100 Chrome Extensions Steal Data and Create Backdoor

    Rameses Quiambao

    Summary

    Security researchers have identified a large-scale malicious campaign involving 108 Chrome extensions designed to steal user data, create backdoors, and inject malicious content.

    The extensions:
    • Installed by over 20,000 users
    • Published through multiple developer accounts
    • Share the same command-and-control (C2) infrastructure

    Research Source

    According to Socket, the extensions were distributed under different publisher names but are part of a coordinated campaign.

    Malicious developer accounts:
    • GameGen
    • InterAlt
    • SideGames
    • Rodeo Games
    • Yana Project

    All extensions connect to a shared backend, confirming centralized control.

    Technical Details

    The extensions were disguised as legitimate tools such as:
    • Telegram clients
    • YouTube/TikTok enhancers
    • Games (slot, Keno)
    • Translation tools

    Malicious capabilities include:

    Credential Theft
    • Steal Google accounts via OAuth2 tokens
    • Collect user identity data (email, name, profile picture)

    Backdoor Functionality
    • 45 extensions contain a universal backdoor
    • Opens attacker-controlled URLs on browser startup

    Session Hijacking
    • Steal Telegram web sessions
    • Overwrite local storage to take over accounts

    Content Injection
    • Inject ads into YouTube and TikTok
    • Run scripts across all visited websites

    Data Exfiltration
    • Proxy user data through attacker-controlled servers

    Observed Attack Activity

    Initial Access
    • Users install seemingly legitimate Chrome extensions

    Execution
    • Malicious background scripts run silently

    Persistence
    • Backdoor activates automatically on browser startup
    • Does not require user interaction

    Command & Control
    • Extensions communicate with shared C2 infrastructure
    • Receive instructions dynamically

    Account Takeover
    • Telegram session hijacking
    • Google account profiling via OAuth

    Threat Actor

    Attribution:
    • Unknown threat actor (coordinated campaign)

    Indicators suggest:
    • Organized cybercriminal operation
    • Focus on scalable browser-based attacks
    • Use of multiple publisher accounts for evasion

    Impact

    This campaign poses significant risks:

    • Compromise of Google and Telegram accounts
    • Persistent browser-level backdoor access
    • Exposure of personal and session data
    • Injection of malicious or unwanted content

    For organizations:
    • Risk of credential theft from corporate accounts
    • Potential entry point into enterprise environments
    • Increased phishing and social engineering exposure

    Mitigation

    Recommended actions:

    • Audit and remove suspicious Chrome extensions
    • Restrict extension installation via enterprise policies
    • Monitor browser behavior for unexpected tab openings and unauthorized scripts
    • Revoke compromised OAuth tokens
    • Enable multi-factor authentication (MFA)
    • Use browser security tools or EDR monitoring

    References
    https://www.securityweek.com/100-chrome-extensions-steal-user-data-open-backdoor/

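The post's "Technical Details" and "Mitigation" sections together describe a set of capabilities (OAuth2 identity access, scripts injected on every site, a tab opened on browser startup, localStorage overwrites on a target site, dynamic tasking from a server) and recommend auditing installed extensions for them. The script below is an added example for that audit step; it is not code from the post, from Socket, or from the campaign itself. It scores an extension's manifest.json plus its background-script source against those capability shapes. The manifest keys and chrome.* API names are standard Chrome extension APIs; the weights, the regex shapes and the two sample extensions are constructed for illustration and are not indicators taken from the report.

```javascript
"use strict";

// Added triage example (not from the original post or Socket's report).
// Scores a Chrome extension for the capability markers the post describes.
// Weights and samples are constructed for illustration, not IOCs.

// Match patterns that grant access to every site.
const ALL_URLS = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

// Every URL pattern the manifest grants: match patterns listed under
// permissions (MV2), host_permissions (MV3) and content_scripts.matches.
function grantedPatterns(manifest) {
  const fromPerms = (manifest.permissions || []).filter(p => p.includes("://") || p === "<all_urls>");
  const fromHosts = manifest.host_permissions || [];
  const fromScripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  return [...fromPerms, ...fromHosts, ...fromScripts];
}

// Manifest-level signals; each test returns true when the marker is present.
const MANIFEST_SIGNALS = [
  // identity permission plus an oauth2 block: can mint Google OAuth2 tokens.
  { id: "oauth2-identity", weight: 3,
    test: m => (m.permissions || []).includes("identity") && Boolean(m.oauth2) },
  // content script injected on every page the user visits.
  { id: "all-urls-content-script", weight: 3,
    test: m => (m.content_scripts || []).some(cs => (cs.matches || []).some(p => ALL_URLS.test(p))) },
  // host access to every site (needed for fetch/scripting on arbitrary origins).
  { id: "all-urls-host-access", weight: 2,
    test: m => grantedPatterns(m).some(p => ALL_URLS.test(p)) },
  // explicit access to Telegram's web origin.
  { id: "telegram-host-access", weight: 2,
    test: m => grantedPatterns(m).some(p => /telegram\.org/.test(p)) },
  { id: "tabs-permission", weight: 1,
    test: m => (m.permissions || []).includes("tabs") },
];

// Source-level signals, checked against the background script text.
const CODE_SIGNALS = [
  // onStartup listener that opens a tab: the startup-backdoor shape.
  { id: "startup-opens-tab", weight: 3,
    re: /chrome\.runtime\.onStartup\.addListener[\s\S]{0,600}?chrome\.tabs\.create\(/ },
  // writing a page's localStorage from injected code: the session-overwrite shape.
  { id: "localstorage-write", weight: 2,
    re: /localStorage\.(setItem|clear)\(/ },
  // configuration fetched from a remote server at runtime: the dynamic-tasking shape.
  { id: "remote-tasking", weight: 2,
    re: /fetch\(\s*["'`]https?:\/\// },
];

// Audit one extension: { manifest: <parsed manifest.json>, background: <source text> }.
function auditExtension(ext) {
  const findings = [];
  for (const s of MANIFEST_SIGNALS) if (s.test(ext.manifest)) findings.push(s.id);
  for (const s of CODE_SIGNALS) if (s.re.test(ext.background || "")) findings.push(s.id);
  const weights = new Map([...MANIFEST_SIGNALS, ...CODE_SIGNALS].map(s => [s.id, s.weight]));
  const score = findings.reduce((sum, id) => sum + weights.get(id), 0);
  return { name: ext.manifest.name, score, findings };
}

// Triage a set of installed extensions, highest score first.
function triage(exts) {
  return exts.map(auditExtension).sort((a, b) => b.score - a.score);
}

// Constructed samples. The first mimics the capability set the post
// describes; the second is a harmless single-site tool.
const SAMPLES = [
  {
    manifest: {
      manifest_version: 3, name: "Sample Video Enhancer (constructed)",
      permissions: ["identity", "tabs", "storage"],
      host_permissions: ["<all_urls>"],
      oauth2: { client_id: "example", scopes: ["openid", "email", "profile"] },
      content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
      background: { service_worker: "bg.js" },
    },
    background: `
      chrome.runtime.onStartup.addListener(async () => {
        const r = await fetch("https://example.invalid/config");
        const { url } = await r.json();
        chrome.tabs.create({ url });
      });`,
  },
  {
    manifest: {
      manifest_version: 3, name: "Sample Note Saver (constructed)",
      permissions: ["storage"],
      content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["notes.js"] }],
    },
    background: `chrome.runtime.onInstalled.addListener(() => {});`,
  },
];

for (const r of triage(SAMPLES)) console.log(r.score, r.name, r.findings.join(", "));
```

To run this against a real profile, read each extension's manifest.json and background script from the browser's Extensions directory and pass them in place of SAMPLES; a high score is a prompt for manual review, not proof of malice, since legitimate tools (password managers, ad blockers) also need all-URL access.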