108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure
A coordinated campaign involving 108 malicious Chrome extensions has been identified, collectively installed about 20,000 times. The extensions share command-and-control infrastructure at cloudapi.stream and perform a range of malicious activity: harvesting Google account identities through an OAuth2 flow, exfiltrating Telegram Web sessions, and providing a universal backdoor that opens operator-supplied URLs on browser startup. They impersonate legitimate tools such as Telegram sidebar clients, slot games, and social media enhancers, and are published under five different publisher identities. All stolen data is routed to servers controlled by the same operator, indicating a Malware-as-a-Service model. Because the malicious code is the extension itself rather than a flaw in Chrome, there is no patch or vendor advisory to apply; remediation is removal and revocation.
AI Analysis
Technical Summary
This threat campaign consists of 108 malicious Chrome extensions that share a common command-and-control infrastructure hosted at cloudapi.stream. The extensions fall into three main groups: 54 that obtain the user's Google account identity through an OAuth2 authorization flow (profile data and token, not the password, which an OAuth2 consent flow never exposes to the extension), one that exfiltrates the Telegram Web session every 15 seconds, and 45 that contain a backdoor allowing arbitrary URL execution on browser startup. Those groups account for 100 of the 108 extensions; the remaining eight are not assigned to a group in the source summary. The extensions masquerade as legitimate applications across various categories and are published under five distinct publisher identities. The shared infrastructure and the reuse of the same operator across unrelated extension themes point to a coordinated Malware-as-a-Service business model. There is no vendor patch or official remediation guidance, as nothing in Chrome itself is vulnerable.
Potential Impact
The campaign enables attackers to take over Google account identities, hijack Telegram Web sessions, and open arbitrary URLs on browser startup, leading to unauthorized account access, data theft, and persistent browser compromise. The shared C2 infrastructure consolidates stolen identities and session data under one operator, increasing the scale and impact of the threat. Approximately 20,000 users are estimated to be affected. This threat does not depend on exploiting a Chrome vulnerability: the extensions are malicious by design, so each install represents a user who has already granted the extension the permissions it abuses, not merely potential exposure.
Mitigation Recommendations
No official patches or vendor advisories are available, because this is not a vulnerability in Chrome: the malicious code is the extension itself, so remediation relies on user and administrator action to remove the extensions and revoke what they were granted.
- Review installed extensions (chrome://extensions) on each affected browser and remove any that are suspicious or match the identified publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, InterAlt) or the impersonated categories (Telegram sidebar clients, slot games, social media enhancers). The individual extension IDs are not listed on this page; take them from the referenced Socket report before building a blocklist.
- Enterprise administrators can enforce removal with the Chrome ExtensionInstallBlocklist policy (or move to an allowlist model, with `*` in ExtensionInstallBlocklist and approved IDs in ExtensionInstallAllowlist), and block the C2 hosts listed below at DNS or the web proxy.
- Revoke the OAuth2 grants for affected Google accounts in the third-party apps and services section under Security in Google Account settings, then change the password and review recent sign-in activity for anything unexpected.
- For Telegram Web, a stolen session stays valid until it is terminated: in Telegram, open Settings > Devices (active sessions) and terminate all other sessions. Changing the Telegram password alone does not invalidate existing sessions.
- Continue monitoring the affected accounts for unusual activity, since stolen identities and sessions may already have been used before the extension was removed.
Indicators of Compromise
Four entries in the pulse (chrome.runtime.id, message.data, profile.email and profile.name) are recorded as domains but are almost certainly JavaScript property paths lifted from the extension source (chrome.runtime.id is the extension's own ID property); they are listed separately below and should not be blocked as hosts without verification. Match network indicators on the host component: every *.cloudapi.stream subdomain belongs to the same operator, and the URLs are plain http://, including port 8443 on api.cloudapi.stream.
- ip: 144.126.135.238
- domain: cloudapi.stream
- domain: interalt.net
- domain: nashprom.info
- domain: webuk.tech
- domain: api.cloudapi.stream
- domain: cdn.cloudapi.stream
- domain: chat.cloudapi.stream
- domain: coin-miner.cloudapi.stream
- domain: crm.cloudapi.stream
- domain: gamewss.cloudapi.stream
- domain: goldminer.cloudapi.stream
- domain: herculessportslegend.cloudapi.stream
- domain: metal.cloudapi.stream
- domain: mines.cloudapi.stream
- domain: multiaccount.cloudapi.stream
- domain: tg.cloudapi.stream
- domain: topup.cloudapi.stream
- domain: wheel.cloudapi.stream
- email: support@top.rodeo
- url: http://api.cloudapi.stream:8443/Register
- url: http://api.cloudapi.stream:8443/Translation
- url: http://cloudapi.stream/install/
- url: http://cloudapi.stream/uninstall/
- url: http://mines.cloudapi.stream/auth_google
- url: http://mines.cloudapi.stream/slot_test/
- url: http://mines.cloudapi.stream/user_info
- url: http://tg.cloudapi.stream/count_sessions.php
- url: http://tg.cloudapi.stream/delete_session.php
- url: http://tg.cloudapi.stream/get_session.php
- url: http://tg.cloudapi.stream/get_sessions.php
- url: http://tg.cloudapi.stream/save_session.php
- url: http://tg.cloudapi.stream/save_title.php
- url: http://top.rodeo/notify.php
- url: http://top.rodeo/server/remote.php
- url: http://top.rodeo/server/remote3.php
Probable extraction artifacts (JavaScript property paths, not network indicators):
- domain: chrome.runtime.id
- domain: message.data
- domain: profile.email
- domain: profile.name
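As an added example, not code from the Socket report or the OTX pulse, the Python script below matches the campaign's network indicators against web-proxy log lines and against an unpacked Chrome extension directory (the layout under a profile's Extensions/<id>/<version>/ folder). The IP, domains and URLs are the ones listed above; the log lines, the extension skeleton, its file names and its manifest contents are constructed for the example. It matches on the host component so that any *.cloudapi.stream subdomain is caught while a path that merely contains the string is not, and it deliberately leaves out the JavaScript-property entries so that chrome.runtime.id in an extension's source does not produce a false hit.

```python
"""Match the cloudapi.stream campaign IOCs against proxy log lines and an
unpacked Chrome extension directory. Added example; sample data constructed."""
import json
import os
import re
import tempfile
from typing import Optional
from urllib.parse import urlparse

# Network indicators from the report. chrome.runtime.id, message.data,
# profile.email and profile.name are omitted on purpose: they are JavaScript
# property paths, not hosts, and would only generate noise.
IOC_DOMAINS = {"cloudapi.stream", "interalt.net", "nashprom.info",
               "webuk.tech", "top.rodeo"}
IOC_IPS = {"144.126.135.238"}
IOC_URLS = {
    "http://api.cloudapi.stream:8443/Register",
    "http://cloudapi.stream/install/",
    "http://mines.cloudapi.stream/auth_google",
    "http://tg.cloudapi.stream/save_session.php",
    "http://top.rodeo/server/remote.php",
}

def host_matches(host: str) -> Optional[str]:
    """Return the IOC an observed host belongs to, or None. Subdomains count:
    every *.cloudapi.stream host is attributed to the same operator."""
    host = host.lower().rstrip(".")
    if host in IOC_IPS:
        return host
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None

# Constructed proxy lines: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1713100001 10.0.0.12 POST http://tg.cloudapi.stream/save_session.php 200
1713100002 10.0.0.12 GET https://www.google.com/ 200
1713100003 10.0.0.33 POST http://api.cloudapi.stream:8443/Register 200
1713100004 10.0.0.45 GET http://example.com/cloudapi.stream.html 200
1713100005 10.0.0.51 GET http://144.126.135.238/ 200
"""

def scan_proxy_log(text: str) -> list:
    """Flag lines whose destination host is an IOC; the example.com line is
    not a hit because only the path contains the domain string."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, _method, url = parts[:4]
        ioc = host_matches(urlparse(url).hostname or "")
        if ioc:
            hits.append({"client": client, "url": url, "ioc": ioc,
                         "exact_url": url in IOC_URLS})
    return hits

# Any dotted hostname-like token or IPv4 literal in source text.
HOST_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b",
                     re.IGNORECASE)

def scan_extension_dir(ext_dir: str) -> dict:
    """Walk an unpacked extension and report which IOC hosts its manifest
    and source files reference, plus the permissions it asks for."""
    manifest, found = {}, {}
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            path = os.path.join(root, name)
            if name == "manifest.json":
                with open(path, encoding="utf-8") as f:
                    manifest = json.load(f)
            if not name.endswith((".js", ".json", ".html")):
                continue
            with open(path, encoding="utf-8", errors="ignore") as f:
                for m in HOST_RE.finditer(f.read()):
                    ioc = host_matches(m.group(0))
                    if ioc:
                        found.setdefault(ioc, set()).add(os.path.relpath(path, ext_dir))
    return {"name": manifest.get("name"),
            "permissions": manifest.get("permissions", []),
            "ioc_hits": {k: sorted(v) for k, v in found.items()}}

def build_sample_extension() -> str:
    """Write a constructed, non-functional extension skeleton to a temp dir so
    the scan runs offline. Only the C2 hostname comes from the report."""
    d = tempfile.mkdtemp(prefix="ext-")
    manifest = {"manifest_version": 3, "name": "Telegram Sidebar",
                "permissions": ["identity", "tabs", "storage"],
                "host_permissions": ["https://web.telegram.org/*"],
                "background": {"service_worker": "bg.js"}}
    with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(d, "bg.js"), "w", encoding="utf-8") as f:
        f.write('const C2 = "http://tg.cloudapi.stream/save_session.php";\n'
                'const ID = chrome.runtime.id; // property path, must not match\n')
    return d

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("proxy hit:", hit)
    print("extension:", scan_extension_dir(build_sample_extension()))
```

Point scan_extension_dir at each version folder under a profile's Extensions directory to triage installed extensions, and feed real proxy or DNS logs through scan_proxy_log after adapting the column split to the log format in use.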
Technical Details
- Author: AlienVault
- TLP: white
- References: https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2
- Adversary: not attributed
- Pulse Id: 69de5f631a2f4bca81392ccd
- Threat Score: none assigned
Threat ID: 69de616b82d89c981fbc694d
Added to database: 4/14/2026, 3:46:51 PM
Last enriched: 4/14/2026, 4:01:50 PM
Last updated: 4/14/2026, 9:56:24 PM