More than 100 dual-function Chrome extensions hijack sessions and steal user credentials

📟 News

Date: 22/05/2025

According to DomainTools Intelligence (DTI), more than 100 malicious Chrome browser extensions disguised as VPN services, AI assistants, crypto utilities, etc. are used to steal cookies and covertly execute remote scripts.

Unknown cybercriminals have been have been distributing malicious extensions since February 2024.

” The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, Crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS),” – DTI.

Some of the identified malicious websites impersonate legitimate products and services, including DeepSeek, Manus, DeBank, FortiVPN, YouTube, and Site Stats. After the installation, dual-function extensions start collecting cookies from the browser, retrieving arbitrary scripts from remote servers, and establishing WebSocket connections in order to proxy and route traffic.

Rogue website
Rogue website

The extensions appear to have working or partially working functionality; however, they also steal credentials and cookies, hijack sessions, inject ads into the browser, create malicious redirects, manipulate traffic, and perform phishing by manipulating document object models (DOMs).

In addition, the malicious extensions attempt to grant themselves excessive permissions in the manifest.json file to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor-controlled domains.

To bypass CSP (Content Security Policy) and execute malicious code, the extensions use the onreset event handler in the DOM.

It’s still unclear how victims are lured to the rogue websites, but DTI researchers suppose that common methods are used for this purpose, including phishing and social media posts.

Cybercriminals behind this malicious campaign remain unknown; however, the Chrome Web Store has removed multiple of the actor’s malicious extensions after malware identification.

The complete list of malicious domains advertising dual-function extensions is available in the DomainTools repository on GitHub. It includes inter alia:

  • earthvpn[.]top;
  • irontunnel[.]world и iron-tunnel[.]com;
  • raccoon-vpn[.]world;
  • orchid-vpn[.]com;
  • soul-vpn[.]com;
  • forti-vpn[.]com и fortivnp[.]com;
  • debank-extension[.]world и debank[.]sbs, debank[.]click;
  • youtube-vision[.]com и youtube-vision[.]world;
  • deepseek-ai[.]link;
  • calendlydaily[.]world, calendlydocker[.]com, calendly-director[.]com;
  • whale-alerts[.]org и whale-alert[.]life;
  • madgicxads[.]world и madgicx-plus[.]com;
  • similar-net[.]com;
  • workfront-plus[.]com; and 
  • flight-radar[.]life.
Related posts:
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store

According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…

Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched

Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…

Full article →
2025.02.17 — Dutch police seize 127 servers belonging to Zservers hosting provider

Following the introduction of international sanctions against Zservers, Russian 'bulletproof' hosting services provider, the Dutch National Police (Politie) shut down and seized 127 servers belonging to Zservers/XHost.…

Full article →
2025.02.10 — Failed attempt to block phishing link results in massive Cloudflare outage

According to the incident report released by Cloudflare, an attempt to block a phishing URL on the R2 platform accidentally caused a massive outage; as a result, many Cloudflare…

Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks

Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…

Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024

According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…

Full article →
2025.01.23 — Fake Telegram CAPTCHA forces users to run malicious PowerShell scripts

Hackers used the news of Ross Ulbricht pardoning to lure users to a rogue Telegram channel where they are tricked into running malicious PowerShell code. This…

Full article →
2025.03.18 — Black Basta ransomware group developed its own automated brute-forcing framework

According to EclecticIQ, Black Basta Ransomware-as-a-Service (RaaS) group has developed its own automated brute-forcing framework dubbed BRUTED. It's used to hack edge network devices…

Full article →
2025.02.05 — Google patches Android zero-day vulnerability exploited by hackers

Google released the February set of patches for Android. In total, they fix 48 bugs, including a kernel zero-day vulnerability actively exploited by hackers. The zero-day's…

Full article →
2025.02.12 — 2.8 million IP addresses used to brute-force network devices

The Shadowserver Foundation warns of a massive web login brute-forcing attacks targeting nearly 2.8 million IP addresses per day. Unknown attackers are seeking…

Full article →