A massive and ongoing campaign involving over 100 malicious Chrome extensions has been uncovered, with threat actors deploying browser add-ons disguised as free AI tools, VPN services, crypto utilities, and SEO optimizers to infiltrate user systems. The malicious Chrome extensions, still active on the Chrome Web Store (CWS) at the time of reporting, function as surveillance and command platforms capable of stealing access tokens, exfiltrating cookies, and executing remote code.
According to a report by DomainTools, the campaign demonstrates sophisticated evasion tactics and long-term operational planning. The extensions appear to operate as intended—offering basic services like AI queries or VPN access—while secretly connecting to attacker-controlled servers to send telemetry, receive commands, and perform malicious actions.
Among the fake extensions identified are:
- Deepseek AI
- DeBank
- Manus AI
- Eart VPN
- Eelephant
- Forti VPN
- SiteStats
Each extension was linked to a network of malicious backend servers, many using the .top top-level domain, and shared nearly identical code structures and server infrastructures.
“These extensions can execute arbitrary code from attacker-controlled servers on all visited websites, enabling credential theft, session hijacking, ad injection, and phishing,”
— DomainTools researchers
The attack chain typically begins with a lure website, pretending to be a legitimate productivity or crypto tool. Victims are redirected to the Chrome Web Store to install the associated malicious extension. Once installed, the extension silently connects to an attacker’s API server, often using JWT authentication and SHA-256 signatures, to pull executable code and network rules for injection into websites visited by the user.
One example, the Forti VPN extension, delivered partial VPN functionality using a hardcoded API key to a third-party service, while its real purpose was to establish WebSocket connections, exfiltrate cookies, and act as a proxy for malicious traffic routing.
The campaign also bypasses Google’s defenses and Manifest Version 3 (MV3) limitations. While MV3 is supposed to prevent remotely hosted code, these malicious extensions fetch “declarativeNetRequest” rules from a remote server, allowing dynamic modification of network requests after approval by the Chrome Web Store—an effective evasion technique.
The extensions are often configured with excessive permissions to monitor all visited sites, capture cookies, and execute arbitrary code. These permissions make them highly effective at browser-based credential theft, DOM manipulation phishing, ad fraud, and malicious redirections.
Cybersecurity researchers also observed consistent infrastructure patterns behind the campaign, including:
- Domain registration via NameSilo
- Hosting via Cloudflare
- SSL issuance by WE1
- Embedded Facebook Tracker IDs
Some of the extensions used background.js and content scripts to collect detailed system information, such as memory, language, platform, IP, and timezone. This information was encrypted and transmitted to the attacker for tailoring further payloads.
Though Google has removed some of the reported malicious extensions, many remain live, and new ones continue to be added. Researchers warn that the lag in detection and takedown creates a dangerous window for exploitation.
“The actor’s persistence and time lag in detection and removal pose a threat to users seeking productivity tools and browser enhancements,”
— DomainTools report
The attack underscores how even trusted platforms like the Chrome Web Store can become conduits for widespread malware distribution, especially when combined with social engineering and deceptive marketing.
Security recommendations include:
- Installing only from verified and reputable developers
- Carefully reviewing extension permissions
- Avoiding unfamiliar or lookalike browser tools
- Using endpoint protection and antivirus software for behavioral detection
With browser extension threats becoming more advanced and persistent, organizations and individuals must treat Chrome extension malware as a serious vector for data exfiltration, session hijacking, and account compromise.
