After compromising a system, most attackers leave the web browser alone, but one group is taking things a step further. Kaspersky has documented extensive efforts by Turla, a Russian group, to fingerprint TLS-encrypted web traffic by modifying Chrome and Firefox.

The group first infects systems with a remote access trojan and uses it to alter the browsers: it begins by installing its own certificates (to intercept TLS traffic from the host) and then patches the pseudo-random number generation used when negotiating TLS connections. This lets the attackers attach a fingerprint to every TLS session and passively log the encrypted traffic.

It's not entirely clear why the intruders would need to do this. If you have already compromised a device with a remote access trojan, you don't need to patch the browser to spy on its traffic.

ZDNet suggested it may be a fallback: it lets the intruders keep spying on the traffic of people who remove the trojan but aren't careful enough to reinstall their browsers.

The suspects are more readily identifiable, and their motivations may be known. Turla is thought to operate under the Russian government's protection, and its initial targets were in Russia and Belarus.

The gang has been sophisticated enough in the past to compromise Internet providers in Eastern Europe in order to tamper with otherwise clean files. This could be an attempt to snoop on activists and other political targets using a tool that is difficult to foil.