Cybersecurity firm Kaspersky Lab has identified a new cryptocurrency malware that could potentially be more dangerous than others previously found. The malware, dubbed Razy due to a file named trojan.win32.razy.gen, can spoof search results and attack browser extensions. Unlike other crypto malware, it is able to adapt itself based on the Internet browser used by the victim. Kaspersky researchers Victoria Vlasova and Vyacheslav Bogdanov wrote in a blog post, “Razy serves several purposes, mostly related to the theft of cryptocurrency.” It can search for addresses of crypto wallets on websites and replace them with other addresses, spoof images of QR codes that point to wallets, modify web pages of crypto exchanges and spoof Google and Yandex search results.

Specific to browser use, Razy installs an extension on Firefox, Firefox Protection, that can alter files in two folders, APPDATA and PROGRAMFILES. In Chrome and Yandex, Razy disables the “browser extension integrity check” and proceeds to create registry keys that disable browser updates. Subsequently, the Chrome application can become infected with a variety of extensions, most of which target Chrome Media Router, and the Yandex browser becomes infected with the “Yandex Protect” malware.

The researchers further explain, “Irrespective of the targeted browser type, Razy added the following scripts it brought along to the folder containing the malicious script: bgs.js, extab.js, firebase-app.js, firebase-messaging.js and firebase-messaging-sw.js... The file manifest.json was created in the same folder or was overwritten to ensure these scripts get called.” The “firebase” files are legitimate files that belong to the Firebase platform, but are manipulated to send statistics to the malware provider’s Firebase account.
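The script set and the rewritten manifest.json quoted above give defenders something concrete to look for in browser extension folders. The Python sketch below is an added example, not code from Kaspersky or from this article; the function names, the choice of bgs.js plus extab.js as the required pair, and the sample folder tree are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

# Script names quoted in the article. The Firebase files are legitimate library
# code, so requiring bgs.js + extab.js together is this example's assumption.
RAZY_SCRIPTS = {"bgs.js", "extab.js", "firebase-app.js",
                "firebase-messaging.js", "firebase-messaging-sw.js"}
CORE_PAIR = {"bgs.js", "extab.js"}

def manifest_scripts(manifest):
    """Base names of the background and content scripts a manifest loads."""
    names = list((manifest.get("background") or {}).get("scripts") or [])
    for entry in manifest.get("content_scripts") or []:
        names += entry.get("js") or []
    return {Path(n).name.lower() for n in names if isinstance(n, str)}

def scan_extensions(root):
    """One finding per extension folder that holds the dropped script pair."""
    findings = []
    for manifest_path in sorted(Path(root).rglob("manifest.json")):
        folder = manifest_path.parent
        on_disk = {p.name.lower() for p in folder.iterdir() if p.is_file()}
        if not CORE_PAIR <= on_disk:
            continue
        try:
            data = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
            loaded = manifest_scripts(data)
        except (OSError, ValueError, AttributeError, TypeError):  # bad manifest
            loaded = set()
        findings.append({"folder": folder.name,
                         "dropped": sorted(on_disk & RAZY_SCRIPTS),
                         "loaded_by_manifest": sorted(loaded & RAZY_SCRIPTS)})
    return findings

def build_sample(root):  # constructed sample tree, not real extension data
    trees = {"benign_ext": (["firebase-app.js"], ["firebase-app.js"]),
             "modified_ext": (sorted(RAZY_SCRIPTS), ["bgs.js", "extab.js"])}
    for name, (files, loaded) in trees.items():
        folder = Path(root, name)
        folder.mkdir()
        for f in files:
            (folder / f).write_text("// placeholder")
        manifest = {"background": {"scripts": loaded}}
        (folder / "manifest.json").write_text(json.dumps(manifest))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_extensions(tmp))
```

A folder that only ships the Firebase library is not reported, and a folder with an unreadable or malformed manifest.json is still reported with an empty `loaded_by_manifest` list.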
Ultimately, unwitting netizens with an infected computer could visit a webpage, such as Binance.com or pro.coinbase.com, and be presented with crypto wallet addresses that aren’t legitimately owned by those entities. Instead, they belong to the provider of the malware. The blog post indicates, however, that the obfuscation works on virtually all web pages, except for those hosted by Google or Yandex. Even Wikipedia pages are at risk. According to the researchers, “When the user visits Wikipedia, main.js adds a banner containing a request for donations to support the online encyclopedia. The cybercriminals’ wallet addresses are used in place of bank details. The original Wikipedia banner asking for donations (if present) is deleted.” Kaspersky was able to identify the wallet addresses associated with the malware and determined that, as of its publication on the subject, 0.14 Bitcoin Core (BTC) and 25 Ether (ETH) had been pilfered. That amounts to around $471 in BTC and $2,545 in ETH at current market prices.