problem stems from the fact that browser bookmark discovery is considered abuse of system features. Systems use features for specific reasons and each one installed has some form of a purpose. 

By using features of a system similar to how the system would use the feature, the attacker can effectively use the system against itself. It is not too dissimilar from when a judo practitioner uses his opponent’s own body weight against him. 

Real-world examples


This Trojan is interesting in that it targets macOS, which is relatively malware-free compared to other systems like Windows. To gain access to systems, Calisto masquerades as an Intego software installer. Once inside the target system, Calisto has a field day collecting the user’s information. The main source of this personal information is Google Chrome; Calisto extracts browser bookmarks, among a host of other sensitive information from the browser. 

Calisto made its first appearance on August 2nd, 2016 and has been kicking around the world wide web since then, stealing browser bookmarks from unsuspecting macOS users. It has been suggested that the Intego software containing this malware from a BitTorrent site: there have been no hacks of Intego, so you can bet that it was not attached to this legitimate software. 

Luckily, anti-malware solutions for macOS has been stopping Calisto in its tracks. If you use macOS, stay diligent and investigate whether your solution has accounted for this malware.


This Python-based post-exploitation agent and framework is another malware that has the ability to collect browser bookmarks from a compromised Windows or macOS system. The story with Empire follows in the tracks of many other such offensive tools that are built for legitimate purposes. 

After its initial appearance as a legitimate tool in 2015, malicious actors began using this tool for malicious purposes, including stealing browser bookmarks. After version 2.0 and its increased stability, Empire was increasingly used as a solution by malicious actors. 

Empire has been involved with some higher-profile attacks of late. One of these instances was during the Winter Olympics in South Korea: the APT group Hades took advantage of the functionality of Empire in their Olympic Destroyer attack campaign, performing many data-stealing operations, including thieving browser bookmarks.

Empire is no longer supported as of August of 2019, making it potentially a threat of the past.


This Trojan targets Android mobile devices and has been widely used by the China-based threat group Scarlet Mimic. The scariest thing about this threat is it was used extensively in a cyber-espionage campaign that took years before it was officially discovered. 

After the user has fallen for a spearphishing campaign, MobileOrder uploads sensitive data from Android devices, including browser bookmarks, to its creators. Once the infected email document is downloaded onto the target Android device, the Trojan is installed, which allows access to browser bookmarks.


Any suspicious activities discovered by an administrator should not be taken in isolation but rather as a whole, where they are correlated with other suspicious events. Administrators should monitor for command-line arguments and processes that suggest that browser bookmark information has been compromised. 

Keep in mind that browser bookmark discovery is likely to occur in the beginning stages of the attack, where the attack is still conducting discovery on the targeted environment. If you can catch this early on, it may help you stem the attack as a whole.


Discovery is a crucial part of an attack campaign, and browser bookmark discovery is a fertile field of sensitive information that attackers like to pick through. Browser bookmark discovery is simply one way that attackers can discover sensitive information and this tactic extends to Windows, macOS, and Android devices alike. 

By monitoring for command line arguments that you did not use (if you are an administrator) and strange process activities, you may be able to detect browser bookmark discovery and nip the attack in the bud.



  1. Browser Bookmark Discovery, MITRE ATT&CK
  2. OSX/Calisto Mac malware masquerades as Intego software, Intego Software
  3. Calisto Trojan for macOS, Secure List
  4. PowerShell Empire Framework Is No Longer Maintained, BleepingComputer
  5. Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists, Unit 42 Palo Alto Networks
Greg Belding
Greg Belding

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.