
Legitimate Chrome VPN Extension Turns to Browser Spyware

Severity: Medium
Published: Tue Aug 19 2025 (08/19/2025, 17:08:34 UTC)
Source: AlienVault OTX General

Description

A popular Chrome VPN extension, FreeVPN.One, with over 100,000 installs has transformed into spyware. Initially legitimate, the extension began capturing screenshots of users' online activities and collecting sensitive information after an update in April 2025. The spyware operates covertly, automatically taking screenshots of every webpage visited and uploading them to an attacker-controlled domain. It also exfiltrates device and location data at installation and startup. The extension's developer provided evasive responses when confronted, claiming the feature was for background scanning of suspicious domains. This incident highlights the potential risks associated with VPN services and the importance of scrutinizing even seemingly trustworthy browser extensions.

AI-Powered Analysis

AI Last updated: 08/19/2025, 21:33:30 UTC

Technical Analysis

The threat involves a popular Chrome VPN browser extension named FreeVPN.One, which had over 100,000 installs before it was discovered to have turned into spyware following an update in April 2025. Originally a legitimate VPN service, the extension began covertly capturing screenshots of every webpage visited by users and uploading these images to an attacker-controlled domain. In addition to screenshot capture, the spyware exfiltrates sensitive device and location data at installation and startup, enabling attackers to gather extensive personal and behavioral information. The developer’s evasive response, claiming the screenshot functionality was for scanning suspicious domains, indicates malicious intent or at least deceptive practices. This spyware leverages browser extension capabilities to operate stealthily, bypassing typical user awareness and security controls. The threat is significant because browser extensions, especially VPNs, are often trusted by users to protect privacy, yet this extension actively violates user privacy and security. The attack techniques correspond to MITRE ATT&CK tactics such as screen capture (T1113), input capture (T1056.001), command and scripting interpreter usage (T1059.007), data from local system (T1005), and data exfiltration (T1102.002). The URLs associated with the exfiltration infrastructure (e.g., http://aitd.one/analyze.php) further confirm the malicious data transmission. There are no known exploits in the wild beyond this extension’s update, but the risk remains high due to the extension’s popularity and stealthy operation. This incident highlights the critical need for rigorous scrutiny of browser extensions, especially those promising privacy services like VPNs, as they can become vectors for spyware and data theft.

Potential Impact

For European organizations, this threat poses a significant risk to confidentiality and privacy. Employees using the compromised VPN extension could inadvertently leak sensitive corporate information, including internal web portals, confidential communications, and proprietary data, through screenshots and metadata exfiltration. The collection of device and location data also raises compliance concerns under GDPR and other privacy regulations, potentially leading to legal and financial penalties. The covert nature of the spyware means that detection may be delayed, increasing the window for data compromise. Organizations relying on browser-based VPN extensions for secure remote access or privacy could face erosion of trust and operational security. Additionally, the threat could facilitate targeted espionage or competitive intelligence gathering if attackers correlate exfiltrated data with organizational activities. The medium severity rating reflects the balance between the ease of exploitation (automatic post-update installation) and the scope of impact, which depends on user adoption within organizations. However, the potential for widespread data leakage and regulatory non-compliance makes this a serious concern for European enterprises.

Mitigation Recommendations

1. Immediate removal of the FreeVPN.One Chrome extension from all organizational devices and networks.
2. Implement strict browser extension policies via group policy or endpoint management solutions to whitelist only vetted and approved extensions.
3. Conduct audits of installed browser extensions across corporate devices to identify and remove any unauthorized or suspicious extensions.
4. Educate employees on the risks of installing third-party browser extensions, especially those offering privacy or VPN services, emphasizing the importance of verifying developer credibility and reviews.
5. Monitor network traffic for unusual outbound connections to suspicious domains such as those identified (e.g., aitd.one) and block them at the firewall or proxy level.
6. Deploy endpoint detection and response (EDR) tools capable of detecting unusual screenshot capture or data exfiltration behaviors.
7. Regularly review and update privacy and security policies to address risks from browser extensions and enforce compliance with GDPR and other relevant regulations.
8. Encourage use of reputable VPN services that do not rely on browser extensions or that have undergone independent security audits.
9. Maintain up-to-date threat intelligence feeds to quickly identify emerging malicious extensions or updates.
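The following script is an added example, not part of the AlienVault pulse or the OffSeq analysis above, showing how recommendation 5 (and the exfiltration URLs named in the technical analysis) can be turned into a concrete proxy-log check. The IoC URLs are the three aitd.one entries listed on this page; the log format, the sample log lines and the client addresses are constructed for the example. Hostnames are compared exactly rather than by substring, so a look-alike domain such as aitd.one.example.net is not reported, and the trailing dots on two of the listed paths are normalised so they do not cause a strict match to miss the request.

```python
"""Scan proxy access-log lines for outbound requests to the aitd.one
exfiltration URLs listed as IoCs for the FreeVPN.One extension.

Added example; the log format and sample lines below are constructed."""
import re
from urllib.parse import urlparse

# IoC URLs exactly as listed on the page (two carry a trailing dot).
IOC_URLS = [
    "http://aitd.one/analyze.php",
    "http://aitd.one/bainit.php.",
    "http://aitd.one/brange.php.",
]
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}
# Normalise the trailing dot so "/bainit.php" and "/bainit.php." both match.
IOC_PATHS = {urlparse(u).path.rstrip(".") for u in IOC_URLS}

# Constructed squid-style access log: timestamp client method url status bytes
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample data: two hits from one client, one look-alike domain
# that must NOT match, and ordinary traffic.
SAMPLE_LOG = """\
1755622000.123 10.0.0.15 GET http://example.org/index.html 200 5120
1755622001.456 10.0.0.15 POST http://aitd.one/analyze.php 200 184320
1755622002.789 10.0.0.22 GET https://www.example.com/ 200 8192
1755622003.012 10.0.0.15 POST http://aitd.one/bainit.php 200 2048
1755622004.345 10.0.0.31 GET http://aitd.one.example.net/brange.php 404 512
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not fit."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return 'url' for an exact IoC URL, 'host' for any other request to an
    IoC host, or None when the request is unrelated."""
    p = urlparse(entry["url"])
    if p.hostname in IOC_HOSTS and p.path.rstrip(".") in IOC_PATHS:
        return "url"
    if p.hostname in IOC_HOSTS:
        return "host"
    return None


def find_hits(log_text):
    """Return one record per matching request, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        level = classify(entry)
        if level:
            hits.append({
                "client": entry["client"],
                "method": entry["method"],
                "url": entry["url"],
                "bytes": int(entry["bytes"]),
                "match": level,
                # Screenshot uploads are POSTs with sizeable bodies; flag them
                # so responders can prioritise. The 100 KB threshold is an
                # assumption for this example, not a figure from the page.
                "large_upload": entry["method"] == "POST" and int(entry["bytes"]) > 100_000,
            })
    return hits


def clients_to_isolate(hits):
    """Distinct source addresses that contacted the IoC infrastructure."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(h)
    print("isolate:", clients_to_isolate(find_hits(SAMPLE_LOG)))
```

Feeding a real proxy export through `find_hits` gives the list of hosts to pull the extension from (recommendations 1 and 3) and the clients whose sessions should be reviewed for leaked content; the host-level match also catches new paths on the same domain that the pulse does not yet list.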


Technical Details

Author
AlienVault
Tlp
white
References
https://www.infosecurity-magazine.com/news/chrome-vpn-extension-spyware
Adversary
null
Pulse Id
68a4af922ef70aec773db4ee
Threat Score
null

Indicators of Compromise

Type: URL

| Value | Description |
|---|---|
| http://aitd.one/analyze.php | |
| http://aitd.one/bainit.php. | |
| http://aitd.one/brange.php. | |

Threat ID: 68a4e9fbad5a09ad00fb7145

Added to database: 8/19/2025, 9:17:47 PM

Last enriched: 8/19/2025, 9:33:30 PM

Last updated: 8/20/2025, 6:40:17 AM

Views: 6
