A threat actor has orchestrated a sustained campaign to create and distribute over 100 malicious Chrome browser extensions since at least February 2024, leveraging the Chrome Web Store (CWS) as a delivery platform.
The operation is characterized by the creation of convincing lure websites that imitate legitimate services, productivity tools, ad analysis platforms, VPNs, and financial solutions.
By enticing users with seemingly useful browser extensions, the attackers succeed in installing malware capable of credential theft and remote code execution.
Threat Actor Exploits Chrome Web Store
Analysis of the campaign reveals dual-purpose Chrome extensions that appear fully or partially functional according to their advertised themes.
Behind this facade, these extensions establish persistent communication with attacker-controlled servers, sending sensitive information, receiving remote commands, and executing arbitrary scripts on users’ browsers.
In many cases, excessive permissions are requested in the manifest.json files, allowing the extensions to interact with every site visited and circumvent Chrome’s content security policy (CSP) protections.
Technical investigation identifies sophisticated evasion techniques, such as using “onreset” event handlers within temporary DOM elements to initiate code execution, and hardcoded API endpoints embedded within background scripts (background.js or background.iife.js).
This design allows the attacker to dynamically update malicious behaviors post-installation, bypassing static reviews during Chrome Web Store submission.
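As an added defender's example (not code from the report or from the extensions it describes), the following Python audit checks an extension for the signals just listed: over-broad manifest permissions, CSP overrides, hardcoded remote endpoints in the background script, and the “onreset” string. The sample manifest, script and .invalid hostnames are constructed stand-ins, not indicators from the campaign.

```python
import json
import re
from pathlib import Path

# Permissions that let an extension read every site or reshape its traffic.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "scripting", "proxy", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ENDPOINT_RE = re.compile(r"\b(?:https?|wss?)://[\w.-]+(?:/[\w./?=&%-]*)?")
SUSPICIOUS = ("onreset", "eval(", "new Function(")  # onreset trick above, plus dynamic eval

# Constructed sample input standing in for an unpacked extension (not a real one).
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Example VPN Helper",
    "permissions": ["cookies", "declarativeNetRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.iife.js"}}
SAMPLE_BACKGROUND = (
    'const API="https://api.example.invalid/v1/cmd";'
    'const ws=new WebSocket("wss://c2.example.invalid/sock");'
    'el.setAttribute("onreset", payload); el.dispatchEvent(new Event("reset"));')

def audit_manifest(manifest):
    """Findings from a parsed manifest.json: broad access, CSP override, background entry points."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 lists hosts under permissions
    bg = manifest.get("background", {})
    scripts = [bg["service_worker"]] if "service_worker" in bg else list(bg.get("scripts", []))
    return {"risky_permissions": sorted(perms & RISKY_PERMISSIONS),
            "all_sites": bool(hosts & BROAD_HOSTS),
            "csp_overridden": "content_security_policy" in manifest,
            "background_scripts": scripts}

def audit_background(source):
    """Hardcoded remote endpoints and code-execution heuristics in a background script."""
    return {"endpoints": sorted(set(ENDPOINT_RE.findall(source))),
            "suspicious": [s for s in SUSPICIOUS if s in source]}

def risk_score(manifest, sources):
    """0-4: every-site access, risky permission, hardcoded endpoint, suspicious pattern."""
    m = audit_manifest(manifest)
    b = [audit_background(sources.get(s, "")) for s in m["background_scripts"]]
    return (m["all_sites"] + bool(m["risky_permissions"])
            + any(x["endpoints"] for x in b) + any(x["suspicious"] for x in b))

def audit_unpacked(ext_dir):
    """Score an unpacked extension directory on disk (manifest.json plus background scripts)."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    scripts = audit_manifest(manifest)["background_scripts"]
    sources = {s: (ext_dir / s).read_text(encoding="utf-8") for s in scripts if (ext_dir / s).exists()}
    return risk_score(manifest, sources)
```

A score of 3 or 4 on a productivity or VPN extension is a strong cue to uninstall and review it; the heuristics are a triage aid, not proof of malice.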
The lure domains and corresponding extensions share striking consistencies in their infrastructure.
Domains are frequently registered through NameSilo, LLC, utilize Cloudflare for name service, and feature SSL certificates from issuers like WE1.
Tactics such as embedding Facebook Tracker IDs in lure sites enhance the campaign’s reach and tracking capabilities.
Hundreds of domains have been attributed to the operation, spanning themes from AI assistants (DeepSeek AI) to VPNs (e.g., FortiVPN), and fake analytics tools (SiteStats).

Allow Attackers to Execute Arbitrary Code
The extensions meticulously implement mechanisms for exfiltrating browser cookies, harvesting login credentials, and establishing web proxy tunnels, effectively routing victim traffic through malicious servers.
For instance, the FortiVPN-themed extension maintains WebSocket connections with attacker backends, receives custom commands, and can retrieve and transmit all browser cookies (often compressed and base64 encoded).
Other extensions inject arbitrary scripts into active browser tabs, enable dynamic modification of network requests (using Chrome’s declarativeNetRequest API), and can perform phishing via DOM manipulation or ad injection.
A consistent security failure observed is the hardcoding of third-party API keys, including those for legitimate services, within the extension code.
This flaw not only weakens user privacy but also enables attackers to impersonate users or abuse these services for further attacks.
Authentication to actor infrastructure is established using JWT tokens, with payloads signed via HMAC-SHA256.
The tokens integrate extension identifiers and system fingerprints, and are base64-encoded before transmission to the attacker’s servers.
This design supports dynamic, on-demand delivery of malicious payloads and minimizes static indicators for defensive detection.
Google has responded by removing multiple identified malicious extensions from the Chrome Web Store, but detection lags and the rapid adaptability of the threat actor continue to endanger users, especially those seeking trending productivity or AI tools.
The campaign leverages the powerful set of extension APIs, current technology trends, and social engineering via fake websites to maintain infection rates and persist in user environments.
Security experts advise Chrome users to exercise caution by installing extensions only from verified sources, scrutinizing permissions, regularly auditing browser extensions, and ensuring browsers and security software are up-to-date.
The ongoing campaign underscores the evolving sophistication of browser-based threats and the necessity for heightened user vigilance.