A large-scale campaign involving 108 malicious Chrome extensions has been uncovered, affecting roughly 20,000 users.
The extensions, spread across categories such as gaming, social media tools and translation utilities, appear legitimate but secretly collect sensitive data. All are linked to a single command-and-control (C2) infrastructure to enable operators to aggregate stolen information in one place.
The campaign, identified by security researchers at Socket, stands out for its breadth and coordination. Although published under five separate developer identities, the team found consistent backend systems and shared operational patterns across all extensions.
Several Attack Techniques
The research highlighted several distinct attack techniques deployed simultaneously. Among the most serious is a Telegram-focused extension that captures active web sessions every 15 seconds, allowing full account access without passwords or multi-factor authentication (MFA).
Other extensions harvest Google account details using OAuth2 permissions, inject ads by bypassing browser security protections or open arbitrary web pages through hidden backdoors. Many operate continuously in the background, even if users never actively interact with them.
Key behaviors identified include:
-
54 extensions collecting Google profile data
-
45 extensions containing a persistent backdoor triggered at browser start-up
-
Multiple tools injecting scripts or ads into popular platforms like YouTube and TikTok
-
One extension acting as a translation proxy through attacker-controlled servers
Dual Behavior Complicates Detection
According to Socket, the extensions often deliver on their advertised functionality, such as games or messaging tools, while masking malicious activity running in the background. This dual behavior makes detection difficult for users.
Read more on browser extension security risks: Experts Sound Alarm Over “Prompt Poaching” Browser Extensions
The infrastructure also supports a Malware-as-a-Service (MaaS) model, where stolen data and active sessions can be accessed by third parties. Researchers linked the entire operation to a single operator through shared cloud resources, reused code and overlapping account identifiers.
All 108 extensions were still available at the time of discovery. The appropriate security teams have been notified, and takedown requests have been submitted.
Infosecurity contacted Google for comment, but has not yet received a response.
Image credit: Mijansk786 / Shutterstock.com
