A wave of over 40 malicious Chrome browser extensions, many still available in the official Chrome Web Store, has been discovered by security researchers at LayerX.
These extensions, identified as components of at least three coordinated phishing campaigns, are actively stealing sensitive information from unsuspecting users by masquerading as legitimate, popular brands.
The initial discovery was made by the DomainTools Intelligence (DTI) team, who flagged a series of suspicious domains interacting with browser extensions that imitated well-known digital services.
Building on this, LayerX analysts conducted further technical investigation, correlating flagged URLs with Chrome extension metadata and exposing the full ecosystem behind the threat.

Their analysis identified extension IDs, names, publisher domains, and release/update timelines, revealing a sophisticated and rapidly evolving malicious infrastructure.
AI-Driven Scalability
One of the most striking features of this campaign is the use of AI-generated content to create extension pages with nearly identical structures, formatting, and promotional language.
This automation has allowed attackers to scale their operations quickly, deploying dozens of unique but similarly disguised extensions with minimal human effort.
These fake tools mimic widely used brands such as Fortinet’s FortiVPN, DeepSeek AI, Calendly, various YouTube helper applications, and cryptocurrency utilities like DeBank, among others. The attackers employ a multifaceted strategy of deception.
They register domain names closely resembling those of the impersonated brands (for example, “calendlydaily[.]world” and “calendly-director[.]com”) and supply publisher contact addresses using convincing formats such as “support@[malicious-domain]”, lending an additional air of legitimacy.
Notably, publisher details use custom domains rather than generic email services, further enhancing their apparent credibility in the Chrome Store.
Persistent Data Theft
These malicious extensions typically request excessive permissions, allowing threat actors persistent access to browser sessions.
Once installed, they can harvest authentication tokens, personal data, and sensitive corporate information, while also enabling attackers to impersonate users or breach internal networks.
Some extensions even remain functional and dangerous after being removed from the Chrome Store, as existing installations persist in users’ browsers unless manually uninstalled.
The ongoing campaign highlights a significant blind spot for both individuals and organizations—the security of browser extensions. Malicious plugins can bypass endpoint defenses, facilitating credential theft and lateral movement within enterprise environments.
Experts stress the need for proactive and layered defensive measures. Organizations should consider the following steps:
- Enforce strict extension policies via management tools, blocking unknown or recently published extensions and those demanding suspicious permissions.
- Regularly audit installed browser extensions, especially those mimicking popular brands or originating from non-official domains.
- Remove extensions immediately if they have been identified as malicious, even if they are no longer present in the Chrome Store.
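The audit-and-block steps above, as an added Python example (not LayerX's tooling or any vendor's): it checks unpacked extension manifests against the extension IDs from the IOC table at the end of this article and against a set of risky permissions, then emits a Chrome ExtensionSettings policy that denies those permissions by default and marks the IOC IDs "removed" so managed browsers uninstall them even after the Web Store listing is gone. The risky-permission set, the profile path and the sample manifests are assumptions made for this example.

```python
import json
from pathlib import Path

# Extension IDs from the LayerX IOC table on this page.
IOC_EXTENSION_IDS = {
    "ccollcihnnpcbjcgcjfmabegkpbehnip", "aeibljandkelbcaaemkdnbaacppjdmom",
    "fcfmhlijjmckglejcgdclfneafoehafm", "abbngaojehjekanfdipifimgmppiojpl",
    "dohmiglipinohflhapdagfgbldhmoojl", "acmiibcdcmaghndcahglamnhnlmcmlng",
    "mipophmjfhpecleajkijfifmffcjdiac", "cknmibbkfbephciofemdjndbgebggnkc",
    "gmigkpkjegnpmjpmnmgnkhmoinpgdnfc", "ahgccenjociolkbpgbfibmfclcfnlaei",
}
# Permissions with reach into sessions and credentials (this set is an assumption).
RISKY_PERMISSIONS = {"cookies", "webRequest", "tabs", "history",
                     "nativeMessaging", "management", "<all_urls>"}

def load_manifests(profile_dir):
    """Yield (extension_id, manifest) for each extension unpacked under a Chrome
    profile directory, e.g. ~/.config/google-chrome/Default on Linux."""
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        yield path.parent.parent.name, json.loads(path.read_text())

def audit(manifests):
    """Return {extension_id: [reasons]} for extensions to remove or review."""
    findings = {}
    for ext_id, manifest in manifests:
        reasons = []
        if ext_id in IOC_EXTENSION_IDS:
            reasons.append("listed in published IOCs")
        granted = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        risky = sorted(granted & RISKY_PERMISSIONS)
        if risky:
            reasons.append("risky permissions: " + ", ".join(risky))
        if reasons:
            findings[ext_id] = reasons
    return findings

def extension_settings_policy(ioc_ids=IOC_EXTENSION_IDS):
    """Chrome ExtensionSettings policy: deny risky API permissions by default and
    set each IOC ID to "removed", which uninstalls it from managed browsers."""
    policy = {"*": {"blocked_permissions": sorted(RISKY_PERMISSIONS - {"<all_urls>"})}}
    for ext_id in sorted(ioc_ids):
        policy[ext_id] = {"installation_mode": "removed"}
    return policy

# Constructed sample manifests (not real extension code): one IOC hit, one benign.
SAMPLE_MANIFESTS = [
    ("cknmibbkfbephciofemdjndbgebggnkc", {"name": "Calendly Daily",
     "permissions": ["cookies", "tabs", "storage"], "host_permissions": ["<all_urls>"]}),
    ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", {"name": "Benign Notes", "permissions": ["storage"]}),
]
```

Run `audit(load_manifests(profile_dir))` against a real profile to list installed extensions worth removing, and serialise `extension_settings_policy()` as JSON for the ExtensionSettings policy key in your browser management tool.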
LayerX has responded by offering a browser security platform that continuously identifies and blocks risky extensions, automates detection of suspicious behaviors, and enforces granular security policies across organizational environments.
Indicators of Compromise (IOC)
| Extension ID | Extension Name | Publisher Domain |
|---|---|---|
| ccollcihnnpcbjcgcjfmabegkpbehnip | FortiVPN | forti-vpn[.]com |
| aeibljandkelbcaaemkdnbaacppjdmom | Manus AI \| Free AI Assistant | manusai[.]sbs |
| fcfmhlijjmckglejcgdclfneafoehafm | Site Stats | sitestats[.]world |
| abbngaojehjekanfdipifimgmppiojpl | Clothing Brand Name Generator | clothingbrandnamegenerator[.]app |
| dohmiglipinohflhapdagfgbldhmoojl | DeBank – Digital Assets | winchester[.]abram37 |
| acmiibcdcmaghndcahglamnhnlmcmlng | AML Sector \| Free Crypto AML Checker | amlsector[.]com |
| mipophmjfhpecleajkijfifmffcjdiac | Crypto Whales Vision | cryptowhalesvision[.]world |
| cknmibbkfbephciofemdjndbgebggnkc | Calendly Daily \| Free Meeting Scheduling Software | calendly-daily[.]com |
| gmigkpkjegnpmjpmnmgnkhmoinpgdnfc | Calendly Docket \| Free Meeting Scheduling Software | calendly-docket[.]com |
| ahgccenjociolkbpgbfibmfclcfnlaei | CreativeHunter – Free tool for Facebook | creativehunter[.]world |