
108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure

· Published 14/04/2026 17:38 · Modified 14/04/2026 15:50


Essential information

Published
14/04/2026 17:38
Modified
14/04/2026 15:50
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
browser backdoor chrome extensions google identity theft session hijacking
Tags
2026-04-14 browser backdoor chrome extensions google identity theft session hijacking
Related entities
40 indicators, 40 observables, 20 techniques (mitre), 22 others

Description

A coordinated campaign of 108 malicious Chrome extensions operated through shared command-and-control infrastructure at cloudapi[.]stream has been identified, collectively accounting for approximately 20,000 installations. The campaign spans multiple threat categories: 54 extensions steal Google account identities via OAuth2, one extension actively exfiltrates Telegram Web sessions every 15 seconds, and 45 extensions contain a universal backdoor enabling arbitrary URL execution on browser startup. Published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), these extensions masquerade as legitimate tools, including Telegram sidebar clients, slot games, YouTube and TikTok enhancers, and translation utilities. All extensions route stolen credentials, user identities, and browsing data to servers controlled by the same operator, and the shared infrastructure confirms a Malware-as-a-Service business model.
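A defensive hunting check for the behaviour described above, added here as an example and not code from the report or its source: it walks a Chrome profile's unpacked Extensions tree, flags any extension whose files reference the shared C2 domain, and lists the declared permissions that match the reported OAuth2 identity theft, session exfiltration and startup URL execution. The extension IDs and file contents in build_sample_root are constructed for the demo; only the domain comes from the report.

```python
import json
import re
import tempfile
from pathlib import Path
from typing import Optional

# Indicator taken from the report (defanged there as cloudapi[.]stream).
C2_DOMAINS = ("cloudapi.stream",)
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in C2_DOMAINS), re.IGNORECASE)
# Permissions consistent with the reported behaviour: identity (Google OAuth2 tokens),
# cookies (web sessions), tabs/scripting/webNavigation (opening arbitrary URLs on startup).
RISKY_PERMISSIONS = {"identity", "cookies", "tabs", "scripting", "webNavigation"}
SCAN_SUFFIXES = {".js", ".json", ".html"}

def scan_extension(ext_dir: Path) -> Optional[dict]:
    """Return a finding for one unpacked extension if any of its files references the C2 domain."""
    manifest_path = ext_dir / "manifest.json"
    if not manifest_path.is_file():
        return None
    manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
    hits = []
    for path in ext_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="ignore")
            for m in DOMAIN_RE.finditer(text):
                hits.append((path.relative_to(ext_dir).as_posix(), m.group(0).lower()))
    if not hits:
        return None
    perms = set(manifest.get("permissions", []))
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "path": str(ext_dir), "c2_references": sorted(set(hits)),
            "risky_permissions": sorted(perms & RISKY_PERMISSIONS)}

def scan_profile(extensions_root: Path) -> list:
    """Walk a profile's Extensions/<id>/<version>/ tree and collect all findings."""
    return [f for f in (scan_extension(m.parent) for m in extensions_root.rglob("manifest.json")) if f]

def build_sample_root() -> Path:
    """Constructed sample tree: one benign and one suspicious extension (hypothetical IDs)."""
    root = Path(tempfile.mkdtemp())
    benign = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({"name": "Benign Notes", "version": "1.0",
                                                      "manifest_version": 3, "permissions": ["storage"]}))
    (benign / "background.js").write_text("chrome.storage.local.set({ok: true});")
    bad = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.3_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"name": "Telegram Sidebar", "version": "2.3",
                                                   "manifest_version": 3, "permissions": ["identity", "tabs", "storage"]}))
    (bad / "background.js").write_text("setInterval(() => fetch('https://CloudAPI.stream/api'), 15000);")
    return root

if __name__ == "__main__":
    for finding in scan_profile(build_sample_root()):
        print(json.dumps(finding, indent=2))
```

On a real system, point scan_profile at the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) and extend C2_DOMAINS with the other indicators from the report.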

External references