A recent investigation by the Socket Threat Research Team has revealed a sophisticated and persistent campaign targeting Firefox users with malicious browser extensions, capable of credential theft, unauthorized surveillance, and affiliate hijacking.
The discoveries underscore a growing trend where attackers exploit trusted browser environments, leveraging popular gaming and utility themes to maximize user reach and evade detection.
Researchers disclosed the presence of over 40 malicious Firefox add-ons this month alone, echoing a broader trend affecting all major browsers, with earlier waves impacting Chrome users through more than 100 fake extensions.
Coordinated Attack Campaign
The research began with the exposure of a single rogue gaming extension, “Shell Shockers,” which redirected unsuspecting users to fraudulent tech support scams.
Further analysis unraveled an interconnected network of fake gaming add-ons, operated by a persistent threat actor identified as ‘mre1903.’
[Image: mre1903 profile]
By mimicking well-known games such as Little Alchemy 2, 1v1.LOL, Five Nights at Freddy’s, Bubble Spinner, and Krunker io, these extensions exploited user familiarity and bypassed initial skepticism.
Once installed, victims were redirected to high-risk destinations including betting websites and fake Apple virus alerts, often employing scare tactics and social engineering to extract sensitive data and money from users.
[Image: mre1903’s extensions redirecting to fake Apple virus alerts and shady betting websites]
What makes this campaign particularly insidious is its maturity and persistence. The mre1903 account has been active since 2018, with a surge in malicious extension releases from late 2020 to early 2021.
None of the impostor gaming add-ons delivered actual entertainment; every installation triggered pop-up windows leading to scams, with attack infrastructure distributed across multiple domains to evade detection.
The attackers’ strategic use of recognizable brands and reliable update mechanisms showcases an evolved approach to browser-based social engineering.
Malicious Utility Add-ons Escalate Risk
While the gaming extensions’ primary goal centers on scam redirection and adware, researchers also discovered utility-themed spyware and credential theft tools masquerading as productivity aids.
The “GimmeGimme” extension, for example, claimed to offer wishlist functionality for popular Dutch and Belgian e-commerce platforms.
Instead, it covertly hijacked affiliate sessions, redirecting shopping traffic through attacker-controlled URLs and silently monetizing user actions without delivering promised features.
Such abuse of affiliate programs not only erodes user trust but also creates a foundation for more intrusive surveillance or malware propagation.
A more egregious threat emerged with “VPN – Grab A Proxy – Free,” which posed as a privacy tool while surreptitiously injecting invisible tracking iframes and routing all browser traffic through attacker-defined proxy servers.
This allowed for the interception and potential decryption of user sessions, exposing credentials, private communications, and even financial information to adversaries.
The manipulation of proxy settings also lowers the barrier for man-in-the-middle attacks, further compromising user privacy and security.
According to the report, the most alarming discovery centered on “CalSyncMaster,” a browser extension that claimed to synchronize Google Calendar data.
By exploiting the OAuth authentication flow, it harvested Google access tokens, granting attackers continuous read access to victims’ calendars and associated sensitive information.
Although it initially requested read-only permissions, the underlying architecture could scale to broader privileges, raising the specter of targeted phishing, social engineering, and advanced persistent threat operations against individuals and organizations.
The evolution from basic scam redirects to advanced data harvesting and persistent surveillance highlights the need for regular auditing of browser extensions and heightened scrutiny of requested permissions.
Organizations are urged to implement extension allow-lists and monitor for unauthorized proxy changes, while individual users should remain skeptical of add-ons requesting broad permissions or lacking clear, functional value.
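A profile-audit check in the spirit of the recommendation above, added here as an example and not code from the article or from Socket’s research: it reads a Firefox profile’s extensions.json and prefs.js, flags add-ons whose names match the article’s IoC table or that hold the WebExtensions `proxy` permission, and reports any manual proxy configuration. The JSON field names used (`addons`, `defaultLocale`, `userPermissions`) and both sample inputs are assumptions constructed for the demo.

```python
import json
import re

# Constructed sample of a Firefox profile's extensions.json, abridged to the
# fields this check reads (field names are an assumption about the format).
SAMPLE_EXTENSIONS_JSON = json.dumps({"addons": [
    {"id": "uBlock0@raymondhill.net", "active": True,
     "defaultLocale": {"name": "uBlock Origin"},
     "userPermissions": {"permissions": ["storage", "tabs"], "origins": ["<all_urls>"]}},
    {"id": "{constructed-id-1}", "active": True,
     "defaultLocale": {"name": "VPN – Grab a Proxy – Free"},
     "userPermissions": {"permissions": ["proxy", "webRequest"], "origins": ["<all_urls>"]}},
]})

# Constructed prefs.js lines: a manual proxy (network.proxy.type 1) pointed at
# an unfamiliar host, the kind of change the article says to monitor for.
SAMPLE_PREFS_JS = '''user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.example-attacker.invalid");
user_pref("network.proxy.http_port", 8080);
'''

# Extension names taken from the article's IoC table.
IOC_EXTENSION_NAMES = {"CalSyncMaster", "VPN – Grab a Proxy – Free", "GimmeGimme",
                       "Five Nights at Freddy’s", "Little Alchemy 2", "Bubble Spinner",
                       "1v1.LOL", "Krunker io Game"}

PREF_RE = re.compile(r'user_pref\("(network\.proxy\.[^"]+)",\s*(.+?)\);')

def audit_profile(extensions_json: str, prefs_js: str) -> dict:
    """Return IoC-named add-ons, add-ons holding the 'proxy' permission,
    and the manual proxy host from prefs.js (None if no manual proxy)."""
    findings = {"ioc_matches": [], "proxy_permission": [], "manual_proxy": None}
    for addon in json.loads(extensions_json).get("addons", []):
        name = addon.get("defaultLocale", {}).get("name", "")
        perms = addon.get("userPermissions", {}).get("permissions", [])
        if name in IOC_EXTENSION_NAMES:
            findings["ioc_matches"].append(name)
        if "proxy" in perms:
            findings["proxy_permission"].append(name)
    # Collect network.proxy.* prefs; quoted values lose their surrounding quotes.
    prefs = {k: v.strip('"') for k, v in PREF_RE.findall(prefs_js)}
    if prefs.get("network.proxy.type") == "1":
        findings["manual_proxy"] = prefs.get("network.proxy.http") or prefs.get("network.proxy.ssl")
    return findings

if __name__ == "__main__":
    print(audit_profile(SAMPLE_EXTENSIONS_JSON, SAMPLE_PREFS_JS))
```

Pointing the two inputs at a live profile directory turns this into a quick allow-list check against the names the report lists.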
Indicators of Compromise (IOCs)
Category | Name/Domain
---|---
Malicious Domains | funformathgame[.]com
Malicious Domains | polar-shore-05125-b49ae913d73c[.]herokuapp[.]com
Malicious Extensions | CalSyncMaster
Malicious Extensions | VPN – Grab a Proxy – Free
Malicious Extensions | GimmeGimme
Malicious Extensions | Five Nights at Freddy’s
Malicious Extensions | Little Alchemy 2
Malicious Extensions | Bubble Spinner
Malicious Extensions | 1v1.LOL
Malicious Extensions | Krunker io Game
Threat Actor | mre1903