Legitimate Chrome VPN Extension Turns to Browser Spyware

Threat Report

A popular Chrome VPN extension with over 100,000 installs has transformed into spyware.

Threat Overview

A threat report published by AlienVault on August 19, 2025, reveals that a widely used Chrome VPN extension named FreeVPN.One has been compromised and now functions as spyware. The extension was initially considered legitimate; following an update in April 2025 it began capturing screenshots of users’ browsing and collecting sensitive information. It operates covertly, automatically taking a screenshot of every web page visited and uploading it to a domain controlled by the attackers, and it also exfiltrates device and location data at installation and at browser startup.

When confronted, the extension’s developer gave evasive responses, claiming the screenshot feature was intended for background scanning of suspicious domains. The incident underscores the risk of trusting browser extensions, VPN extensions included, that receive updates automatically, and it emphasizes the importance of scrutinizing even seemingly trustworthy extensions on an ongoing basis rather than only at install time.

Detailed Analysis

FreeVPN.One is a Chrome extension designed to provide secure browsing through a Virtual Private Network (VPN). With over 100,000 installs, it was trusted by many users for its purported security benefits. However, an update in April 2025 transformed the extension into spyware that captures sensitive information without user consent. Because Chrome installs extension updates automatically, existing users received the malicious version without taking any action.

The malware operates covertly by taking a screenshot of every web page visited and uploading it to a domain controlled by the attackers, allowing them to monitor users’ online activity as it happens. Because a screenshot captures the rendered page, neither TLS nor the VPN tunnel itself offers any protection: whatever is displayed in the browser, including banking sessions, webmail and internal applications, is exposed. Additionally, the spyware exfiltrates device and location data at installation and startup, giving the attackers useful information about the user’s environment.

The developer’s evasive responses when confronted suggest a deliberate attempt to conceal the true nature of the extension’s updates. The claim that the feature was for background scanning of suspicious domains is likely a cover story to avoid detection and maintain user trust.
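One concrete check that follows from the above, since an update was the delivery vehicle, is to compare an extension’s manifest across versions and flag the capabilities that unattended page capture requires. The script below is an added example for this page, not code from the extension or from the report; both manifests are constructed to illustrate the pattern and are not FreeVPN.One’s real manifests, and the api.example-vpn.invalid host is a placeholder.

```javascript
// Added example for this page: flag a Chrome extension update that gains the
// capabilities needed to screenshot every page. Not code from the extension
// or the report; both manifests below are constructed for illustration.

// Host patterns that grant access to every site. chrome.tabs.captureVisibleTab,
// the API behind extension screenshots, requires either activeTab (granted only
// after a user gesture on one tab) or the <all_urls> host permission; only the
// latter permits unattended capture of every page.
const BROAD_HOST_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Permissions that deserve a second look when they first appear in an update.
const SENSITIVE_PERMISSIONS = {
  tabs: "read the URL and title of every tab",
  scripting: "inject scripts into pages",
  webRequest: "observe traffic to matched hosts",
  cookies: "read cookies for matched hosts",
  geolocation: "read device location",
  alarms: "wake the background worker on a schedule",
};
const isSensitive = (p) => Object.prototype.hasOwnProperty.call(SENSITIVE_PERMISSIONS, p);
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// MV3 lists host access under host_permissions; MV2 mixed it into permissions.
function hostsOf(manifest) {
  return [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .filter(isHostPattern);
}

function auditManifest(manifest) {
  const broadHosts = hostsOf(manifest).filter((h) => BROAD_HOST_PATTERNS.includes(h));
  const sensitivePermissions = (manifest.permissions || []).filter(isSensitive);
  // Unattended capture needs broad host access plus a background context
  // (service worker or background page) that runs without an open popup.
  const hasBackground = Boolean(manifest.background);
  return {
    version: manifest.version,
    broadHosts,
    sensitivePermissions,
    canCaptureAnyPage: broadHosts.length > 0 && hasBackground,
  };
}

function diffManifests(oldManifest, newManifest) {
  const oldPerms = new Set(oldManifest.permissions || []);
  const oldHosts = new Set(hostsOf(oldManifest));
  const before = auditManifest(oldManifest);
  const after = auditManifest(newManifest);
  return {
    from: oldManifest.version,
    to: newManifest.version,
    addedPermissions: (newManifest.permissions || [])
      .filter((p) => !isHostPattern(p) && !oldPerms.has(p)),
    addedHosts: hostsOf(newManifest).filter((h) => !oldHosts.has(h)),
    // The transition the report describes: a version that could not capture
    // pages is replaced by one that can.
    escalatesToPageCapture: !before.canCaptureAnyPage && after.canCaptureAnyPage,
  };
}

// Constructed manifests for a hypothetical "Example VPN" (not FreeVPN.One's).
const MANIFEST_V1 = {
  manifest_version: 3,
  name: "Example VPN",
  version: "3.0.0",
  permissions: ["proxy", "storage", "webRequest"],
  host_permissions: ["https://api.example-vpn.invalid/*"],
  background: { service_worker: "bg.js" },
};
const MANIFEST_V2 = {
  ...MANIFEST_V1,
  version: "3.1.4",
  permissions: ["proxy", "storage", "webRequest", "tabs", "geolocation", "alarms"],
  host_permissions: ["<all_urls>"],
};

// Human-readable summary of what an update gained.
function report(oldManifest, newManifest) {
  const d = diffManifests(oldManifest, newManifest);
  const lines = [`${oldManifest.name}: ${d.from} -> ${d.to}`];
  for (const p of d.addedPermissions) {
    lines.push(`  + permission ${p}: ${SENSITIVE_PERMISSIONS[p] || "no note"}`);
  }
  for (const h of d.addedHosts) lines.push(`  + host ${h}`);
  if (d.escalatesToPageCapture) lines.push("  ! update newly enables unattended capture of every page");
  return lines.join("\n");
}

console.log(report(MANIFEST_V1, MANIFEST_V2));
```

Run with node. Installed versions are unpacked under the Chrome profile directory (Extensions/<id>/<version>/manifest.json), so the two constructed objects can be replaced with fs.readFileSync plus JSON.parse of two such files. The check is necessary rather than sufficient: an extension that already held broad host access can turn malicious with no manifest change at all, so a flagged update should prompt review of the unpacked code and its network destinations, not just of the permission list.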

Operational Security Measures

Although the spyware operates covertly on the endpoint, its network behaviour is distinctive: an image upload to the same domain shortly after each page load, plus a device-and-location beacon at installation and startup. That regularity makes the traffic easy to detect and analyze, and the upload domain can be monitored and blocked at the proxy or DNS layer.

The reliance on a single domain for data exfiltration also presents an operational risk for the attackers. If the domain is identified and taken down, the spyware’s collection capability is significantly impaired, although the extension itself remains installed until it is removed.

Recommendations for Mitigation

Organizations and individual users can implement several measures to mitigate the threat posed by this compromised VPN extension:

  • Regular Updates: Keep browsers and operating systems patched; updates address known vulnerabilities that malware can exploit. Note, however, that in this incident the malicious functionality arrived through an extension update, so updates alone are not a safeguard against an extension turning malicious. Treat an extension update that requests new permissions as a change to be reviewed before it is accepted.
  • Extension Scrutiny: Be cautious when installing browser extensions, even those from reputable sources. Review the permissions an extension requests, in particular broad host access such as <all_urls> combined with the tabs permission, which is what an extension needs in order to capture every page, and re-check them after updates. Scrutinize user reviews and ratings, and in managed environments restrict installation to an allowlist of reviewed extensions.
  • Network Monitoring: Deploy network monitoring tools to detect unusual data exfiltration patterns, such as repeated uploads from browsers to a single uncommon domain. This can identify compromised extensions and prevent sensitive information from reaching attacker-controlled domains.
  • Endpoint Protection: Implement endpoint protection solutions to detect and block malicious activities on individual devices. Endpoint protection can help prevent the initial infection and limit the spread of malware within the network.
  • Security Awareness Training: Provide regular security awareness training to employees to help them recognize and report potential security threats. This can include training on recognizing suspicious browser extensions and best practices for online security.
  • Regular Backups: Maintain regular backups of critical data to ensure that it can be restored in the event of a data breach or loss. Backups should be stored offline or in a separate network segment to prevent them from being compromised by malware. Backups address destructive attacks; they do not undo the disclosure of captured screenshots, so treat anything displayed in the browser during the infection window as exposed.
  • Incident Response Plan: Develop and maintain an incident response plan to ensure that the organization can respond quickly and effectively to security incidents. The plan should include steps for containing the threat, investigating the incident, and restoring affected systems.

By implementing these measures, organizations and individual users can significantly reduce the risk of falling victim to this compromised VPN extension and other sophisticated malware threats.
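The upload pattern described under Operational Security Measures, one image POST to the same host shortly after each page load, can be surfaced from proxy logs without any signature for the domain itself, which is the Network Monitoring recommendation above in concrete form. The script below is an added example for this page, not tooling from the report; the log format and every line are constructed, and collector.example.invalid stands in for the attacker-controlled domain, which is not reproduced here.

```javascript
// Added example for this page, not tooling from the report: detect a browser
// that uploads an image to the same host shortly after every page it loads.
// The log format and all lines are constructed; collector.example.invalid is
// a placeholder for the attacker-controlled domain.

// Constructed format: <timestamp> <client> <method> <url> <status>
//                     <request content-type> <response content-type> <request bytes>
const SAMPLE_LOG = [
  "2025-04-22T10:00:01Z 10.0.0.5 GET https://news.example.com/ 200 - text/html 0",
  "2025-04-22T10:00:03Z 10.0.0.5 POST https://collector.example.invalid/upload 200 image/png application/json 184322",
  "2025-04-22T10:00:05Z 10.0.0.7 GET https://news.example.com/ 200 - text/html 0",
  "2025-04-22T10:00:09Z 10.0.0.5 GET https://mail.example.com/inbox 200 - text/html 0",
  "2025-04-22T10:00:11Z 10.0.0.5 POST https://collector.example.invalid/upload 200 image/png application/json 201544",
  "2025-04-22T10:00:20Z 10.0.0.5 GET https://bank.example.com/accounts 200 - text/html 0",
  "2025-04-22T10:00:22Z 10.0.0.5 POST https://collector.example.invalid/upload 200 image/png application/json 190871",
  "2025-04-22T10:00:31Z 10.0.0.5 GET https://intranet.example.com/hr 200 - text/html 0",
  "2025-04-22T10:00:33Z 10.0.0.5 POST https://collector.example.invalid/upload 200 image/png application/json 176203",
  "2025-04-22T10:00:38Z 10.0.0.7 GET https://photos.example.com/album 200 - text/html 0",
  "2025-04-22T10:00:40Z 10.0.0.7 POST https://photos.example.com/upload 200 image/jpeg application/json 3400000",
];

function parseLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length !== 8) return null; // skip malformed lines rather than throw
  const [ts, client, method, url, status, reqType, respType, bytes] = f;
  return {
    t: Date.parse(ts),
    client,
    method,
    host: new URL(url).hostname,
    status: Number(status),
    reqType,
    respType,
    bytes: Number(bytes),
  };
}

// A page load is a GET answered with HTML; a candidate upload is a POST whose
// request body is an image.
const isPageLoad = (e) => e.method === "GET" && e.respType.startsWith("text/html");
const isImageUpload = (e) => e.method === "POST" && e.reqType.startsWith("image/");

// Returns one finding per (client, host) pair where at least minUploads image
// uploads each follow a page load within maxLagSeconds, and those uploads
// account for at least minRatio of the client's page loads.
function analyze(lines, { minUploads = 3, maxLagSeconds = 10, minRatio = 0.8 } = {}) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.t - b.t);
  const byClient = new Map();
  for (const e of events) {
    if (!byClient.has(e.client)) byClient.set(e.client, { loads: [], uploads: new Map() });
    const c = byClient.get(e.client);
    if (isPageLoad(e)) {
      c.loads.push(e.t);
    } else if (isImageUpload(e)) {
      if (!c.uploads.has(e.host)) c.uploads.set(e.host, []);
      c.uploads.get(e.host).push(e);
    }
  }
  const findings = [];
  for (const [client, { loads, uploads }] of byClient) {
    for (const [host, ups] of uploads) {
      // An upload "follows" a page load if one occurred within maxLagSeconds before it.
      const followed = ups.filter((u) =>
        loads.some((t) => u.t - t >= 0 && u.t - t <= maxLagSeconds * 1000));
      const ratio = loads.length ? followed.length / loads.length : 0;
      if (followed.length >= minUploads && ratio >= minRatio) {
        findings.push({
          client,
          host,
          pageLoads: loads.length,
          uploads: ups.length,
          followedLoads: followed.length,
          bytes: ups.reduce((s, u) => s + u.bytes, 0),
        });
      }
    }
  }
  return findings;
}

console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
```

Run with node. Client 10.0.0.5 is flagged because every one of its four page loads is followed within seconds by a PNG upload to the same host; client 10.0.0.7’s single JPEG upload to a photo site is not, because it neither recurs nor tracks the client’s browsing. Thresholds should be tuned per environment, and a production pipeline would also watch for the install-time and startup beacon and for destination domains that are rare across the fleet.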
