Hidden Threats of Dual-Function Malware Found in Chrome Extensions
Essential information
- Published
- 21/05/2025 16:09
- Modified
- 21/05/2025 22:32
- Tags
- 2025-05-21, api endpoints, chrome extensions, code execution, data theft, lure websites, traffic manipulation
- Related entities
- 100 observables, 16 techniques (mitre)
Description
An unknown threat actor has been creating malicious Chrome browser extensions since February 2024, using fake websites to lure users into installing them. These extensions have dual functionality, appearing to work as intended while also connecting to malicious servers to steal user data and execute arbitrary code. The extensions request excessive permissions and use various techniques to bypass security measures. They communicate with actor-controlled API domains, sending encrypted system information and receiving dynamic rules and code. The malicious activities include cookie theft, traffic manipulation, and potential account compromises. Over 100 fake websites and extensions have been deployed, exploiting current trends to attract users. The Chrome Web Store has removed some extensions, but the actor's persistence poses an ongoing threat to users seeking productivity tools and browser enhancements.
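The description points at two manifest-level warning signs a defender can check without running the extension: the excessive permissions the extensions request, and the combination of cookie access with broad host access that makes cookie theft and traffic manipulation possible. The script below is an added example written for this page, not code from the report or from any of the extensions it describes. The set of permissions treated as high-risk and the scoring thresholds are my own assumptions; the two manifests are constructed samples, not observables from the report.

```python
"""Static audit of a Chrome extension manifest for over-broad permissions.

Added example (not from the original report). Reads a manifest.json
(Manifest V2 or V3), flags permissions that grant wide reach over
browsing data or network traffic, and scores the result.
"""
import json
import sys

# Permissions that give an extension broad reach over user data or traffic.
# Which ones count as "excessive" is an assumption of this example.
HIGH_RISK_PERMISSIONS = {
    "cookies": "read/modify cookies on granted hosts (cookie theft)",
    "webRequest": "observe network requests (traffic inspection)",
    "webRequestBlocking": "block or redirect requests (MV2)",
    "declarativeNetRequest": "rewrite/redirect requests via rules",
    "declarativeNetRequestWithHostAccess": "rewrite requests on granted hosts",
    "scripting": "inject scripts into pages",
    "tabs": "read URLs and titles of open tabs",
    "management": "enumerate or disable other extensions",
    "nativeMessaging": "talk to native host binaries",
    "debugger": "attach the DevTools debugger to tabs",
}

# Host patterns that mean "every site the user visits".
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return a dict with the extension name, findings, score and risk level."""
    findings = []
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hosts = list(manifest.get("host_permissions", []))

    # Manifest V2 lists host patterns inside "permissions"; move them over.
    for p in list(perms):
        if p == "<all_urls>" or "://" in p:
            hosts.append(p)
            perms.discard(p)

    for p in sorted(perms):
        if p in HIGH_RISK_PERMISSIONS:
            findings.append(f"permission '{p}': {HIGH_RISK_PERMISSIONS[p]}")

    broad = sorted(h for h in hosts if h in BROAD_HOST_PATTERNS)
    if broad:
        findings.append(f"broad host access: {', '.join(broad)}")

    score = len(findings)
    # Cookie access on every host is the specific pairing that enables
    # cross-site cookie theft, so it is weighted more heavily (assumed weight).
    if "cookies" in perms and broad:
        score += 2

    level = "high" if score >= 3 else "medium" if score >= 1 else "low"
    return {
        "name": manifest.get("name", "<unnamed>"),
        "findings": findings,
        "score": score,
        "level": level,
    }


# Constructed sample manifests (not real extensions from the report).
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Note Taker",
    "permissions": ["activeTab", "storage"],
    "host_permissions": [],
}

SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Sample Productivity Booster",
    "permissions": ["cookies", "webRequest", "declarativeNetRequest",
                    "scripting", "tabs", "storage"],
    "host_permissions": ["<all_urls>"],
}


def main(argv):
    """Audit a manifest.json path given on the command line, else the samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            manifests = [json.load(fh)]
    else:
        manifests = [BENIGN_MANIFEST, SUSPICIOUS_MANIFEST]
    for m in manifests:
        result = audit_manifest(m)
        print(f"{result['name']}: {result['level']} (score {result['score']})")
        for f in result["findings"]:
            print(f"  - {f}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to audit the two built-in samples, or pass the path to an unpacked extension's manifest.json. A high score is a prompt for review rather than proof of malice: legitimate ad blockers also request `declarativeNetRequest` and `<all_urls>`, so the audit is most useful alongside a check of which servers the extension's background code actually contacts.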