{
  "name": "108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure",
  "slug": "108-chrome-extensions-linked-to-data-exfiltration-and-session-theft-via-shared-c2-infrastructure",
  "description": "A coordinated campaign of 108 malicious Chrome extensions, operated through shared command-and-control infrastructure at cloudapi[.]stream and collectively accounting for approximately 20,000 installations, has been identified. The campaign spans multiple threat categories: 54 extensions steal Google account identities via OAuth2, one extension actively exfiltrates Telegram Web sessions every 15 seconds, and 45 extensions contain a universal backdoor enabling arbitrary URLs to be opened on browser startup. Published under five distinct publisher identities (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), these extensions masquerade as legitimate tools, including Telegram sidebar clients, slot games, YouTube and TikTok enhancers, and translation utilities. All extensions route stolen credentials, user identities, and browsing data to servers controlled by the same operator, with the infrastructure confirming a Malware-as-a-Service business model.",
  "published": "2026-04-14T15:38:11.151000+00:00",
  "created_at": "2026-04-14T15:50:42.579000+00:00",
  "modified_at": "2026-04-14T13:50:42+00:00",
  "created_at_opencti": "2026-04-14T15:50:42.579000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "browser backdoor",
    "chrome extensions",
    "google identity theft",
    "session hijacking"
  ],
  "tags": [
    "2026-04-14",
    "browser backdoor",
    "chrome extensions",
    "google identity theft",
    "session hijacking"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "39fe6752-5777-4c19-9749-12451093a853",
        "name": "goldminer.cloudapi.stream"
      },
      {
        "id": "bbde632f-9cca-4224-8904-939098c2d945",
        "name": "http://tg.cloudapi.stream/delete_session.php"
      },
      {
        "id": "7df20ca7-cf22-46a5-93eb-e558f21e07df",
        "name": "coin-miner.cloudapi.stream"
      },
      {
        "id": "47ff0d79-d6ab-42e3-9596-5b9229222965",
        "name": "http://api.cloudapi.stream:8443/Translation"
      },
      {
        "id": "5811a8fe-341d-4290-8c02-08bd43c65d17",
        "name": "http://tg.cloudapi.stream/save_title.php"
      },
      {
        "id": "1cb46b91-b5e4-4b16-9502-44469499ce7f",
        "name": "http://top.rodeo/notify.php"
      },
      {
        "id": "56804b54-c783-4e5a-9103-f53a7b53fa86",
        "name": "144.126.135.238"
      },
      {
        "id": "3d7243f7-473a-4f3d-8f60-0394a26ad03f",
        "name": "herculessportslegend.cloudapi.stream"
      },
      {
        "id": "211e7130-d30c-4c95-934d-bd459b6f7775",
        "name": "multiaccount.cloudapi.stream"
      },
      {
        "id": "41dd84f3-01ca-417f-9065-7bb5d6af9a20",
        "name": "profile.name"
      },
      {
        "id": "41f26976-4511-4446-8cea-243c1d0b1c23",
        "name": "support@top.rodeo"
      },
      {
        "id": "fd9f73ea-ba0c-4f77-893c-71fa673b216e",
        "name": "metal.cloudapi.stream"
      },
      {
        "id": "affa69f1-e72c-47ae-9fcd-57495909b1fc",
        "name": "http://top.rodeo/server/remote3.php"
      },
      {
        "id": "8ee02ae4-0c93-40ff-ae32-70effa8fcfec",
        "name": "nashprom.info"
      },
      {
        "id": "6965eae9-519d-4834-9b96-be395ee75cda",
        "name": "http://mines.cloudapi.stream/auth_google"
      },
      {
        "id": "881b96cb-2e3f-42b9-8bb5-8f173dfdf071",
        "name": "api.cloudapi.stream"
      },
      {
        "id": "0efe040d-900c-44d0-a297-4448ec8e2f53",
        "name": "http://mines.cloudapi.stream/slot_test/"
      },
      {
        "id": "c1e0aa8a-6cb0-4b86-8082-a278e733fcdb",
        "name": "http://tg.cloudapi.stream/count_sessions.php"
      },
      {
        "id": "d37ac1aa-0857-492c-a1cb-d10cf91f5b61",
        "name": "http://mines.cloudapi.stream/user_info"
      },
      {
        "id": "04d9372a-e98f-4723-b28f-4cbf252eeb1f",
        "name": "http://top.rodeo/server/remote.php"
      },
      {
        "id": "1d17b40a-5741-4ecc-9a9a-5374bab8f711",
        "name": "cdn.cloudapi.stream"
      },
      {
        "id": "67877f1f-4364-4f2f-b16c-aef9ced65bcf",
        "name": "http://tg.cloudapi.stream/get_sessions.php"
      },
      {
        "id": "9dad587b-2bbd-4a53-bb36-1126e8320af7",
        "name": "http://tg.cloudapi.stream/save_session.php"
      },
      {
        "id": "996e73e2-7fb8-4088-bd83-ae82249855d1",
        "name": "chat.cloudapi.stream"
      },
      {
        "id": "f66ce0f0-ce90-4a41-bfb5-ccde9ce5cf18",
        "name": "topup.cloudapi.stream"
      },
      {
        "id": "1ce625e1-19b2-4cc1-9ed7-3944c334c02b",
        "name": "cloudapi.stream"
      },
      {
        "id": "79467700-1864-49f1-8062-2ce1b79de568",
        "name": "http://cloudapi.stream/install/"
      },
      {
        "id": "0dad1fe5-9761-49f8-87c0-a5ab288de24b",
        "name": "interalt.net"
      },
      {
        "id": "1d2508d3-2c0f-4312-a686-c9059578ffc6",
        "name": "chrome.runtime.id"
      },
      {
        "id": "7ef4be86-f7aa-49e9-9872-7dde9e700c02",
        "name": "crm.cloudapi.stream"
      },
      {
        "id": "140e23ee-9e37-4b9e-bb25-e071805f26b1",
        "name": "gamewss.cloudapi.stream"
      },
      {
        "id": "36566a11-8aae-4014-a29f-5beaa81a007a",
        "name": "mines.cloudapi.stream"
      },
      {
        "id": "927c662f-3457-4e1e-ae78-52a537e8eb46",
        "name": "message.data"
      },
      {
        "id": "5cbc9f34-96de-4e5a-b79b-07f8ea1f6742",
        "name": "http://tg.cloudapi.stream/get_session.php"
      },
      {
        "id": "a7491e08-abd3-4ac0-86b6-552acc05eb80",
        "name": "http://api.cloudapi.stream:8443/Register"
      },
      {
        "id": "52f9edbc-eb4e-4206-a3bb-baee67b333c9",
        "name": "webuk.tech"
      },
      {
        "id": "95b1d5c5-3724-43a4-bc0e-52f12546e892",
        "name": "wheel.cloudapi.stream"
      },
      {
        "id": "4fefb908-abda-4323-8f33-ac0bdec0eeb3",
        "name": "tg.cloudapi.stream"
      },
      {
        "id": "d86119bf-a256-4094-9014-b0c19aa9222e",
        "name": "profile.email"
      },
      {
        "id": "6c09aa95-41b3-40b0-92f7-202819047a3b",
        "name": "http://cloudapi.stream/uninstall/"
      }
    ],
    "attack_patterns": [
      {
        "id": "8c79f5d6-60f2-4b5c-9b44-3e00ce9294d0",
        "name": "T1074.001"
      },
      {
        "id": "5c67e5d2-bc85-4ce0-822d-f2f5d3b0ae4e",
        "name": "T1185"
      },
      {
        "id": "7e3e3784-9547-42ca-b888-482972d14be3",
        "name": "T1528"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "d9b45b3b-d093-4016-89e9-48f31ff4d05d",
        "name": "T1566"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "743d2e0c-e5d5-4ccb-a6bd-0035c4e88c37",
        "name": "T1176"
      },
      {
        "id": "97d377d8-89c7-48f8-a79f-0f48bd60df74",
        "name": "T1005"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "b7c6c1ad-f183-4128-8427-3891029c73dc",
        "name": "T1539"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "232fbdfa-94c6-443d-b575-373e75b4f4c2",
        "name": "T1567"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "fa3b8b48-d97c-4242-83a6-07d435a5a79e",
        "name": "T1041"
      }
    ],
    "observables": [
      {
        "id": "312d8e40-0bec-4865-8d3f-5c09972b3bcb",
        "name": "interalt.net"
      },
      {
        "id": "ca1c6d45-bbf8-444b-8f67-1536d1ffbfa9",
        "name": "profile.email"
      },
      {
        "id": "d8c57052-641d-41f5-ac15-fe1489a5287d",
        "name": "cloudapi.stream"
      },
      {
        "id": "00e34331-fe67-4e24-94c2-d9c1f5f40992",
        "name": "nashprom.info"
      },
      {
        "id": "e6491271-5309-4314-8c4b-d68c2dbcb4e7",
        "name": "message.data"
      },
      {
        "id": "2e8e34bb-01de-46d1-a351-2d8019e16abe",
        "name": "webuk.tech"
      },
      {
        "id": "1fe78309-79d0-4c43-b185-7cc1b158f484",
        "name": "profile.name"
      },
      {
        "id": "5e456c89-2acb-46f6-8c55-2a6326a22636",
        "name": "support@top.rodeo"
      },
      {
        "id": "c383ffd4-9f6b-45ed-8831-149bca1a89b2",
        "name": "chat.cloudapi.stream"
      },
      {
        "id": "6a88c411-6ddf-4e1a-a757-0134e3a39ee5",
        "name": "wheel.cloudapi.stream"
      },
      {
        "id": "135b8223-929e-48b2-a595-d108db138d7d",
        "name": "gamewss.cloudapi.stream"
      },
      {
        "id": "8499e97a-c881-4a15-a09f-5cace67f6315",
        "name": "coin-miner.cloudapi.stream"
      },
      {
        "id": "dd6174d0-85d1-428f-89dc-f536692776aa",
        "name": "herculessportslegend.cloudapi.stream"
      },
      {
        "id": "12051d0a-152a-4894-97bf-ce20dfff656f",
        "name": "mines.cloudapi.stream"
      },
      {
        "id": "d5483602-d351-409f-a4f5-9ccb3ba8607a",
        "name": "metal.cloudapi.stream"
      },
      {
        "id": "85a8733b-77b1-4c39-acf3-3b728c8a3a07",
        "name": "cdn.cloudapi.stream"
      },
      {
        "id": "b5afc8e7-a69b-41fc-95e0-a7b2845223bf",
        "name": "multiaccount.cloudapi.stream"
      },
      {
        "id": "fafaf491-252a-4788-898b-ac2b82556c06",
        "name": "goldminer.cloudapi.stream"
      },
      {
        "id": "555f9aed-e364-49ef-acff-45d20273f96d",
        "name": "tg.cloudapi.stream"
      },
      {
        "id": "7994026e-0167-4b72-bf46-a16b503e5f04",
        "name": "api.cloudapi.stream"
      },
      {
        "id": "4a7b3cf4-c2ba-4db8-b78e-8ecad80b604b",
        "name": "chrome.runtime.id"
      },
      {
        "id": "1e0cfdb6-a22e-4b10-b2ec-ff2a5baa16dc",
        "name": "crm.cloudapi.stream"
      },
      {
        "id": "c3fbc2cd-0d77-4b1c-8f29-1304fb7c833f",
        "name": "topup.cloudapi.stream"
      },
      {
        "id": "7011fc94-e4fd-422e-aaba-eda641470502",
        "name": "144.126.135.238"
      },
      {
        "id": "a2c2fb9f-0255-4313-8bef-79c859be187c",
        "name": "http://mines.cloudapi.stream/slot_test/"
      },
      {
        "id": "be9bf3b9-06b1-4bfe-8d31-63a52e35b66b",
        "name": "http://top.rodeo/server/remote.php"
      },
      {
        "id": "dc857b0e-565d-471e-a942-c557bd173ed4",
        "name": "http://tg.cloudapi.stream/delete_session.php"
      },
      {
        "id": "db422261-1014-4f55-9e57-fa3f4af43340",
        "name": "http://tg.cloudapi.stream/get_sessions.php"
      },
      {
        "id": "57ef6211-e175-43ce-8f79-af819d083637",
        "name": "http://mines.cloudapi.stream/user_info"
      },
      {
        "id": "f21eeddf-fc60-4806-9394-e9283378a06c",
        "name": "http://api.cloudapi.stream:8443/Register"
      },
      {
        "id": "6b9630b8-a3ff-4c3b-84d5-de9b7d28ec3f",
        "name": "http://mines.cloudapi.stream/auth_google"
      },
      {
        "id": "3d8fa43c-897f-4aed-8644-f7062c72f55c",
        "name": "http://api.cloudapi.stream:8443/Translation"
      },
      {
        "id": "a83631fd-434e-4449-8fd6-93b899840b79",
        "name": "http://top.rodeo/server/remote3.php"
      },
      {
        "id": "2ca732ae-8675-4148-b958-6a6c78859754",
        "name": "http://tg.cloudapi.stream/save_title.php"
      },
      {
        "id": "b3bc9f1d-ff52-46ba-845e-e40b470ea45b",
        "name": "http://tg.cloudapi.stream/count_sessions.php"
      },
      {
        "id": "d1e6eebe-022b-45dd-930d-47e1c9962f63",
        "name": "http://cloudapi.stream/uninstall/"
      },
      {
        "id": "69a0e12a-edfb-4c74-bf3f-27256dfd1b78",
        "name": "http://top.rodeo/notify.php"
      },
      {
        "id": "ad15b03d-26b6-4e46-b722-9c0e1261cd89",
        "name": "http://tg.cloudapi.stream/save_session.php"
      },
      {
        "id": "cbf237cf-66e3-4f92-9e3d-552897def1b8",
        "name": "http://tg.cloudapi.stream/get_session.php"
      },
      {
        "id": "875e8956-bf27-4f58-807c-4cf4682c1663",
        "name": "http://cloudapi.stream/install/"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "goldminer.cloudapi.stream"
      },
      {
        "id": "",
        "name": "coin-miner.cloudapi.stream"
      },
      {
        "id": "",
        "name": "herculessportslegend.cloudapi.stream"
      },
      {
        "id": "",
        "name": "multiaccount.cloudapi.stream"
      },
      {
        "id": "",
        "name": "profile.name"
      },
      {
        "id": "",
        "name": "metal.cloudapi.stream"
      },
      {
        "id": "",
        "name": "nashprom.info"
      },
      {
        "id": "",
        "name": "api.cloudapi.stream"
      },
      {
        "id": "",
        "name": "cdn.cloudapi.stream"
      },
      {
        "id": "",
        "name": "chat.cloudapi.stream"
      },
      {
        "id": "",
        "name": "topup.cloudapi.stream"
      },
      {
        "id": "",
        "name": "cloudapi.stream"
      },
      {
        "id": "",
        "name": "interalt.net"
      },
      {
        "id": "",
        "name": "chrome.runtime.id"
      },
      {
        "id": "",
        "name": "crm.cloudapi.stream"
      },
      {
        "id": "",
        "name": "gamewss.cloudapi.stream"
      },
      {
        "id": "",
        "name": "mines.cloudapi.stream"
      },
      {
        "id": "",
        "name": "message.data"
      },
      {
        "id": "",
        "name": "webuk.tech"
      },
      {
        "id": "",
        "name": "wheel.cloudapi.stream"
      },
      {
        "id": "",
        "name": "tg.cloudapi.stream"
      },
      {
        "id": "",
        "name": "profile.email"
      }
    ]
  },
  "external_refs": [
    {
      "id": "ed0cdd98-6aa2-4198-8d9d-af4122855db8",
      "standard_id": "external-reference--ab4af529-743c-58d5-b74d-c38a375cc73d",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2",
      "hash": null,
      "external_id": null,
      "created": "2026-04-14T15:50:42.526Z",
      "modified": "2026-04-14T15:50:42.526Z",
      "createdById": null
    },
    {
      "id": "5ee72ab6-6262-4cf5-ae92-fea3e31bc3c0",
      "standard_id": "external-reference--deed40e0-59cd-5cbb-b66e-9108c2f8bee3",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69de5f631a2f4bca81392ccd",
      "hash": null,
      "external_id": "69de5f631a2f4bca81392ccd",
      "created": "2026-04-14T15:50:42.504Z",
      "modified": "2026-04-14T15:50:42.504Z",
      "createdById": null
    }
  ]
}