
Hidden Threats of Dual-Function Malware Found in Chrome Extensions

Medium
Published: Wed May 21 2025 (05/21/2025, 16:09:08 UTC)
Source: AlienVault OTX General

Description

An unknown threat actor has been creating malicious Chrome browser extensions since February 2024, using fake websites to lure users into installing them. These extensions have dual functionality, appearing to work as intended while also connecting to malicious servers to steal user data and execute arbitrary code. The extensions request excessive permissions and use various techniques to bypass security measures. They communicate with actor-controlled API domains, sending encrypted system information and receiving dynamic rules and code. The malicious activities include cookie theft, traffic manipulation, and potential account compromises. Over 100 fake websites and extensions have been deployed, exploiting current trends to attract users. The Chrome Web Store has removed some extensions, but the actor's persistence poses an ongoing threat to users seeking productivity tools and browser enhancements.

AI-Powered Analysis

Last updated: 06/21/2025, 14:06:54 UTC

Technical Analysis

Since February 2024, an unknown threat actor has been deploying a widespread campaign involving malicious Chrome browser extensions distributed via over 100 fake websites. These extensions exhibit dual-functionality: they provide legitimate or seemingly useful browser features to avoid suspicion while simultaneously performing covert malicious activities. Upon installation, the extensions request excessive permissions that enable them to access sensitive browser data and system information. They establish encrypted communications with attacker-controlled API endpoints to exfiltrate data and receive dynamic commands and code updates, allowing the malware to adapt and evade detection. The malicious capabilities include stealing cookies, which can lead to session hijacking and account compromises, manipulating web traffic to alter user interactions or inject malicious content, and executing arbitrary code within the browser context. The extensions employ various evasion techniques to bypass Chrome’s security mechanisms and detection by security tools. Despite some removals by the Chrome Web Store, the actor remains persistent, continuously creating new fake websites and extensions that exploit trending topics to lure users seeking productivity tools or browser enhancements. This campaign leverages a broad range of tactics, techniques, and procedures (TTPs) including credential access, system information discovery, command and control communication, and code injection, as indicated by the referenced MITRE ATT&CK techniques (e.g., T1113, T1033, T1114, T1119, T1082, T1071, T1176, T1140, T1555, T1185, T1016, T1059, T1083, T1102, T1573, T1056, T1012, T1132, T1189, T1124). The campaign’s sophistication and persistence pose a significant threat to users and organizations relying on Chrome extensions for daily operations.

Potential Impact

For European organizations, this threat can lead to substantial confidentiality breaches through the theft of cookies and credentials, enabling unauthorized access to corporate accounts and sensitive data. The arbitrary code execution capability within the browser context can facilitate further compromise of internal networks, lateral movement, or deployment of additional malware. Traffic manipulation may disrupt normal business operations, cause data integrity issues, or facilitate phishing and fraud. The campaign’s use of dynamic command and control infrastructure complicates detection and remediation efforts, increasing the risk of prolonged undetected presence. Organizations with employees who frequently use Chrome extensions, especially those in sectors handling sensitive personal or financial data (e.g., finance, healthcare, government), are at elevated risk. The persistence of the threat actor and their exploitation of trending topics to lure users also increase the likelihood of infection. This can result in reputational damage, regulatory penalties under GDPR due to data breaches, and operational disruptions.

Mitigation Recommendations

1. Implement strict browser extension policies via enterprise management tools to allow installation only from trusted sources and whitelist approved extensions.
2. Conduct regular audits of installed browser extensions across the organization to identify and remove unauthorized or suspicious ones.
3. Educate employees about the risks of installing extensions from unverified websites and the importance of verifying extension legitimacy via official stores and reviews.
4. Deploy endpoint detection and response (EDR) solutions capable of monitoring browser processes and network traffic for anomalous behaviors such as unusual API communications or encrypted data exfiltration.
5. Utilize network security controls to block known malicious API domains and monitor DNS queries for suspicious patterns related to the campaign.
6. Enforce multi-factor authentication (MFA) on all critical accounts to mitigate the impact of credential theft.
7. Regularly update and patch browsers and security tools to leverage the latest protections against extension-based threats.
8. Collaborate with threat intelligence providers to stay informed about emerging malicious extensions and indicators of compromise related to this campaign.
9. Consider deploying browser isolation technologies for high-risk users to contain potential malicious extension activities.
10. Implement strict data access controls and monitor for unusual account activities that may indicate compromise stemming from this threat.
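As an added defensive example (not code from the OTX pulse or from the DomainTools report it references), the following Python script puts recommendations 2 and 5 into practice: it walks a directory of unpacked Chrome extensions, flags manifests that request the high-risk permission combination the analysis describes (cookie access, request rewriting, script injection, broad host access), and checks every URL or match pattern in each manifest against the pulse's IoC domains. The IoC subset is taken from the Indicators of Compromise section below; the high-risk permission list, the verdict thresholds and the two sample manifests are constructed for this example.

```python
"""Audit Chrome extension manifests for the risk pattern described in the
analysis: excessive permissions plus contact with the pulse's IoC domains.
Added example, not code from the OTX pulse or the DomainTools report."""
import json
import re
from pathlib import Path
from typing import Iterator, Optional

# Subset of the IoC domains listed in this pulse's Indicators of Compromise.
IOC_DOMAINS = {
    "api.glimmerbloop.top", "api.infograph.top", "api.sprocketwhirl.top",
    "api.zorpleflux.top", "glimmerbloop.top", "cookie-whitelist.com",
    "forti-vpn.com", "deepseek-ai.link",
}

# Permissions that, together with broad host access, give an extension the
# reach described in the analysis: cookie theft, traffic rewriting and code
# execution inside pages. Chosen for this example, not an official list.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "debugger", "nativeMessaging", "proxy", "management",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Hostname out of a URL or a match pattern such as "*://*.example.com/*".
_HOST_RE = re.compile(
    r"^(?:\*|[a-z][a-z0-9+.\-]*)://(?:\*\.)?([a-z0-9.\-]+)", re.I)


def host_of(pattern: str) -> Optional[str]:
    """Return the hostname in a URL/match pattern, or None if there is none."""
    m = _HOST_RE.match(pattern.strip())
    return m.group(1).lower() if m else None


def matches_ioc(host: str) -> bool:
    """True when host is an IoC domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def _strings(obj) -> Iterator[str]:
    """Yield every string anywhere in a parsed manifest."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _strings(v)


def audit_manifest(manifest: dict) -> dict:
    """Score one manifest.json and return the findings plus a verdict."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    # Manifest V2 puts host patterns in "permissions", V3 in "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    broad = bool(hosts & BROAD_HOST_PATTERNS)
    # Any URL in the manifest (update_url, externally_connectable, content
    # script matches, ...) that points at an IoC domain is decisive.
    ioc_hits = sorted({h for h in map(host_of, _strings(manifest))
                       if h and matches_ioc(h)})
    if ioc_hits:
        verdict = "block"
    elif risky or broad:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": manifest.get("name", "?"), "risky_permissions": risky,
            "broad_host_access": broad, "ioc_matches": ioc_hits,
            "verdict": verdict}


def audit_directory(root: str) -> list:
    """Audit every manifest.json under root, e.g. a profile's Extensions dir."""
    results = []
    for path in Path(root).rglob("manifest.json"):
        with open(path, encoding="utf-8") as f:
            results.append({**audit_manifest(json.load(f)), "path": str(path)})
    return results


# Constructed sample manifests for demonstration; not real extensions.
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3, "name": "Ad Vision Pro (constructed sample)",
    "permissions": ["cookies", "storage", "scripting", "declarativeNetRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
    "externally_connectable": {"matches": ["https://*.glimmerbloop.top/*"]},
    "update_url": "https://api.glimmerbloop.top/update.xml",
}
BENIGN_MANIFEST = {
    "manifest_version": 3, "name": "Word Counter (constructed sample)",
    "permissions": ["activeTab", "storage"],
    "host_permissions": ["https://docs.example.com/*"],
}

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(json.dumps(audit_manifest(m), indent=2))
```

Run `audit_directory()` against a profile's extension store (on Linux Chrome keeps it under `~/.config/google-chrome/<profile>/Extensions`) and feed the `"block"` and `"review"` results into the extension allowlist process from recommendation 1; the IoC set can be extended with the full domain list from this pulse or with a feed from a threat intelligence provider as recommendation 8 suggests.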


Technical Details

Author
AlienVault
Tlp
white
References
https://dti.domaintools.com/dual-function-malware-chrome-extensions
https://github.com/DomainTools/SecuritySnacks/blob/main/2025/DualFunction-Malware-Chrome-Extensions
Adversary
Pulse Id
682dfaa431bd4e9a598464cc

Indicators of Compromise

Domain

Value
ad-eye.help
ad-guardian.world
ad-scope.world
ad-seeker.world
ad-spy.world
ad-vision.click
ad-vision.top
addetective.world
adelephant.world
adtwin.world
aml-sector.world
amlsector.com
analytics-box.world
blurflewhack.top
calendly-director.com
calendlydaily.world
calendlydocker.com
cookie-whitelist.com
creativehunter.world
creativepeek.world
crypto-whale.info
crypto-whale.top
cryptowhalesvision.world
datavibe.sbs
datazen.sbs
debank-extension.world
debank.click
debank.sbs
deepseek-ai.link
digigtalneo.top
digigtalwow.top
e-xt.top
earthvpn.top
eventphere.com
fizzlepopcorn.top
flibberwump.top
flight-radar.life
floopdoodle.top
forti-vpn.com
fortivnp.com
glimmerbloop.top
infograph.top
infonet.sbs
infosync.top
ioapp.sbs
iochange.top
iohub.sbs
ioonline.top
iospace.top
iron-tunnel.com
irontunnel.world
jibberjot.top
jumblefizz.top
lockads.org
madgicx-plus.com
madgicxads.world
manusai.sbs
meta-guests.com
meta-spy.help
meta-spy365.com
noodlequack.top
orchid-vpn.com
privacy-shield.world
quirkleblip.top
quizzlepuff.top
raccoon-vpn.world
safesurf.world
similar-net.com
siteanalyzer.world
sitestats.world
snickerdoodle.top
snogglewomp.top
soul-vpn.com
spaceball.top
sprocketwhirl.top
spylens.world
squirrel-wallet.world
twin-web.world
twizzleflap.top
web-analytics.top
web-metrics.link
webinsight.world
webwatch.world
whale-alert.life
whale-alerts.org
wibblywob.top
wobblefizz.top
wobbleguff.top
workfront-plus.com
wti-analytics.com
wtigroups.com
x-theme.world
youtube-vision.com
youtube-vision.world
zingleflap.top
zorpleflux.top
api.glimmerbloop.top
api.infograph.top
api.sprocketwhirl.top
api.zorpleflux.top

Threat ID: 682e0bf6c4522896dcc4356c

Added to database: 5/21/2025, 5:23:02 PM

Last enriched: 6/21/2025, 2:06:54 PM

Last updated: 8/20/2025, 7:26:36 AM
