A sophisticated cyberattack campaign has been identified, involving over 100 malicious Chrome browser extensions that have compromised user security since February 2024. These extensions, while appearing legitimate, secretly connect to attacker-controlled servers to exfiltrate sensitive data and execute arbitrary code on victims’ browsers.
Deceptive Distribution Tactics
The threat actors behind this campaign have established an extensive network of counterfeit websites that mimic legitimate services, including productivity tools, AI assistants, VPN clients, cryptocurrency platforms, and banking services. Unsuspecting users are directed to install these malicious extensions from the official Chrome Web Store, exploiting the trust users place in the platform’s security measures.
Excessive Permissions and Data Exfiltration
Upon installation, these extensions request broad permissions, granting them extensive access to users’ browsing activities across all websites. This access enables attackers to exfiltrate login credentials, hijack active sessions, inject malicious advertisements, manipulate network traffic, and perform targeted phishing attacks through Document Object Model (DOM) manipulation.
Persistent Backdoor Mechanisms
Once installed, the extensions establish communication channels with a network of attacker-controlled domains using sophisticated authentication mechanisms. They periodically send user data and receive commands for execution, creating a persistent backdoor into victims’ browsers. This persistent access can lead to account takeovers, financial theft, and privacy breaches across multiple platforms and services.
Exploitation of Trending Technologies
The campaign exploits trending technologies to increase installation rates. For instance, attackers have created fake websites impersonating DeepSeek AI following its media attention, luring users into installing malicious extensions.
Technical Characteristics and Command Infrastructure
The malicious extensions share distinctive technical characteristics in their implementation. They typically contain a core malicious script (often named background.js or background.iife.js) that establishes the connection to command and control servers. The permissions requested are extraordinarily broad, allowing extensive access to user data and browser functionalities.
Sophisticated Authentication Mechanisms
The extensions employ advanced authentication mechanisms to communicate with attacker infrastructure. They create JSON Web Tokens (JWT) signed with HMAC using the SHA-256 algorithm (HS256), with a payload that combines a UUID, the extension ID, the extension version, and a country code. Notably, the extension’s own ID serves as the secret key for the HMAC signature, and the signed token is then Base64 encoded before transmission.
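Because the signing key is the extension ID itself, a defender who captures a beacon can recompute the signature and confirm whether a token follows this scheme. The check below is an added example written for this article, not code from the campaign or from any researcher; the claim names (uuid, extId, version, country), the sample extension ID, and the outer Base64 wrapper format are assumptions used to build a constructed sample offline.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Constructed placeholder in the shape of a Chrome extension ID (32 chars, a-p).
SAMPLE_EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def unwrap_token(blob: str) -> str:
    """Accept a compact JWT as-is, or strip the extra Base64 layer the article
    says is applied to the signed token before transmission."""
    if blob.count(".") == 2:
        return blob
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode()

def signed_with_extension_id(blob: str, extension_id: str) -> bool:
    """Detection check: recompute the HS256 signature with the extension ID as
    the HMAC key; a match means the token follows this campaign's scheme."""
    try:
        header_b64, payload_b64, sig_b64 = unwrap_token(blob).split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:  # malformed Base64, not three segments, or not JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(extension_id.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))

def make_sample_token(extension_id: str, wrap: bool = True) -> str:
    """Builds a constructed sample in the described shape for offline testing;
    the claim names (uuid, extId, version, country) are assumptions."""
    claims = {"uuid": str(uuid.uuid4()), "extId": extension_id,
              "version": "1.0.0", "country": "US"}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(extension_id.encode(), f"{header}.{payload}".encode(),
                   hashlib.sha256).digest()
    token = f"{header}.{payload}.{_b64url(sig)}"
    return base64.b64encode(token.encode()).decode() if wrap else token
```

In practice the extension ID comes from the installed extension's manifest or its Chrome Web Store URL, and the token from the beacon body or header captured by a proxy or endpoint sensor.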
Broader Implications and Previous Incidents
This campaign is part of a broader trend of malicious Chrome extensions compromising user security. In April 2025, researchers discovered 57 Chrome extensions with over 6 million installations that monitored browsing behavior, accessed cookies, and potentially executed remote scripts. These extensions were ‘hidden,’ not appearing in Chrome Web Store searches or search engine indexes, and could only be installed via direct URLs. This tactic allowed threat actors to evade detection while aggressively promoting the extensions through ads and malicious sites.
In June 2024, a study revealed that over 280 million Google Chrome users had installed extensions containing malware over a three-year period. The study highlighted the concerning prevalence of security-noteworthy browser extensions and emphasized the need for users to review new extensions before installation, uninstall unused extensions, limit site permissions, and enable Chrome’s Enhanced Protection mode.
Recommendations for Users
To protect against such threats, users are advised to:
– Review Extensions Before Installation: Carefully read information about the extension and its developer before installing.
– Uninstall Unused Extensions: Regularly review and remove extensions that are no longer in use.
– Limit Site Permissions: Restrict the sites an extension has permission to access.
– Enable Enhanced Protection Mode: Activate Chrome’s Safe Browsing Enhanced Protection mode to receive additional protections against phishing and malware.
By adopting these practices, users can significantly reduce the risk of falling victim to malicious extensions and enhance their overall online security.