ModHeader Malware: Inside the Chrome Spyware Google Removed
ModHeader, a widely used Chrome developer extension, was removed from the Chrome Web Store after being found to contain hidden spyware and adware. Version 7.0.18 included a covert SDK disguised as a date library that harvested visited domain names, encrypted them, and was set to upload this data daily to a suspicious domain. Although the data collection was dormant due to an empty allowlist, the exfiltration infrastructure was fully present. The extension also exhibited adware behavior by opening affiliate tabs on updates, including on enterprise-managed devices. The malicious code was signed by the official Chrome Web Store, affecting both Chrome and Edge users. Forensic analysis showed the extension locally stored a large amount of sensitive HTTP headers, but no successful data exfiltration was observed in analyzed systems.
AI Analysis
Technical Summary
ModHeader version 7.0.18 contained malicious code hidden within a legitimate Chrome extension. This code included a covert SDK masquerading as the 'dayjs' date library, which harvested visited domain names and encrypted them using AES-GCM. The data was configured to be exfiltrated daily to the domain api.stanfordstudies.com. Despite the presence of a fully operational exfiltration mechanism, data collection remained inactive due to an empty allowlist. Additionally, the extension engaged in adware activity by opening affiliate tabs on every update, impacting both regular and enterprise-managed machines. The extension was distributed via the official Chrome Web Store with valid signatures, affecting users of both Chrome and Edge browsers. Forensic investigations revealed local storage of 178MB of sensitive HTTP headers from browsing activity, though no evidence of successful data exfiltration was found on analyzed systems.
Potential Impact
The spyware component of ModHeader could have compromised user privacy by harvesting visited domain names and sensitive HTTP headers. The adware behavior caused unwanted affiliate tab openings, potentially disrupting user experience and generating fraudulent ad revenue. Although no confirmed data exfiltration occurred in analyzed cases, the presence of a fully functional exfiltration infrastructure indicates a significant risk of data leakage if activated. The malicious code's distribution through the official Chrome Web Store and valid signatures increased the risk of widespread exposure among Chrome and Edge users.
Mitigation Recommendations
Google has removed the malicious ModHeader extension from the Chrome Web Store, effectively preventing further installations. Users should uninstall any existing installations of ModHeader version 7.0.18 or later. Since the malicious code was distributed via the official store, users should verify extensions for authenticity and monitor for suspicious behavior. No official patch or update is available; remediation involves removal of the compromised extension. Enterprise administrators should audit managed devices for the presence of this extension and remove it to prevent adware and spyware activity.
Indicators of Compromise
- url: https://modheader.com/api/ad-settings
- domain: api.stanfordstudies.com
ModHeader Malware: Inside the Chrome Spyware Google Removed
Description
ModHeader, a widely used Chrome developer extension, was removed from the Chrome Web Store after being found to contain hidden spyware and adware. Version 7.0.18 included a covert SDK disguised as a date library that harvested visited domain names, encrypted them, and was set to upload this data daily to a suspicious domain. Although the data collection was dormant due to an empty allowlist, the exfiltration infrastructure was fully present. The extension also exhibited adware behavior by opening affiliate tabs on updates, including on enterprise-managed devices. The malicious code was signed by the official Chrome Web Store, affecting both Chrome and Edge users. Forensic analysis showed the extension locally stored a large amount of sensitive HTTP headers, but no successful data exfiltration was observed in analyzed systems.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
ModHeader version 7.0.18 contained malicious code hidden within a legitimate Chrome extension. This code included a covert SDK masquerading as the 'dayjs' date library, which harvested visited domain names and encrypted them using AES-GCM. The data was configured to be exfiltrated daily to the domain api.stanfordstudies.com. Despite the presence of a fully operational exfiltration mechanism, data collection remained inactive due to an empty allowlist. Additionally, the extension engaged in adware activity by opening affiliate tabs on every update, impacting both regular and enterprise-managed machines. The extension was distributed via the official Chrome Web Store with valid signatures, affecting users of both Chrome and Edge browsers. Forensic investigations revealed local storage of 178MB of sensitive HTTP headers from browsing activity, though no evidence of successful data exfiltration was found on analyzed systems.
Potential Impact
The spyware component of ModHeader could have compromised user privacy by harvesting visited domain names and sensitive HTTP headers. The adware behavior caused unwanted affiliate tab openings, potentially disrupting user experience and generating fraudulent ad revenue. Although no confirmed data exfiltration occurred in analyzed cases, the presence of a fully functional exfiltration infrastructure indicates a significant risk of data leakage if activated. The malicious code's distribution through the official Chrome Web Store and valid signatures increased the risk of widespread exposure among Chrome and Edge users.
Mitigation Recommendations
Google has removed the malicious ModHeader extension from the Chrome Web Store, effectively preventing further installations. Users should uninstall any existing installations of ModHeader version 7.0.18 or later. Since the malicious code was distributed via the official store, users should verify extensions for authenticity and monitor for suspicious behavior. No official patch or update is available; remediation involves removal of the compromised extension. Enterprise administrators should audit managed devices for the presence of this extension and remove it to prevent adware and spyware activity.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://hackindex.io/research/modheader-malware-chrome-spyware"]
- Adversary
- null
- Pulse Id
- 6a55ed9b6b71e59faf2f8ea7
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttps://modheader.com/api/ad-settings | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainapi.stanfordstudies.com | — |
Threat ID: 6a56093968715ace4346c86f
Added to database: 07/14/2026, 10:02:33 UTC
Last enriched: 07/14/2026, 10:18:36 UTC
Last updated: 07/15/2026, 03:35:17 UTC
Views: 25
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.