Researchers linked 108 malicious Chrome extensions to a coordinated campaign that exposed about 20,000 users to data theft, backdoors, and ad injection.
About 20,000 people have had their data stolen by a single hacking group that weaponized 108 Chrome extensions in a numbers game.
Discovered by Socket, a security research organization, these Chrome extensions masqueraded as everyday utilities while reporting to the same Command and Control (C2) server. On the surface, they appeared to be legitimate tools. But under the hood, the researchers found that these tools stole users’ data and injected malicious code into their browsing sessions.
At the time of reporting, all 108 extensions were still live on the Chrome Web Store. To keep users safe, Socket has submitted its findings to Google, including the list of the 108 extensions it detected. Users are advised to take precautionary measures when installing Chrome extensions.
Just as apps are published under named publisher accounts, so are Chrome extensions, and this operator spread the 108 malicious extensions across five publisher accounts, namely:
The research team found that each extension is further divided into different roles based on its function. Half of the extensions (54) abuse OAuth flows to target and steal Google account identities. 45 others carry a universal backdoor that grants the attacker access to any URL on the victim’s browser.
The remaining extensions are used to carry out the following malicious behaviors:
While one of the extensions is used to inject attacker-controlled ads into YouTube, the research did not say whether this would also affect YouTube Premium subscribers.
At the center of this attack is one simple idea: scale.
By making the extensions appear to be helpful tools, the attacker successfully tricked about 20,000 users into installing them. Once installed, each extension behaved normally while performing its malicious tasks in the background. The translator did its job; the YouTube and TikTok enhancers did theirs, and so did every other extension, so that no one noticed.
Every installed Chrome extension can, by default, see and potentially change information on the user’s webpage at any given time. Aside from that, some extensions request additional permissions or even prompt users to sign in using Google OAuth.
One gaming extension, Formula Rush Racing Game (ID: akebbllmckjphjiojeioooidhnddnplj), requires users to log in with Google, enabling it to exfiltrate the user’s Google account identifiers. Socket, in a different report, notes that the extension requires network access and system information and could be used for exploits.
Another extension masqueraded as an internet speed test for Chrome but communicated with C2 servers to steal user data and execute commands. Socket’s specific analysis of it says it requests storage, tabs, and notifications permissions from its victims.
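As an added example that is not part of Socket's research or this article, the following Python triage script scores a set of Chrome extension manifests by the signals described above (broad host access, the storage/tabs/notifications set, and identity or OAuth flows) and matches extension IDs against a block list seeded with the one ID named in this article. The sample manifests, and every ID other than that one, are constructed for illustration.

```python
import json

# Extension ID named in the report; extend with Socket's full list when it is
# published (beyond that one entry the set is a placeholder).
BLOCKLIST = {"akebbllmckjphjiojeioooidhnddnplj"}
# Permissions that, paired with broad host access or an OAuth flow, give an
# extension what the campaign's backdoor and identity-theft roles needed.
SENSITIVE = {"tabs", "storage", "notifications", "identity", "cookies",
             "scripting", "webRequest", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def assess(ext_id, manifest):
    """Return (risk_score, findings) for one parsed manifest.json; handles
    Manifest V2 (host patterns in "permissions") and V3 ("host_permissions")."""
    findings = []
    if ext_id in BLOCKLIST:
        findings.append("extension ID is on the block list")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if p == "<all_urls>" or "://" in p}
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if perms & SENSITIVE:
        findings.append("sensitive permissions: " + ", ".join(sorted(perms & SENSITIVE)))
    if manifest.get("oauth2", {}).get("scopes") or "identity" in perms:
        findings.append("can initiate a Google OAuth / identity flow")
    return len(findings), findings

def audit(manifests):
    """Map each extension ID to its assessment, highest risk first."""
    scored = {eid: assess(eid, json.loads(raw)) for eid, raw in manifests.items()}
    return dict(sorted(scored.items(), key=lambda kv: -kv[1][0]))

# Constructed sample manifests for illustration (not the real extensions' files).
SAMPLES = {
    "akebbllmckjphjiojeioooidhnddnplj": json.dumps({
        "manifest_version": 3, "name": "Formula Rush Racing Game",
        "permissions": ["identity", "storage"],
        "oauth2": {"client_id": "PLACEHOLDER", "scopes": ["openid", "email"]}}),
    "constructedspeedtest000000000002": json.dumps({
        "manifest_version": 3, "name": "Speed Test",
        "permissions": ["storage", "tabs", "notifications"],
        "host_permissions": ["<all_urls>"]}),
    "constructedbenign000000000000003": json.dumps({
        "manifest_version": 3, "name": "Dark Theme", "permissions": ["activeTab"]}),
}

if __name__ == "__main__":
    for eid, (score, findings) in audit(SAMPLES).items():
        print(f"{eid}: risk {score}", *findings, sep="\n    ")
```

To run it against a real profile, feed `audit()` the contents of each `manifest.json` under the browser's Extensions directory keyed by its folder name (the extension ID).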
At first glance, these may seem like scattered, unrelated tools, but it is more than that. It is a single malicious pipeline quietly running a network of infected browsers.
The attacker published 108 extensions across different categories, all coordinated through a single pipeline. That suggests a level of sophistication not many hackers have. And while no group has been named yet, comments found during analysis of some of the extensions' code contained Russian-language content.
To stay safe, do the following:
Joseph is a Technical Writer with about 3 years of experience in the industry, also advancing a career in cyber threat intelligence. He is passionate about the responsible use of technology, a passion that led him into cybersecurity. As an undergrad, he leads a novel community of technology enthusiasts at his school, NOUN, where he guides and shares resources for beginners in tech. His writing experience includes writing on a diverse range of topics, from consumer tech to startups and tutorials. Additionally, he periodically shares case studies and research reports on cybersecurity on his social media pages.