Engineering a Stealthy Browser Exfiltration Suite
Security, 2025

Designing for deep persistence and high-fidelity data harvest.

Client: Internal Research (tameSec Labs)
Duration: 2 weeks
Role: Lead Offensive Security Researcher
Team Size: 1

The Challenge

The primary objective was to develop a browser-based surveillance tool that could survive in high-security environments where traditional networking (direct C2) and file-system activity are heavily monitored. Key engineering hurdles included:

  • Stealth Communication: Bypassing DNS firewalls and SNI filtering that typically flag suspicious C2 traffic.
  • Durable Persistence: Maintaining execution in Manifest V3 (MV3) despite the strict service worker lifecycle and idle timeouts.
  • Target Identification: Filtering "noise" from generic browsing to focus on high-value sessions (LinkedIn, AWS, GitHub, etc.) without slowing down the user's browser.
  • Anti-Analysis: Protecting the core logic from automated sandboxes and opportunistic researchers using DevTools.

The Solution

I engineered a modular surveillance platform that leverages browser-native features for offensive operations:

  1. DoH C2 Architecture: Implemented a DNS-over-HTTPS C2 module that fetches encrypted Stage-2 configurations via TXT records from Cloudflare and Google DNS. This blends C2 traffic with legitimate HTTPS packets.
  2. Persistence via Offscreen Documents: Utilized the Chrome Offscreen API to create a "heartbeat" document. This ensures the background process remains active for continuous surveillance and queued exfiltration, even when the extension UI is inactive.
  3. Behavioral Profiling Engine: Developed a biometric tracker (script2.js) that monitors typing speed, error rates, and hourly activity. This allows the tool to build a "User Persona," helping operators identify the target's role and peak active hours.
  4. Multi-Channel Exfiltration: Integrated a redundant exfiltration pipeline using Telegram Bot API, Discord Webhooks, and WebRTC for P2P data transfer, ensuring data delivery even if one channel is burned.
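The four capabilities listed above all leave footprints in the extension's manifest before a single line of the background script runs: `chrome.offscreen` is only available when the `offscreen` permission is declared, cookie harvesting needs the `cookies` permission plus matching `host_permissions`, and fetches to DoH resolvers or chat-platform webhooks from a service worker need those hosts (or a wildcard) in `host_permissions`. The following is an added, defender-side example and not code from the original write-up or from the described tool: a small Node.js audit that scores an MV3 manifest on that capability combination. The watch-list hosts, the permission annotations and the two sample manifests are assumptions constructed for this example, not indicators taken from the post.

```javascript
// Added example (not part of the original post): audit a Chrome MV3 manifest
// for the capability combination described in the write-up (offscreen
// persistence + cookie access + broad host reach + DoH / webhook hosts).

// Assumed watch list for this example: public DoH resolvers and chat platforms
// whose bot/webhook APIs are commonly used as "free" exfiltration channels.
const WATCHLIST_HOSTS = {
  "cloudflare-dns.com": "DoH resolver",
  "dns.google": "DoH resolver",
  "api.telegram.org": "Telegram Bot API",
  "discord.com": "Discord webhooks",
  "discordapp.com": "Discord webhooks",
};

// MV3 permission names and why each matters for this audit (assumed annotations).
const RISKY_PERMISSIONS = {
  offscreen: "can keep an offscreen document alive past service-worker idle timeout",
  cookies: "can read cookie jars for every host in host_permissions",
  scripting: "can inject scripts into pages",
  webRequest: "can observe request traffic",
  tabs: "can enumerate tab URLs",
};

// Extract the host part of a match pattern such as "https://*.example.com/*".
function hostOfPattern(pattern) {
  const m = /^[a-z*]+:\/\/([^/]+)\//.exec(pattern);
  return m ? m[1].replace(/^\*\./, "") : null;
}

function isWildcardHostPattern(p) {
  return p === "<all_urls>" || p.startsWith("*://*/") || /^https?:\/\/\*\//.test(p);
}

function auditManifest(manifest) {
  const findings = [];

  const perms = new Set([...(manifest.permissions || []), ...(manifest.optional_permissions || [])]);
  for (const [perm, note] of Object.entries(RISKY_PERMISSIONS)) {
    if (perms.has(perm)) findings.push({ kind: "permission", value: perm, note });
  }

  const hostPerms = [...(manifest.host_permissions || []), ...(manifest.optional_host_permissions || [])];
  for (const p of hostPerms) {
    if (isWildcardHostPattern(p)) {
      findings.push({ kind: "host", value: p, note: "wildcard host access" });
      continue;
    }
    const host = hostOfPattern(p);
    if (host && WATCHLIST_HOSTS[host]) findings.push({ kind: "host", value: p, note: WATCHLIST_HOSTS[host] });
  }

  // A content script on every page is what makes keystroke/behavioural profiling possible.
  const scripts = manifest.content_scripts || [];
  if (scripts.some((c) => (c.matches || []).includes("<all_urls>"))) {
    findings.push({ kind: "content_script", value: "<all_urls>", note: "content script on every page" });
  }

  const hasPerm = (p) => findings.some((f) => f.kind === "permission" && f.value === p);
  const hostHits = findings.filter((f) => f.kind === "host").length;
  let verdict = "low";
  if (hasPerm("offscreen") && hasPerm("cookies") && hostHits > 0) verdict = "high";
  else if (findings.length >= 2) verdict = "medium";

  return { name: manifest.name, verdict, findings };
}

// Constructed sample manifests (not real extensions).
const SUSPICIOUS_MANIFEST = {
  manifest_version: 3,
  name: "Tab Helper (constructed sample)",
  permissions: ["offscreen", "cookies", "storage", "tabs"],
  host_permissions: [
    "<all_urls>",
    "https://cloudflare-dns.com/*",
    "https://dns.google/*",
    "https://api.telegram.org/*",
    "*://*.discord.com/api/webhooks/*",
  ],
  background: { service_worker: "bg.js" },
  content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }],
};

const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Dark Mode Toggle (constructed sample)",
  permissions: ["storage"],
  host_permissions: ["https://docs.example.com/*"],
};

console.log(JSON.stringify(auditManifest(SUSPICIOUS_MANIFEST), null, 2));
console.log(JSON.stringify(auditManifest(BENIGN_MANIFEST), null, 2));
```

Run it over the `manifest.json` files collected from a fleet (for example from a managed-browser extension inventory) and triage anything that scores `high` first; an `offscreen` + `cookies` pairing alongside resolver or webhook hosts has very few legitimate uses, and the combination is visible at install time regardless of how the Stage-2 configuration is later fetched.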

Tech Stack

JavaScript, Chrome Extensions MV3, DNS-over-HTTPS (DoH)

Results

  • Seamless Evasion: The extension successfully bypassed standard EDR/XDR signature sets during initial field tests.
  • High-Fidelity Harvesting: Successfully implemented automated "Ghost Sync" modules that harvest Netscape-formatted cookie jars and OAuth tokens from high-value domains.
  • Operational Scalability: The dynamic C2 configuration allows for rapid infrastructure rotation without requiring an extension update.
  • Proof of Concept: Demonstrated the extreme susceptibility of MV3 architectures to sophisticated, "living-off-the-browser" offensive tooling.