An unknown threat actor has been attributed to creating several malicious Chrome Browser extensions since February 2024 that masquerade as seemingly benign utilities but incorporate covert functionality to exfiltrate data, receive commands, and execute arbitrary code.
“The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS),” the DomainTools Intelligence (DTI) team said in a report shared with The Hacker News.
While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation.
Another factor that works in the extensions’ favor is that they are configured to grant themselves excessive permissions via the manifest.json file, allowing them to interact with every site visited on the browser, execute arbitrary code retrieved from an attacker-controlled domain, perform malicious redirects, and even inject ads.
The extensions have also been found to rely on the “onreset” event handler on a temporary document object model (DOM) element to execute code, likely in an attempt to bypass content security policy (CSP).
Some of the identified lure websites impersonate legitimate products and services like DeepSeek, Manus, DeBank, FortiVPN, and Site Stats to entice users into downloading and installing the extensions. The add-ons then proceed to harvest browser cookies, fetch arbitrary scripts from a remote server, and set up a WebSocket connection to act as a network proxy for traffic routing.
There is currently no visibility into how victims are redirected to the bogus sites, but DomainTools told the publication that it could involve usual methods like phishing and social media.
“Because they appear in both Chrome Web Store and have adjacent websites, they can return from as results in normal web searches and for searches within the Chrome store,” the company said. “Many of the lure websites used Facebook tracking IDs, which strongly suggests they are leveraging Facebook / Meta apps in some way to attract site visitors. Possibly through Facebook pages, groups, and even ads.”
As of writing, it’s not known who is behind the campaign, although the threat actors have set up over 100 fake websites and malicious Chrome extensions. Google, for its part, has taken down the extensions.
To mitigate risks, users are advised to stick with verified developers before downloading extensions, review requested permissions, scrutinize reviews, and refrain from using lookalike extensions.
That said, it’s also worth keeping in mind that ratings could be manipulated and artificially inflated by filtering negative user feedback.
DomainTools, in an analysis published late last month, found evidence of extensions impersonating DeepSeek that redirected users providing low ratings (1-3 stars) to a private feedback form on the ai-chat-bot[.]pro domain, while sending those providing high ratings (4-5 stars) to the official Chrome Web Store review page.
