
Hidden Threats of Dual-Function Malware Found in Chrome Extensions

Published 21/05/2025 16:09 · Modified 21/05/2025 22:32


Essential information

Tags
2025-05-21, api endpoints, chrome extensions, code execution, data theft, lure websites, traffic manipulation
Related entities
100 observables, 16 techniques (mitre)

Description

An unknown threat actor has been creating malicious Chrome browser extensions since February 2024, using fake websites to lure users into installing them. These extensions have dual functionality, appearing to work as intended while also connecting to malicious servers to steal user data and execute arbitrary code. The extensions request excessive permissions and use various techniques to bypass security measures. They communicate with actor-controlled API domains, sending encrypted system information and receiving dynamic rules and code. The malicious activities include cookie theft, , and potential account compromises. Over 100 fake websites and extensions have been deployed, exploiting current trends to attract users. The Chrome Web Store has removed some extensions, but the actor's persistence poses an ongoing threat to users seeking productivity tools and browser enhancements.

External references