More than 100 dual-function Chrome extensions hijack sessions and steal user credentials

📟 News

Date: 22/05/2025

According to DomainTools Intelligence (DTI), more than 100 malicious Chrome browser extensions disguised as VPN services, AI assistants, crypto utilities, etc. are used to steal cookies and covertly execute remote scripts.

Unknown cybercriminals have been have been distributing malicious extensions since February 2024.

” The actor creates websites that masquerade as legitimate services, productivity tools, ad and media creation or analysis assistants, VPN services, Crypto, banking and more to direct users to install corresponding malicious extensions on Google’s Chrome Web Store (CWS),” – DTI.

Some of the identified malicious websites impersonate legitimate products and services, including DeepSeek, Manus, DeBank, FortiVPN, YouTube, and Site Stats. After the installation, dual-function extensions start collecting cookies from the browser, retrieving arbitrary scripts from remote servers, and establishing WebSocket connections in order to proxy and route traffic.

Rogue website
Rogue website

The extensions appear to have working or partially working functionality; however, they also steal credentials and cookies, hijack sessions, inject ads into the browser, create malicious redirects, manipulate traffic, and perform phishing by manipulating document object models (DOMs).

In addition, the malicious extensions attempt to grant themselves excessive permissions in the manifest.json file to interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor-controlled domains.

To bypass CSP (Content Security Policy) and execute malicious code, the extensions use the onreset event handler in the DOM.

It’s still unclear how victims are lured to the rogue websites, but DTI researchers suppose that common methods are used for this purpose, including phishing and social media posts.

Cybercriminals behind this malicious campaign remain unknown; however, the Chrome Web Store has removed multiple of the actor’s malicious extensions after malware identification.

The complete list of malicious domains advertising dual-function extensions is available in the DomainTools repository on GitHub. It includes inter alia:

  • earthvpn[.]top;
  • irontunnel[.]world и iron-tunnel[.]com;
  • raccoon-vpn[.]world;
  • orchid-vpn[.]com;
  • soul-vpn[.]com;
  • forti-vpn[.]com и fortivnp[.]com;
  • debank-extension[.]world и debank[.]sbs, debank[.]click;
  • youtube-vision[.]com и youtube-vision[.]world;
  • deepseek-ai[.]link;
  • calendlydaily[.]world, calendlydocker[.]com, calendly-director[.]com;
  • whale-alerts[.]org и whale-alert[.]life;
  • madgicxads[.]world и madgicx-plus[.]com;
  • similar-net[.]com;
  • workfront-plus[.]com; and 
  • flight-radar[.]life.
Related posts:
2025.01.26 — Cisco patched a critical vulnerability in Meeting Management

Cisco released updates to fix a critical (CVSS score: 9.9) vulnerability in Meeting Management. The bug enables an unprivileged remote authenticated attacker to gain administrative privileges. The vulnerability…

Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals

Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…

Full article →
2025.04.08 — Website of Everest ransomware group hacked and defaced

Last weekend, the darknet website of the Everest ransomware group was hacked and went offline. The attackers replaced its content with a sarcastic message: "Don't do crime…

Full article →
2025.03.10 — Nearly a million Windows computers impacted by a malvertising campaign

According to Microsoft, nearly 1 million Windows devices fell victim to a sophisticated malvertising campaign in recent months. Cybercriminals were able to steal credentials, cryptocurrency, and sensitive…

Full article →
2025.04.16 — Android devices will restart every three days to protect user data

Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…

Full article →
2025.02.01 — Critical RCE vulnerability fixed in Cacti

A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…

Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store

According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…

Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks

Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…

Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks

OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…

Full article →
2025.02.03 — PyPI introduces a project archival system to combat malicious updates

The Python Package Index (PyPI) introduces a new project archival system: a project can now be archived to notify users that it's not expected to be updated…

Full article →