100+ Fake Chrome Extensions Found Hijacking Sessions, Stealing Credentials, Injecting Ads
Briefly

Since February 2024, an unidentified threat actor has been linked to the creation of various malicious Chrome extensions that seem harmless but actually perform harmful functions such as data exfiltration, arbitrary code execution, and credential theft. These extensions, which use excessive permissions to interact with websites in the browser and execute remote code, often originate from deceptive websites mimicking legitimate services. While details of the victim acquisition process remain unclear, social media and phishing are the suspected methods, which amplifies the risk associated with these add-ons.
While the browser add-ons appear to offer the advertised features, they also enable credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation.
The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more to direct users to install corresponding malicious extensions.
Read at The Hacker News