Cybersecurity firm Socket has uncovered a large-scale malicious campaign involving 108 Google Chrome extensions that are actively harvesting user data and enabling browser-level abuse. The extensions, which collectively have around 20,000 installs on the Chrome Web Store, communicate with a shared command-and-control (C2) infrastructure designed to exfiltrate sensitive information and manipulate web activity.
The campaign spans five publisher identities – Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt – indicating a coordinated effort to distribute seemingly legitimate browser tools while operating under a unified backend. Despite presenting themselves as useful applications, all identified extensions route stolen credentials, user identities, and browsing data to attacker-controlled servers.
A significant portion of the extensions is engineered to target Google account data, with dozens leveraging OAuth2 mechanisms to extract user identity details such as email addresses, profile information, and account identifiers. Others are equipped with a universal backdoor capability, enabling them to open arbitrary URLs upon browser startup and execute unauthorized actions without user consent.
The malicious functionality extends further: several extensions exfiltrate Telegram Web session data at frequent intervals, effectively allowing attackers to hijack active sessions. Others weaken the protections of sites such as YouTube and TikTok by stripping protective HTTP response headers and injecting unauthorized scripts, overlays, and advertisements into the pages.
To maximize their reach, the extensions inject content scripts into every webpage the user visits, giving them a foothold on each page for continuous data collection and manipulation. Certain tools also reroute translation requests through attacker-controlled servers, so the text a user submits for translation passes through the attackers' infrastructure, adding another layer of surveillance and data interception.
These extensions are disguised as a wide range of applications, including Telegram clients, gaming tools such as slot and racing games, social media enhancers, and translation utilities. This diversity in appearance enables threat actors to target a broad user base while maintaining a consistent malicious infrastructure behind the scenes.
Among the notable examples, Telegram-themed extensions are designed to extract authentication tokens and manipulate session data, potentially allowing attackers to replace a victim’s active session with their own. Similarly, gaming-related extensions have been observed capturing Google account information during user sign-in attempts.
Socket confirmed that all 108 extensions rely on the same backend server, highlighting the scale and coordination of the operation. The infrastructure enables centralized control, data aggregation, and execution of malicious commands across all infected browsers.
The identity of the threat actors remains unknown, although traces within the source code suggest possible links to Russian-language developers. Regardless of attribution, the campaign underscores the growing risks associated with browser extensions and the increasing sophistication of supply-chain-style attacks within web ecosystems.
Users who have installed any of the identified extensions are strongly advised to remove them immediately and secure their accounts. For Telegram, that means terminating all active Telegram Web sessions from the mobile app (Settings, Devices) so that any stolen session data stops working; for Google, it means reviewing and revoking third-party access in the account's security settings to prevent further unauthorized access.