# Windows Defender C2 detection, Chrome/Brave/Firefox contacting malicious IP at Cloudflare

11 messages · Page 1 of 1 (latest)

tribal parrot
#

We're facing multiple incident reports by Microsoft Defender with the following process:

"chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=de --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2000,i,11649817129998401053,18190743795037028513,262144 --variations-seed-version=20250313-050105.095000 --mojo-platform-channel-handle=2144 /prefetch:3

It's contacting the IP address 188.114.96.3, which belongs to Cloudflare according to IPWHOIS.
Is anybody else experiencing this issue?

mortal jolt
#

Cloudflare is a reverse proxy and Chrome is a browser, so it could be absolutely anything and finding the domain would be a good next step, but no, I haven't seen talk of that.

tribal parrot
#

Right now we cannot see the DNS record they're calling. We're still trying to figure out which service is getting contacted.
Strange thing is we have this from devices across all departments like finance, R&D, order management and production.
No plugins installed on either Chrome, Firefox or Brave that we can see.

mortal jolt
#

Yeah, that's a proxy IP, so theoretically any Cloudflare-proxied site could have been accessed through it depending on the host header / SNI used, which I know isn't helpful to hear.
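The triage step described above (tying a Cloudflare proxy IP back to the name that resolved to it) as an added example, not code from this thread: it correlates a flagged outbound connection with DNS query events from the same endpoint in a short window before the connection, then counts how many hosts resolved the resulting domain. The log lines are constructed samples in a simplified Sysmon-like key=value shape; the hostnames and addresses other than 188.114.96.3 are assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): DNS query events with their
# answers, and one network-connection alert, both tagged with endpoint and image.
DNS_EVENTS = [
    "2025-03-14T08:00:01Z host=FIN-PC07 image=chrome.exe query=www.youtube.com answers=142.250.185.78",
    "2025-03-14T08:00:02Z host=FIN-PC07 image=chrome.exe query=sponsor.ajay.app answers=188.114.96.3",
    "2025-03-14T08:00:05Z host=RND-PC12 image=chrome.exe query=sponsor.ajay.app answers=188.114.96.3",
    "2025-03-14T08:05:00Z host=FIN-PC07 image=firefox.exe query=example.org answers=93.184.216.34",
]
NET_ALERT = "2025-03-14T08:00:03Z host=FIN-PC07 image=chrome.exe dst=188.114.96.3:443"

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def candidate_domains(alert_line, dns_lines, window=timedelta(minutes=5)):
    """Return (query, image) pairs whose DNS answers included the alert's
    destination IP, on the same host, within `window` before the connection,
    newest first. A proxy IP alone is ambiguous; the resolved name is not."""
    alert = parse(alert_line)
    dst_ip = alert["dst"].rsplit(":", 1)[0]  # strip the port
    hits = []
    for rec in map(parse, dns_lines):
        if rec["host"] != alert["host"]:
            continue  # only DNS activity from the alerting endpoint is relevant
        if not (alert["ts"] - window <= rec["ts"] <= alert["ts"]):
            continue  # ignore lookups outside the window before the connection
        if dst_ip in rec["answers"].split(";"):
            hits.append((rec["ts"], rec["query"], rec["image"]))
    hits.sort(reverse=True)
    return [(query, image) for _, query, image in hits]


def fleet_prevalence(dns_lines, domain):
    """Count distinct hosts that resolved `domain`. Broad spread across
    departments points to a common extension or site rather than a targeted implant."""
    return len({r["host"] for r in map(parse, dns_lines) if r["query"] == domain})


if __name__ == "__main__":
    for query, image in candidate_domains(NET_ALERT, DNS_EVENTS):
        print(f"{image} resolved {query} shortly before the flagged connection")
    print("hosts resolving sponsor.ajay.app:", fleet_prevalence(DNS_EVENTS, "sponsor.ajay.app"))
```

Once the name is known, the same prevalence figure is what separates "one odd endpoint" from "every department has the same extension installed".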

tribal parrot
#

Users are reporting it happens when they try to open YouTube.

tribal parrot
#

Ok, we found it.
DNS record involved on all endpoints: sponsor.ajay.app/database

#

Looks like users have installed an extension called "SponsorBlock" or some uBlock Origin derivative.

mortal jolt
#

Yeah, that'd do it.

#

Sounds like a false positive if it's being detected as a C2, though.

tribal parrot
#

I agree, better false positive than incident 🙂