Chrome Extensions Campaign Causes Data Theft and Session Hijacking

Executive Summary

On 2026-04-14 a coordinated campaign of 108 malicious Chrome extensions was uncovered by AlienVault. The extensions, published under five different developer names, share a single command‑and‑control (C2) infrastructure that harvests Google identities, steals Telegram Web sessions, and installs a universal backdoor on user browsers. The operation is evidence of a mature Malware‑as‑a‑Service (MaaS) model and demonstrates how seemingly benign extensions can become powerful attack vectors.

Malware Landscape

Collected data shows the campaign spans multiple threat categories:

  • 54 extensions steal Google account identities via OAuth2.
  • 1 extension exfiltrates Telegram Web sessions every 15 seconds.
  • 45 extensions embed a universal backdoor that opens arbitrary URLs on every browser startup.
  • Additional extensions strip security headers, inject ads, and proxy translation requests.

All traffic is routed through the shared C2 host , with subdomains such as and handling session and identity exfiltration respectively.

Technical Tactics

Google Identity Harvesting

Extensions use chrome.identity.getAuthToken to obtain a bearer token, then fetch https://hxxps://www.googleapis.com/oauth2/v3/userinfo and POST only the user’s email, name, picture, and stable sub field to . No credentials are transmitted; the attacker merely gains a persistent identity record.

Telegram Session Theft

The flagship extension obifanppcpchlehkjipahhphbcbjekfa injects a content script into https://web.telegram.org/* that serializes localStorage to capture the user_auth token. Every 15 seconds the token is POSTed to . The attacker can also push a replacement session, effectively hijacking the victim’s Telegram account.

Universal Backdoor – loadInfo()

Forty‑five extensions contain a background function that POSTs chrome.runtime.id to . The server can return an infoURL which the extension then opens in a new tab. This covert channel allows the operator to launch phishing or malware payloads without user interaction.

Security Header Bypass

Five extensions use declarativeNetRequest to strip Content‑Security‑Policy and X-Frame‑Options from target sites such as web.telegram.org, youtube.com, and tiktok.com. This enables the injection of malicious content and circumvents browser security mechanisms.

Infrastructure and Attribution

The C2 is hosted on a Contabo VPS at with a Strapi CMS on port 1337 and PostgreSQL on 5432. The domain was registered 2022-04-30 by Hosting Ukraine LLC. All extensions share two Google Cloud project IDs (1096126762051 and 170835003632), demonstrating a single operator controlling five developer accounts.

Impact Assessment

Approximately 20,000 Chrome Web Store installs are reported, with 3,035 installs for the Telegram extension alone. Victims of the identity harvest have their email and Google sub exposed; Telegram victims have session hijackability. The universal backdoor provides persistence across browser restarts, enabling long‑term compromise.

Recommendations for Security Teams

  1. Block all cloudapi[.]stream subdomains and the IP at the network perimeter.
  2. Detect and remove extensions with identity permission and known OAuth client IDs.
  3. Scan installed extensions for the loadInfo() pattern (POST to user_info and chrome.tabs.create).
  4. Monitor for declarativeNetRequest rules that strip CSP headers.
  5. Educate users to review permissions and revoke third‑party OAuth access via .
  6. Use Chrome Web Store policy enforcement to flag extensions that violate privacy, ads, and data handling rules.

Conclusion

The 108‑extension campaign illustrates how a single malicious infrastructure can weaponize a wide array of seemingly legitimate tools. By combining identity theft, session hijacking, and a persistent backdoor, attackers can maintain long‑term access to victim accounts across multiple services. Prompt removal, network blocking, and user education are essential to mitigate the threat.

Leave a Reply

Looking for the Best Cyber Security?

Seamlessly integrate local and cloud resources with our comprehensive cybersecurity services. Protect user traffic at endpoints using advanced security solutions like threat hunting and endpoint protection. Build a scalable network infrastructure with continuous monitoring, incident response, and compliance assessments.

Contact Us

Copyright © 2025 ESSGroup

Discover more from ESSGroup

Subscribe now to keep reading and get access to the full archive.

Continue reading