Coordinated Malicious Campaign Infiltrates Chrome Web Store
More than 100 extensions currently listed in Google's official Chrome Web Store have been identified as malicious, with researchers confirming they are designed to steal Google OAuth2 Bearer tokens, install backdoors on affected browsers, and carry out ad fraud operations. The discovery was made by researchers at application security firm Socket, who traced the extensions back to a single coordinated campaign sharing a common command-and-control (C2) infrastructure.
According to Socket's findings, the threat actor distributed the extensions under five distinct publisher identities, spreading them across several categories to avoid suspicion. These categories include Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation utility, and general browser tools.
Russian MaaS Operation Suspected
The campaign's backend infrastructure is hosted on a Contabo VPS, with multiple subdomains assigned to handle different malicious functions — including session hijacking, identity harvesting, command execution, and monetization. Socket researchers found evidence suggesting the operation is linked to a Russian malware-as-a-service (MaaS) platform, based on comments embedded in the extensions' source code relating to authentication and session theft routines.
How the Extensions Steal Data
Socket identified several distinct clusters of malicious behavior across the extensions:
- 78 extensions inject attacker-controlled HTML directly into the browser's user interface by exploiting the innerHTML property.
- 54 extensions abuse the chrome.identity.getAuthToken API to harvest the victim's email address, full name, profile picture, and Google account ID. Critically, these extensions also capture the Google OAuth2 Bearer token — a short-lived access credential that allows third-party applications to access account data or act on a user's behalf.
- 45 extensions include a hidden function that activates automatically on browser startup, functioning as a backdoor. This routine contacts the C2 server and can open arbitrary URLs without any user interaction required.
The Most Dangerous Extension: Telegram Session Hijacking
Socket singled out one extension as "the most severe" in the campaign. This extension targets Telegram Web sessions, polling and stealing session data every 15 seconds. It extracts data from localStorage as well as the active session token for Telegram Web before transmitting the information to the C2 server.
"The extension also handles an inbound message (set_session_changed) that performs the reverse operation: it clears the victim's localStorage, overwrites it with threat actor-supplied session data, and force-reloads Telegram. This allows the operator to swap any victim's browser into a different Telegram account without the victim's knowledge."
This capability effectively enables the attacker to silently take over a victim's Telegram identity in real time, without the target ever realizing their session has been replaced.
Additional Malicious Capabilities
Beyond the major clusters, researchers also uncovered:
- Three extensions that strip browser security headers and inject advertisements into YouTube and TikTok pages.
- One extension that routes translation requests through a malicious intermediary server rather than a legitimate translation service.
- A non-active Telegram session theft extension that appears to be using staged infrastructure, potentially in preparation for future deployment.
Extensions Remain Live on the Chrome Web Store
Socket has formally notified Google about the campaign, but as of the publication of their report, all identified malicious extensions remained accessible on the Chrome Web Store. BleepingComputer independently confirmed that many of the extensions listed in Socket's report were still available at the time of publishing. Google had not responded to a request for comment by the time the article went live.
What Users Should Do Immediately
Socket has published a list of extension IDs associated with this campaign. Users are strongly advised to take the following steps:
- Cross-reference every installed Chrome extension against the IDs published in Socket's report.
- Uninstall any matching extensions immediately.
- Review any Google account activity for signs of unauthorized access, particularly if OAuth tokens may have been exposed.
- Log out of all active Telegram Web sessions and review connected devices if any Telegram-related extensions were installed.
This campaign is a stark reminder that even officially listed extensions in curated storefronts can pose serious threats. The use of multiple publisher identities, diverse extension categories, and shared backend infrastructure reflects a level of operational sophistication designed to evade both automated and manual detection.
Source: BleepingComputer