.png)
2 weeks ago
4
An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.
"The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more to direct users to install corresponding malicious extensions on Google's Chrome Web Store (CWS)," the DomainTools Intelligence (DTI) team said in a report shared with The Hacker News.
While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation.
Another factor that works in the extensions' favor is that they are configured to grant themselves excessive permissions via the manifest.json file, allowing them to interact with every site visited on the browser, execute arbitrary code retrieved from an attacker-controlled domain, perform malicious redirects, and even inject ads.
The extensions have also been found to rely on the "onreset" event handler on a temporary document object model (DOM) element to execute code, likely in an attempt to bypass content security policy (CSP).
Some of the identified lure websites impersonate legitimate products and services like DeepSeek, Manus, DeBank, FortiVPN, and Site Stats to entice users into downloading and installing the extensions. The add-ons then proceed to harvest browser cookies, fetch arbitrary scripts from a remote server, and set up a WebSocket connection to act as a network proxy for traffic routing.
There is currently no visibility into how victims are redirected to the bogus sites, but DomainTools told the publication that it could involve usual methods like phishing and social media.
"Because they appear in both Chrome Web Store and have adjacent websites, they can return from as results in normal web searches and for searches within the Chrome store," the company said. "Many of the lure websites used Facebook tracking IDs, which strongly suggests they are leveraging Facebook / Meta apps in some way to attract site visitors. Possibly through Facebook pages, groups, and even ads."
As of writing, it's not known who is behind the campaign, although the threat actors have set up over 100 fake websites and malicious Chrome extensions. Google, for its part, has taken down the extensions.
To mitigate risks, users are advised to stick with verified developers before downloading extensions, review requested permissions, scrutinize reviews, and refrain from using lookalike extensions.
That said, it's also worth keeping in mind that ratings could be manipulated and artificially inflated by filtering negative user feedback.
DomainTools, in an analysis published late last month, found evidence of extensions impersonating DeepSeek that redirected users providing low ratings (1-3 stars) to a private feedback form on the ai-chat-bot[.]pro domain, while sending those providing high ratings (4-5 stars) to the official Chrome Web Store review page.
Update
In a follow-up analysis, LayerX said it identified over 40 malicious browser extensions that are part of three distinct phishing campaigns, many of which it said are still available for download from the Chrome Web Store.
The extensions, the browser security company said, are designed to impersonate popular tools/brands and exhibit similar structure, formatting, and language, raising the possibility that they may have been auto-generated using AI tools.
"This tactic enabled threat actors to rapidly scale their efforts across dozens of fake tools with minimal manual effort," LayerX said. "These extensions grant attackers persistent access to user sessions, allowing for data theft, impersonation, and potential entry into corporate environments."
Or Eshed, CEO of LayerX Security, noted that removing the add-ons from the Chrome Web Store does not automatically uninstall them from end users' devices, requiring users to manually get rid of them. The complete list of extensions can be accessed here.
"This is especially a problem in organizations, where even a single compromised endpoint or corporate account can lead to exposure at the organizational level," Eshed said. "Our best practice recommendation to organizations is to check each of these extensions individually to make sure they are removed from all enterprise endpoints."
"Moreover, we encourage organizations to deploy proactive extension security rules to block key risk indicators such as extensions with unverified publishers or extensions that communicate with suspicious domains."
(The story was updated after publication on May 23, 2025, to include new findings from LayerX.)
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
