Over 100 Chrome extensions caught stealing user data, hijacking sessions, and back-dooring browsers via coordinated malware campaign.

Security researchers have uncovered a large-scale campaign involving 108 malicious Chrome extensions designed to steal user data, hijack active sessions, and secretly backdoor web browsers.
The operation was identified by cybersecurity firm Socket, which linked the extensions to a shared back-end infrastructure hosted on suspicious domains. Although the extensions appeared unrelated and were published under multiple developer accounts, they all connected to the same command-and-control systems.
The extensions disguised themselves as legitimate tools, including messaging clients, browser utilities, and online games. While functioning as advertised, they simultaneously executed hidden code to communicate with attacker-controlled servers.
One of the most serious findings involved extensions capable of stealing Telegram session data by extracting authentication tokens directly from browser storage. This allowed attackers to take over accounts without needing passwords or two-factor authentication.
In parallel, dozens of extensions abused Google OAuth2 authentication to collect user profile data such as email addresses, names, and account identifiers, enabling long-term tracking of victims.
Researchers also discovered that many of the extensions included hidden backdoor functions that activated when the browser started. These features allowed attackers to:
- Open arbitrary websites
- Inject ads or malicious content
- Turn infected browsers into traffic-generation tools
- Execute remote commands
This effectively gave attackers persistent control over users’ browsers.
All 108 extensions were tied to a centralized infrastructure using shared code, domains, and developer patterns, suggesting a single coordinated threat actor or group behind the campaign.
Some parts of the infrastructure supported monetization features, indicating the operation may function as a malware-as-a-service (MaaS) platform where stolen data and access are resold.
The extensions accumulated around 20,000 installs and were still available on the Chrome Web Store at the time of discovery, although takedown requests have been submitted.
Researchers warn users to review installed extensions immediately, remove any suspicious add-ons, and revoke unnecessary account permissions.
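As an added illustration of that review step (example code written for this article, not tooling from Socket or the report), the script below walks a Chrome profile's Extensions directory and flags manifests that declare the capabilities the campaign relied on: OAuth2/identity access, cookie and storage access, tab control, broad host access, and a background script that runs at browser start. The permission-to-risk mapping and the sample manifests are this example's own assumptions.

```python
import json
import tempfile
from pathlib import Path

# Capability the campaign used -> manifest permission granting it (this
# mapping is the example's own assumption, not taken from the report).
RISK_MAP = {
    "identity": "Google OAuth2 profile data (email, name, account id)",
    "cookies": "session cookies/tokens (Telegram-style session theft)",
    "storage": "read or persist data in browser storage",
    "tabs": "open arbitrary websites",
    "scripting": "inject ads or content into pages",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed sample manifests, not real extensions from the campaign.
SAMPLE_SUSPICIOUS = {
    "manifest_version": 3, "name": "Chat Helper", "version": "1.0",
    "permissions": ["identity", "cookies", "tabs"],
    "host_permissions": ["<all_urls>"],
    "oauth2": {"client_id": "PLACEHOLDER", "scopes": ["openid", "email", "profile"]},
    "background": {"service_worker": "bg.js"},
}
SAMPLE_BENIGN = {"manifest_version": 3, "name": "Tab Counter", "version": "1.0",
                 "permissions": ["alarms"]}

def audit_manifest(manifest: dict) -> list[str]:
    """Return one finding per risky capability the manifest declares."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    findings = [f"permission '{p}': {RISK_MAP[p]}" for p in sorted(perms & set(RISK_MAP))]
    hosts = set(manifest.get("host_permissions", [])) | perms  # MV2 lists hosts in permissions
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: can read and alter every site")
    if scopes := manifest.get("oauth2", {}).get("scopes"):
        findings.append("oauth2 scopes requested: " + ", ".join(scopes))
    if "background" in manifest:
        findings.append("background script: runs at browser start with no visible UI")
    return findings

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Audit every <Extensions>/<id>/<version>/manifest.json under a profile."""
    return {p.parent.parent.name: audit_manifest(json.loads(p.read_text(encoding="utf-8")))
            for p in sorted(extensions_dir.glob("*/*/manifest.json"))}

if __name__ == "__main__":  # build a throwaway profile layout so this runs offline
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, m in (("aaaa", SAMPLE_SUSPICIOUS), ("bbbb", SAMPLE_BENIGN)):
            d = Path(tmp) / ext_id / m["version"]; d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(m), encoding="utf-8")
        for ext_id, findings in audit_profile(Path(tmp)).items():
            print(ext_id, "->", findings or ["no risky capabilities declared"])
```

Point `audit_profile` at a real profile's `Extensions` directory to audit installed add-ons; a finding is a prompt to check the extension's purpose and publisher, not proof of malice.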
The findings highlight ongoing risks in browser extension ecosystems, where seemingly harmless tools can act as stealth malware platforms embedded directly in users’ browsers.