Legitimate Chrome VPN Extension Turns to Browser Spyware

Published 19/08/2025 17:08 · Modified 19/08/2025 21:22

Essential information

Tags
2025-08-19 browser security chrome extension data exfiltration freevpn.one google web store screenshot capture spyware user privacy vpn
Related entities
3 observables, 8 techniques (mitre), 1 malware

Description

A popular Chrome extension, , with over 100,000 installs has transformed into . Initially legitimate, the extension began capturing screenshots of users' online activities and collecting sensitive information after an update in April 2025. The operates covertly, automatically taking screenshots of every webpage visited and uploading them to an attacker-controlled domain. It also exfiltrates device and location data at installation and startup. The extension's developer provided evasive responses when confronted, claiming the feature was for background scanning of suspicious domains. This incident highlights the potential risks associated with services and the importance of scrutinizing even seemingly trustworthy browser extensions.

External references