EXECUTIVE SUMMARY:
A large-scale malicious campaign has been identified involving a network of browser extensions distributed through the Chrome Web Store that collectively function as a coordinated data-exfiltration and session-hijacking operation. The extensions are disguised as legitimate utilities, games, and productivity tools, which lets them avoid user suspicion while operating in the background. Once installed, they silently harvest sensitive user information such as browsing activity, authentication tokens, and account identifiers, while preserving the advertised functionality so that nothing looks wrong to the user. The campaign is notable for its scale and coordination: every identified extension routes stolen data to a shared command-and-control (C2) infrastructure, indicating a unified operational backend rather than isolated malicious actors.
The campaign consists of multiple Chrome extensions linked through a common C2 infrastructure, indicating centralized orchestration rather than isolated malicious actors. Although published under different developer identities and store categories, the extensions collectively perform a range of malicious activities, including session token theft, OAuth-based harvesting of Google account identity, and exfiltration of browser data. Several variants capture active session cookies and authentication tokens, enabling attackers to hijack logged-in accounts without ever obtaining the user's password. Others maintain a persistent browser backdoor that allows remote execution of actions, injection of scripts into visited webpages, and interception of web traffic. Some extensions additionally transmit stolen Telegram Web session data at frequent, regular intervals and use shared backend servers to synchronize stolen data, demonstrating a structured exfiltration pipeline and a coordinated control mechanism across all affected extensions.
The campaign represents a significant browser-based threat that leverages a trusted extension ecosystem to conduct stealthy data theft and session hijacking at scale. The abuse of legitimate extension APIs highlights the growing risk of supply-chain style attacks within browser ecosystems, where malicious code blends with expected behavior because the permissions it needs (cookie access, script injection, request interception) are the same ones many benign extensions request. The unified C2 infrastructure and multi-extension deployment strategy indicate a deliberate and structured operation aimed at large-scale user tracking and account compromise. Organizations and users relying on browser extensions should treat such threats as high-risk: an extension runs inside the user's authenticated browser session, so it can read cookies and tokens that endpoint controls focused on processes and files never see.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Persistence | T1176.001 | Software Extensions | Browser Extensions |
| Defense Evasion | T1027.001 | Obfuscated Files or Information | Binary Padding |
| Credential Access | T1539 | Steal Web Session Cookie | - |
| Credential Access | T1528 | Steal Application Access Token | - |
| Collection | T1119 | Automated Collection | - |
| Collection | T1185 | Browser Session Hijacking | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
REFERENCES:
The following reports contain further technical details:
https://www.securityweek.com/100-chrome-extensions-steal-user-data-open-backdoor/
https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2