Over 100 Malicious Chrome Extensions Attack Users to Steal Login Credentials and Execute Remote Code
The article describes a sophisticated cyberattack campaign: since February 2024, more than 100 malicious Chrome browser extensions have tricked users into installing them by posing as legitimate tools, then covertly stolen sensitive data and executed malicious code. The extensions spread by exploiting the trust placed in the Google Chrome Web Store and build their command-and-control infrastructure through fake websites and elaborate technical measures (such as JWT authentication). They can steal credentials, hijack sessions, inject advertisements and execute remote code. Despite Google's security measures, these malicious extensions have persisted for long periods and pose a serious threat. 2025-5-21 12:21:57 Author: cybersecuritynews.com

100+ Malicious Chrome Extensions Attacking Users to Exfiltrate Login Credentials & Execute Remote Code

A sophisticated campaign involving more than 100 malicious Chrome browser extensions has been discovered targeting users worldwide since February 2024.

These malicious extensions employ a deceptive dual-functionality approach, appearing to work as advertised while secretly connecting to attacker-controlled servers to steal sensitive data and execute arbitrary code on victims’ browsers.

The threat actor behind this campaign has created an extensive network of fake websites masquerading as legitimate services, including productivity tools, AI assistants, VPN clients, cryptocurrency platforms, and banking services.


These deceptive sites direct unsuspecting users to install corresponding malicious extensions from Google’s official Chrome Web Store, exploiting the inherent trust users place in the platform’s security measures.

DomainTools researchers identified that these extensions request excessive permissions during installation, granting them broad access to users’ browsing activities across all websites.

The researchers noted the sophisticated architecture allows attackers to exfiltrate login credentials, hijack active sessions, inject malicious advertisements, manipulate network traffic, and perform targeted phishing attacks through DOM manipulation.

Once installed, these extensions establish communication channels with a network of attacker-controlled domains using elaborate authentication mechanisms.

The extensions periodically send user data and receive commands for execution, creating a persistent backdoor into victims’ browsers.

The potential impact is severe, as compromised browsers can lead to account takeovers, financial theft, and privacy breaches across multiple platforms and services.

Despite Google’s security measures, the actor has demonstrated remarkable persistence, with many extensions remaining available for extended periods before detection and removal.

DeepSeek Chrome Extension themed lure website (Source – DomainTools)

The campaign specifically exploits trending technologies to increase installation rates, including recently creating fake websites impersonating DeepSeek AI following its media attention.

Lure websites (Source – DomainTools)

Extension Architecture and Command Infrastructure

The malicious extensions share distinctive technical characteristics in their implementation.

They typically contain a core malicious script (usually named “background.js” or “background.iife.js”) that establishes the connection to command and control servers.

As shown in the following manifest.json excerpt from one such extension, the permissions requested are extraordinarily broad:

```json
"manifest_version": 3,
"name": "Crypto Whales Vision | Alert of Major Crypto Transactions",
"version": "3.0.1",
"description": "A system for tracking and analyzing large transactions on the Blockchain",
"host_permissions": [
    ""
],
"permissions": [
    "storage",
    "management",
    "declarativeNetRequest"
],
"background": {
    "service_worker": "background.js"
},
```

The technical sophistication extends to the authentication mechanism used to communicate with attacker infrastructure. The extensions create JWT tokens signed with HMAC-SHA256, with a payload that combines a UUID, the extension ID, the extension version, and a country code.

Notably, the extension’s own ID serves as the secret key for signing the JWT payload, and the resulting token is then Base64-encoded before transmission to command servers.

This clever technique enables secure authentication between the extension and attacker infrastructure.

After successful authentication, the extensions implement a monitoring system that regularly sends “ping” messages and detailed reports about user browsing activity to command servers.

The most dangerous capability observed is the remote code execution feature, where extensions receive arbitrary JavaScript from command servers and execute it within the context of any webpage the user visits.

Some extensions were observed implementing additional malicious capabilities, including cookie theft using “chrome.cookies.getAll({})” to extract authentication data from all websites, and establishing WebSocket connections to domains like “api.zorpleflux[.]top” for real-time command reception.

These extensions can also implement reverse proxy functionality, allowing attackers to route their traffic through victims’ browsers and potentially implicate innocent users in malicious activities.

Users are strongly advised to regularly audit their installed extensions, review requested permissions carefully, and immediately remove any suspicious extensions.
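One way to make that permission review systematic, as an added example that is not part of the article: a triage check over a parsed manifest.json that flags the combination the article describes, wildcard host access together with powerful API permissions. The risk notes, severity rule and sample manifest are this example's own assumptions, not Chrome policy.

```javascript
// Added example (not from the article): flag the permission pattern the
// article describes, wildcard host access plus powerful API permissions.
// Risk notes and the severity rule are this example's assumptions.
const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const RISKY_PERMISSIONS = new Map([
  ["cookies", "can read cookies, including session tokens, for every granted host"],
  ["management", "can enumerate and disable other extensions"],
  ["declarativeNetRequest", "can block or rewrite network requests"],
  ["webRequest", "can observe network requests"],
  ["scripting", "can inject scripts into pages"],
]);

// Returns { name, severity, findings } for a parsed manifest.json object.
function auditManifest(manifest) {
  const findings = [];
  let broadHostCount = 0;
  for (const h of manifest.host_permissions || []) {
    if (BROAD_HOST_PATTERNS.has(h)) {
      broadHostCount++;
      findings.push(`host access to every site via ${h}`);
    }
  }
  // MV3 extensions can also reach every page through content_scripts matches.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOST_PATTERNS.has(m)) {
        broadHostCount++;
        findings.push(`content script injected on ${m}`);
      }
    }
  }
  const risky = (manifest.permissions || []).filter((p) => RISKY_PERMISSIONS.has(p));
  for (const p of risky) findings.push(`${p}: ${RISKY_PERMISSIONS.get(p)}`);
  let severity = "low";
  if (broadHostCount > 0 && risky.length > 0) severity = "high";
  else if (broadHostCount > 0 || risky.length > 0) severity = "medium";
  return { name: manifest.name, severity, findings };
}

// Constructed sample modelled on the article's excerpt; <all_urls> is an
// assumed host pattern, since the excerpt's host entry did not survive.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Crypto Whales Vision | Alert of Major Crypto Transactions",
  host_permissions: ["<all_urls>"],
  permissions: ["storage", "management", "declarativeNetRequest"],
  background: { service_worker: "background.js" },
};
```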

While Google continues to remove identified malicious extensions from the Chrome Web Store, the evolving nature of this campaign requires continued vigilance from all browser users.



Article source: https://cybersecuritynews.com/100-malicious-chrome-extensions-attacking-users/