Reddit NetSec

AlienVault OTX General

CVE Database V5

Exploit-DB RSS Feed

Reddit InfoSec News

CIRCL OSINT Feed

ThreatFox MISP Feed

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

A campaign targeting the Google Chrome Web Store has deployed over 100 malicious browser extensions masquerading as legitimate tools like VPNs, AI assistants, and crypto utilities. These extensions, while offering some promised functionality, secretly connect to threat actor infrastructure to steal user information and execute remote scripts. They can modify network traffic, deliver ads, perform redirections, and act as proxies. The campaign, discovered by DomainTools researchers, involves numerous fake domains promoting these tools. The extensions request permissions that enable cookie theft, DOM-based phishing, and dynamic script injection. Risks include account hijacking, data theft, and browsing activity monitoring. Some extensions remain on the Chrome Web Store despite Google's removal efforts.

This threat involves a large-scale campaign targeting the Google Chrome Web Store, where over 100 malicious browser extensions have been identified masquerading as legitimate tools such as VPN services, AI assistants, crypto utilities, and even well-known brands like Fortinet and YouTube. These extensions are designed to deceive users by offering some promised functionality to appear legitimate, while covertly performing malicious activities. Once installed, the extensions request extensive permissions that allow them to intercept and modify network traffic, steal cookies, inject dynamic scripts, and perform DOM-based phishing attacks. This enables the threat actors to harvest sensitive user information, including authentication tokens, browsing activity, and potentially credentials, which can lead to account hijacking and further compromise. The extensions also have capabilities to deliver unwanted advertisements, redirect users to malicious or phishing sites, and act as proxies to obfuscate attacker infrastructure. Despite Google's ongoing efforts to detect and remove these extensions, some remain active on the Chrome Web Store, facilitated by the use of numerous fake domains promoting these tools to lure victims. The campaign leverages multiple attack techniques including remote script execution (T1059.007), user execution (T1204.002), command and control over web protocols (T1071), and credential access via input capture and cookie theft (T1056, T1189). The threat is notable for its scale, persistence, and the exploitation of trusted platforms and brands to increase user trust and installation rates.

Detailed information about Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs. Get real-time updates, technical details, and mitigation strateg

Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs - Live Threat Intelligence - Threat Radar | OffSeq.com

Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs

An unknown threat actor has been creating malicious Chrome browser extensions since February 2024, using fake websites to lure users into installing them. These extensions have dual functionality, appearing to work as intended while also connecting to malicious servers to steal user data and execute arbitrary code. The extensions request excessive permissions and use various techniques to bypass security measures. They communicate with actor-controlled API domains, sending encrypted system information and receiving dynamic rules and code. The malicious activities include cookie theft, traffic manipulation, and potential account compromises. Over 100 fake websites and extensions have been deployed, exploiting current trends to attract users. The Chrome Web Store has removed some extensions, but the actor's persistence poses an ongoing threat to users seeking productivity tools and browser enhancements.

Since February 2024, an unknown threat actor has been deploying a widespread campaign involving malicious Chrome browser extensions distributed via over 100 fake websites. These extensions exhibit dual-functionality: they provide legitimate or seemingly useful browser features to avoid suspicion while simultaneously performing covert malicious activities. Upon installation, the extensions request excessive permissions that enable them to access sensitive browser data and system information. They establish encrypted communications with attacker-controlled API endpoints to exfiltrate data and receive dynamic commands and code updates, allowing the malware to adapt and evade detection. The malicious capabilities include stealing cookies, which can lead to session hijacking and account compromises, manipulating web traffic to alter user interactions or inject malicious content, and executing arbitrary code within the browser context. The extensions employ various evasion techniques to bypass Chrome’s security mechanisms and detection by security tools. Despite some removals by the Chrome Web Store, the actor remains persistent, continuously creating new fake websites and extensions that exploit trending topics to lure users seeking productivity tools or browser enhancements. This campaign leverages a broad range of tactics, techniques, and procedures (TTPs) including credential access, system information discovery, command and control communication, and code injection, as indicated by the referenced MITRE ATT&CK techniques (e.g., T1113, T1033, T1114, T1119, T1082, T1071, T1176, T1140, T1555, T1185, T1016, T1059, T1083, T1102, T1573, T1056, T1012, T1132, T1189, T1124). The campaign’s sophistication and persistence pose a significant threat to users and organizations relying on Chrome extensions for daily operations.

Detailed information about Hidden Threats of Dual-Function Malware Found in Chrome Extensions. Get real-time updates, technical details, and mitigation strategi

Title	Severity	Type	Source	Date

Threats Tagged 'chrome extensions'

Filter Threats

Threats Tagged 'chrome extensions'

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility