EXECUTIVE SUMMARY:
A malicious Chrome extension campaign has been observed targeting Meta advertisers. Threat actors are leveraging a fake platform named “Madgicx Plus”, presented as an AI-driven ad optimization tool designed to boost advertising performance. The extension uses convincing branding and marketing language to lure digital marketers into installation. Once deployed, it is capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts. The campaign demonstrates the reuse of previously established infrastructure, with domains from earlier malicious operations repurposed to support this new campaign.
The campaign distributes malicious Chrome extensions via websites impersonating legitimate AI-powered advertising tools. These extensions request full access to all visited websites, allowing them to inject scripts, read DOM content, intercept network traffic, and manipulate sessions. Analysis revealed that the extension removes Origin headers from outbound requests, bypassing web security controls such as Cross-Origin Resource Sharing (CORS) protections, enabling unauthorized API access using stolen session tokens. Dynamic analysis confirmed the staged collection of sensitive data, first targeting Google accounts and then pivoting to Facebook accounts to expand access to valuable business resources. The underlying infrastructure, protected by Cloudflare, was mapped to the VDSina hosting provider, uncovering domain reuse and shared hosting with other malicious extensions, indicating operational continuity across campaign iterations.
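The two traits described above, blanket host access plus removal of the Origin header from outbound requests, are both visible statically in an extension package, which makes them a useful triage check before an extension is allowed onto marketing staff's browsers. The script below is an added example, not code from the report or from the extension it analyses. The report does not say which Chrome mechanism the extension uses to strip the header, so the script covers both documented ones: a Manifest V3 declarativeNetRequest `modifyHeaders` rule, and a Manifest V2 blocking `webRequest.onBeforeSendHeaders` listener. The manifest, rule set, script snippets and host names it scans are constructed for illustration and are not artefacts of the Madgicx Plus campaign.

```python
"""Static triage of a Chrome extension package for blanket host access and
Origin-header stripping. Added example; all sample data below is constructed
and is not taken from the Madgicx Plus extension."""
import re

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
TRAFFIC_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                 "declarativeNetRequestWithHostAccess", "scripting", "cookies"}
# Request headers the browser's same-origin and CORS checks depend on.
CORS_HEADERS = {"origin", "referer", "sec-fetch-site", "cookie"}


def audit_manifest(manifest: dict) -> list[str]:
    """Flag permissions that let the extension read, inject into or rewrite
    traffic for every site the user visits."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 puts host patterns in permissions
    findings = [f"broad host access: {h}" for h in sorted(hosts & BROAD_HOSTS)]
    findings += [f"traffic/session permission: {p}" for p in sorted(perms & TRAFFIC_PERMS)]
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append("content script on all sites: " + ", ".join(cs.get("js", [])))
    return findings


def audit_dnr_rules(rules: list[dict]) -> list[str]:
    """Flag declarativeNetRequest modifyHeaders rules (Manifest V3) that remove
    or rewrite CORS-relevant request headers."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        target = rule.get("condition", {}).get("urlFilter", "*")
        for hdr in action.get("requestHeaders", []):
            name = hdr.get("header", "").lower()
            if name in CORS_HEADERS:
                findings.append(f"rule {rule.get('id')}: {hdr.get('operation')} "
                                f"request header {name} on {target}")
    return findings


# Manifest V2 equivalent: a blocking webRequest listener that touches the
# Origin header. A crude proximity scan is enough for triage.
_WEBREQUEST_RE = re.compile(r"onBeforeSendHeaders[\s\S]{0,600}?origin", re.IGNORECASE)


def audit_source(js: str) -> list[str]:
    return ["webRequest listener references Origin header"] if _WEBREQUEST_RE.search(js) else []


def triage(manifest: dict, rules: list[dict], sources: dict[str, str]) -> dict:
    """Combine the checks and rate the package: 'high' when blanket host access
    is paired with Origin-header manipulation."""
    findings = audit_manifest(manifest) + audit_dnr_rules(rules)
    for fname, js in sources.items():
        findings += [f"{fname}: {f}" for f in audit_source(js)]
    broad = any(f.startswith("broad host access") for f in findings)
    origin = any("origin" in f.lower() for f in findings)
    risk = "high" if broad and origin else ("medium" if findings else "low")
    return {"risk": risk, "findings": findings}


# Constructed sample package (hypothetical names and hosts, not real artefacts).
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Ad Optimizer",
    "permissions": ["declarativeNetRequest", "cookies", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_RULES = [
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders",
                "requestHeaders": [{"header": "Origin", "operation": "remove"}]},
     "condition": {"urlFilter": "api.example.test", "resourceTypes": ["xmlhttprequest"]}},
    {"id": 2, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "tracker.example.test"}},
]
SAMPLE_SOURCES = {
    "background.js": "chrome.webRequest.onBeforeSendHeaders.addListener(\n"
                     "  stripOrigin, { urls: ['<all_urls>'] }, ['blocking', 'requestHeaders']);",
    "popup.js": "document.getElementById('go').onclick = () => chrome.runtime.sendMessage({});",
}

if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST, SAMPLE_RULES, SAMPLE_SOURCES)
    print("risk:", report["risk"])
    for f in report["findings"]:
        print(" -", f)
```

In practice the inputs come from the unpacked extension directory: `manifest.json`, the rule files listed under `declarative_net_request.rule_resources`, and the background and content scripts. The risk rating deliberately keys on the pairing, since `<all_urls>` alone is common in legitimate tooling, whereas `<all_urls>` together with Origin-header removal is the combination the report associates with session hijacking.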
This analysis highlights an evolving Chrome extension campaign that abuses the Madgicx brand to target Meta advertisers. The campaign demonstrates both technical and infrastructure reuse, indicating continuity by the same threat actors rather than isolated copycats. Advertisers should remain vigilant against installing unverified extensions, monitor for unusual account activity, and implement security measures to prevent unauthorized access to advertising assets. The campaign’s persistence and adaptability suggest it remains active and may continue to evolve, posing ongoing risks to targeted businesses.
THREAT PROFILE:
| Tactic | Technique Id | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | – |
| Discovery | T1083 | File and Directory Discovery | – |
| Discovery | T1057 | Process Discovery | – |
| Lateral Movement | T1021.002 | Remote Services | SMB/Windows Admin Shares |
| Collection | T1113 | Screen Capture | – |
| Collection | T1074.001 | Data Staged | Local Data Staging |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
REFERENCES:
The following reports contain further technical details: