108 malicious Chrome extensions found stealing user data


A new campaign has been spotted that spreads over 100 malicious Google Chrome extensions designed to steal user data and manipulate web browsing.

According to security firm Socket, the extensions all connect to the same command-and-control (C&C) servers, allowing attackers to gather sensitive information such as login credentials, browsing activity, and user identities. The extensions have been published under five different developer names and have reached around 20,000 installs on the Chrome Web Store.

Researchers found that 54 of the extensions specifically target Google account data using OAuth2, while 45 include a hidden backdoor that can open websites automatically when the browser starts. Others perform various malicious actions, such as stealing Telegram session data, removing security protections from sites like YouTube and TikTok, injecting ads and scripts into web pages, and routing translation requests through attacker-controlled servers.

To appear legitimate, the extensions pose as helpful tools, including Telegram clients, gaming apps, video enhancers, and translation utilities.

Researchers say it is still unclear who is behind the operation, although some clues in the code suggest Russian-language origins. Users are advised to review installed extensions and remove any suspicious or unfamiliar ones.
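To make that review concrete, here is an added defensive illustration (not code from Socket's report or from this article) that walks a Chrome profile's Extensions directory and flags the capability combinations the campaign relies on: OAuth2/identity access to the Google account, request or header rewriting, content scripts on every site, and a startup handler that opens tabs. The profile layout, the sample manifest and the permission heuristics are assumptions; a hit is a reason to inspect an extension, not proof that it is malicious.

```python
import json
import re
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
NET_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def _hosts(manifest):
    """Host access from MV3 host_permissions, MV2 permissions and content scripts."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts

def audit_manifest(manifest, background_js=""):
    """Findings worth a manual look; a hit means 'inspect', not 'malicious'."""
    findings, perms = [], set(manifest.get("permissions", []))
    broad = bool(_hosts(manifest) & BROAD_HOSTS)
    if "oauth2" in manifest or "identity" in perms:
        findings.append("oauth2: can request Google account tokens")
    if perms & NET_PERMS:
        findings.append("netrequest: can rewrite headers and strip site protections")
    if broad and manifest.get("content_scripts"):
        findings.append("inject: content scripts run on every site (ads, session data)")
    if broad and "cookies" in perms:
        findings.append("cookies: can read session cookies for every site")
    # tabs.create needs no permission, so a startup backdoor shows only in code:
    if re.search(r"runtime\.onStartup", background_js) and "tabs.create" in background_js:
        findings.append("startup: opens tabs when the browser starts")
    return findings

def scan_profile(profile_dir):
    """Map extension id -> findings for each <profile>/Extensions/<id>/<ver>/manifest.json."""
    report = {}
    for mf in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        manifest = json.loads(mf.read_text(encoding="utf-8"))
        bg = manifest.get("background", {})
        js = "".join((mf.parent / n).read_text(encoding="utf-8", errors="ignore")
                     for n in [bg.get("service_worker")] + bg.get("scripts", [])
                     if n and (mf.parent / n).is_file())
        if findings := audit_manifest(manifest, js):
            report[mf.parent.parent.name] = findings
    return report

# Constructed sample shaped like the campaign's "translation utility" lures (not a real extension).
SAMPLE = {"manifest_version": 3, "name": "Quick Translate", "version": "1.0",
          "permissions": ["identity", "cookies", "declarativeNetRequest"],
          "host_permissions": ["<all_urls>"], "background": {"service_worker": "bg.js"},
          "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
SAMPLE_BG = "chrome.runtime.onStartup.addListener(() => chrome.tabs.create({url: 'https://example.invalid'}));"
```

Typical profile directories are `~/.config/google-chrome/Default` on Linux and `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows; pass one of these to `scan_profile`.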

A full list of the malicious extensions and the Indicators of Compromise (IoCs) attributed to this campaign is available in Socket's report.

