108 Chrome Extensions are secretly stealing your account – Are you on the list of victims?

Summary of the campaign

How did 108 independent Chrome extensions – from text translation apps to seemingly harmless minigames – bypass security censorship and silently manipulate over 20,000 browsers? In-depth analysis reveals that all these extensions are fronts, controlled by a single C2 server network operating under a Malware-as-a-Service (MaaS) model. This sophisticated campaign avoids damaging devices to evade detection; instead, it quietly acts like an undercover scout: permanently hijacking Google OAuth identities, periodically “gutting” Telegram Web login sessions every 15 seconds, and directly inserting a backdoor into the victim’s interface. The thought-provoking question for every organization is whether the translation tools or sidebars employees use daily are directly sending internal data to unknown servers. The urgent action now is to review extension installation logs and immediately block the controlling IP range to stop the chain of trust leaks.

145178c9 7799 4688 A2e2 Ed9247b700c6 1777948292

Detection and Scope of Impact

According to the initial analysis, exactly 108 extensions containing malware have been or are being distributed through the Chrome Web Store. Although carefully disguised and released under the names of five independent publishers, including Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt, all these extensions point to a single backend server system. The exploited extensions cover a wide range, targeting all consumer segments: Telegram chat tools in sidebar form, slot machine gambling software, modules for optimizing YouTube/TikTok resolution, multilingual translation tools, and traditional web display extensions. These malicious programs fully mimic the advertised functionality to deceive users, while the criminal modules…

The exploitation process

1d945823 A62b 4505 87bd 4d84026e3e5f 1777948384

Initial Access (T1189 – Drive-by Compromise)

Attackers trick victims into installing seemingly legitimate extensions from the official Chrome Web Store to establish a foothold for internal attacks.

Execution (T1059 – Command and Scripting Interpreter)

As soon as the browser starts, hidden scripts (e.g., loadInfo()) and background runtime are invoked to automatically execute data collection cycles using background installation permissions.

Credential Access (T1539 – Steal Web Session Cookie / T1552 – Unsecured Credentials)

Google Account: The extension sends a webhook to call Google’s OAuth2 API to request permanent profile data (subject ID, email, name).

Telegram Account: The malware actively queries the localStorage variable, periodically extracting the key containing the user_auth parameter of Telegram Web.

43a28e6c 98e6 48de B216 D4a4dd65e0b9 1777948449

Collection (T1114 – Email Collection/Info Theft)

Text translation tools capture all the victim’s language query strings due to their ability to read the text input frame, attach them to the X-Key parameter, and steal them. Every draft and secret message that needs to be copied for translation is recorded.

Command and Control (T1071.001 – Web Protocols)

All data is illicitly transferred via the TLS protocol directly to the subdomains of cloudapi[.]stream. The attacker maintains a strong C2 capable of sending custom HTML parameters, inserting a backdoor that forces the browser to load remote URL code without user intervention.

Command And Control (t1071.001 Web Protocols) 1777948661

Command And Control (t1071.001 Web Protocols) 1777948687

Detailed Technical Analysis

Steal Telegram session periodically

In the group of extensions masquerading as Telegram integration tools (like Telegram Multi-account), the malware injects the target content.js file into the domain https://web.telegram.org/\*. The function getSessionDataJson() scans and exhausts the localStorage area, extracting the web session authentication string and directly transferring it via chrome.runtime.sendMessage().

Steal Telegram Session Periodically 1777948726

The level of manipulation by the C2 reaches unpredictable heights with the webhook command set_session_changed. After intercepting the request, the server deletes the entire current localStorage and inserts a foreign token. This trick aims to force the victim out of their actual account and use the victim’s own browser to log in with a different malicious profile.

Exploiting Google OAuth2 Identification

Instead of attempting phishing for passwords, which carries a high risk of being blocked, 54 extensions in this campaign target Google identity at the infrastructure level. They use the function chrome.identity.getAuthToken to request tokens from users. Once successful, the data sent back to the C2 server includes the permanent sub identifier, along with the email and real name. Collecting the sub index helps the criminals’ CRM cross-reference and ensures they never lose track of the user, even if the victim changes their email later.

Exploiting Google Oauth2 Identification 1777948785

All Client IDs (about 56 IDs) configured for this purpose belong to only 2 Google Cloud projects: 1096126762051 and 170835003632. This fact alone dispels the facade of separation by the five different publisher names.

Universal Backdoor loadInfo()

A critical security vulnerability within internal networks lies in the backdoor feature loadInfo(), spread across at least 45 original background configuration files. When Chrome is about to launch, the malware connects to the C2 address. If the response returns a JSON parameter infoURL, the C2 forces the extension to secretly create a tab and immediately redirect the URL. Source analysis shows loadInfo() often uses a concise async/await technique in minified code format, indicating the insertion of external code rather than from a professional original code source.

Configuration Security Header

Instead of attacking webRequest, five extensions have exploited the declarativeNetRequest API (a feature of Manifest V3, known for being more stringent) to strip protection:

  • Remove the Content-Security-Policy and X-Frame-Options directives from the target website (TikTok, YouTube).
  • Force the Access-Control-Allow-Origin: * parameter.
  • Spoof the User-Agent.

When all barriers have collapsed, the malware uses unsafe DOM-injection with the innerHTML variable. This results in automatically injecting junk HTML code and slot machine ads directly into the user interfaces of YouTube and TikTok.

Command and Control (C2) server infrastructure

The backend sketch of the 108 malware network fully reveals the C2 infrastructure located at Contabo GmbH VPS, IP 144.126.135.238. The server architecture uses Strapi CMS with a PostgreSQL data core, organized by subdomain, following a standard Malware-as-a-Service ecosystem.

  • tg[.]cloudapi[.]stream: Module exfiltration (Endpoint trace with /save_session.php).
  • mines[.]cloudapi[.]stream: Endpoint for Google identification, providing payload /user_info for tab-open backdoor.
  • topup[.]cloudapi[.]stream: Station issuing paid portal.

Command And Control (c2) Server Infrastructure 1777948902

Command And Control (c2) Server Infrastructure 22 1777948922

The main impact of the campaign

Instead of conducting ransomware encryption or system destruction, this campaign of distributing 108 extensions focuses on gathering intelligence and exploiting long-term trust. The direct impact chain includes:

  • Silent corporate data leaks (DLP Bypass): Translation and text processing tools are covertly sending all content handled by employees to the C2. This poses a risk of exposing source code, confidential contracts, and business secrets, which DLP solutions find difficult to detect due to packets being encrypted through Chrome’s standard TLS layer.
  • Widespread Account Takeover (ATO): By stealing OAuth tokens directly and extracting localStorage data from Telegram Web, the attacker maintains a backdoor to access internal resources, completely bypassing two-factor authentication (2FA/MFA). This allows them to turn real identity accounts into bait for future internal phishing campaigns.
  • Exploitation and attack on the local supply chain: With the backdoor loadInfo(), the browsers of tens of thousands of personnel can be commanded by the C2 to open tabs running scripts to DDoS other targets, download OS-level malicious payloads, or simply manipulate displayed content (DOM-injection) to insert financial ads and scams directly onto their work screens.
  • Serious compliance violations: The overall picture reveals significant weaknesses in the organization’s endpoint management (BYOD or lack of Allowlist Extension policy). It threatens strict security standards like ISO 27001 or PCI DSS when devices carry uncontrolled risks.

Expert opinion

The evolution of software in official stores often creates a false sense of security, yet risks are growing in the era of Manifest V3. Many cybersecurity engineers assume that updating Chrome’s Manifest V3 will “patch” malware by eliminating the ability to block/modify webRequest packets. On the contrary, this campaign of 108 extensions clearly demonstrates how hackers have perfectly adapted by exploiting the available API—declarativeNetRequest. They blur the line between content moderation and violating Content-Security-Policy.

In the bigger picture, this is not an isolated act of individual theft but a smooth criminal business process (MaaS). The backend system manages cross-identity (Google Subject ID), builds Telegram Session warehouses, and maintains a separate payment module, illustrating the remarkably organized scale of this hacker group. The critical point for organizations lies in seemingly benign plugins like “Translation tool.” When employees copy and translate regular text (sensitive contracts, code, architectural configurations), they rely on this intermediary channel to silently push data to the hidden /Translation request of the C2. A current Data Loss Prevention (DLP) solution struggles to detect these silent leaks passing through the SSL/HTTPS layer, often mistakenly perceived as a natural application feature.

Recommendation

Immediate (0-24h)

  • Review the DNS filter system, EDR, and web proxy firewall, and ensure the addition of rules to completely deny and block inbound/outbound traffic with domains *.cloudapi[.]stream, top[.]rodeo, and IP 144.126.135.238.
  • Initiate a centralized scan from Endpoint Manager or Active Directory on all devices. Force uninstall if a match is found with the extension ID strings in the whitelist. Simultaneously, force logout (revoke credentials) for any suspicious sessions working with Google.

Short-term (1-7 days)

  • Develop SIEM Correlation Rules to hunt for unusual actors, especially user-agent groups with a strong connection history to web.telegram.org or https://www.googleapis.com/oauth2/v3/userinfo not originating from the main Desktop/Web App.
  • Establish a process to clear caches and local tokens for suspicious users.

Long-term

  • Switch entirely from a passive “Blocklist” model to an active “Allowlist” for all extensions operating on devices. The company should approve only plugins from publishers with a trust tier and a publicly available patch repository. Block any interference from extensions to internal domains.

MITRE ATT&CK

  • T1176 – Browser Extensions
  • T1539 – Steal Web Session Cookie
  • T1528 – Steal Application Access Token
  • T1041 – Exfiltration Over C2 Channel
  • T1071.001 – Application Layer Protocol: Web Protocols
  • T1027 – Obfuscated Files or Information
  • T1185 – Browser Session Hijacking

Indicators of Compromise (IOCs)

Email address

  • kiev3381917@gmail[.]com
  • formatron.service@gmail[.]com
  • nashprom.info@gmail[.]com
  • viktornadiezhdin@gmail[.]com
  • support@top[.]rodeo
  • slava.nadejdin.kiev@gmail[.]com
  • nadejdinv@gmail[.]com

Publisher name

  • Yana Project
  • GameGen
  • SideGames
  • Rodeo Games
  • InterAlt

Project Credentials

  • Google Cloud Project: 1096126762051
  • Google Cloud Project: 170835003632

Network Indicators

  • cloudapi[.]stream
  • tg[.]cloudapi[.]stream
  • mines[.]cloudapi[.]stream
  • topup[.]cloudapi[.]stream
  • cdn[.]cloudapi[.]stream
  • multiaccount[.]cloudapi[.]stream
  • wheel[.]cloudapi[.]stream
  • gamewss[.]cloudapi[.]stream
  • api[.]cloudapi[.]stream
  • chat[.]cloudapi[.]stream
  • crm[.]cloudapi[.]stream
  • top[.]rodeo
  • metal[.]cloudapi[.]stream
  • 144[.]126[.]135[.]238
  • coin-miner[.]cloudapi[.]stream
  • goldminer[.]cloudapi[.]stream
  • herculessportslegend[.]cloudapi[.]stream

C2 Endpoints

  • tg[.]cloudapi[.]stream/save_session.php
  • tg[.]cloudapi[.]stream/count_sessions.php
  • tg[.]cloudapi[.]stream/get_sessions.php
  • tg[.]cloudapi[.]stream/get_session.php
  • tg[.]cloudapi[.]stream/delete_session.php
  • tg[.]cloudapi[.]stream/save_title.php
  • mines[.]cloudapi[.]stream/auth_google
  • mines[.]cloudapi[.]stream/user_info
  • mines[.]cloudapi[.]stream/slot_test/
  • api[.]cloudapi[.]stream:8443/Register
  • api[.]cloudapi[.]stream:8443/Translation
  • top[.]rodeo/server/remote.php
  • top[.]rodeo/server/remote3.php
  • top[.]rodeo/notify.php
  • cloudapi[.]stream/install/
  • cloudapi[.]stream/uninstall/

Chrome Extension IDs

  1. obifanppcpchlehkjipahhphbcbjekfa – Telegram Multi-account
  2. mdcfennpfgkngnibjbpnpaafcjnhcjno – Web Client for Telegram – Teleside
  3. mmecpiobcdbjkaijljohghhpfgngpjmk – YouSide – Youtube Sidebar
  4. bfoofgelpmalhcmedaaeogahlmbkopfd – Web Client for Youtube – SideYou
  5. cbfhnceafaenchbefokkngcbnejached – Web Client for TikTok
  6. ogogpebnagniggbnkbpjioobomdbmdcj – Text Translation
  7. ldmnhdllijbchflpbmnlgndfnlgmkgif – Page Locker
  8. lnajjhohknhgemncbaomjjjpmpdigedg – Page Auto Refresh
  9. aecccajigpipkpioaidignbgbeekglkd – Web Client for Rugby Rush – SideGame
  10. akebbllmckjphjiojeioooidhnddnplj – Formula Rush Racing Game
  11. akifdnfipbeoonhoeabdicnlcdhghmpn – Piggy Prizes – Slot Machine
  12. akkkopcadaalekbdgpdikhdablkgjagd – Slot Arabian
  13. alkfljfjkpiccfgbeocbbjjladigcleg – Frogtastic
  14. alllblhkgghelnejlggmmgjbkdabidie – Black Beard Slot Machine
  15. amkkjdjjgiiamenbopfpdmjcleecjjgg – Indian – Slot Machine
  16. amnaljnjmgajgajelnplfmidgjgbjfhe – Mahjong Deluxe
  17. bbjdlbemjklojnbifkgameepcafflmem – Crazy Freekick
  18. bdnanfggeppmkfhkgmpojkhanoplkacc – Slot Car Racing
  19. bgdkbjcdecedfoejdfgeafdodjgfohno – Clear Cache Plus
  20. bnchgibgpgmlickioneccggfobljmhjc – Galactica Delux – Slot Machine
  21. bpljfbcejldmgeoodnogeefaihjdgbam – Speed Test for Chrome – WiFi SpeedTest
  22. cbnekafldflkmngbgmbnfmchjaelnhem – Game SkySpeedster
  23. cdpiopekjeonfjeocbfebemgocjciepp – Master Chess
  24. cehdkmmfadpplgchnbjgdngdcjmhlfcc – Hockey Shootout
  25. cljengcehefhflhoahaambmkknjekjib – Odds Of The Gods – Slot Machine
  26. clpgopiimdjcilllcjncdkoeikkkcfbi – Billiards Pro
  27. cmeoegkmpbpcoabhlklbamfeidebgmdf – Three Card Poker
  28. cmlbghnlnbjkdgfjlegkbjmadpbmlgjb – Donuts – Slot Machine
  29. cnibdhllkgidlgmaoanhkemjeklneolk – Archer – Slot Machine
  30. cpnfioldnmhaihohppoaebillnambcgn – Rugby Rush
  31. dbohcpohlgnhgjmfkakoniiplglpfhcb – Bingo
  32. dcamdpfclondppklabgkfaofjccpioil – Web Client for game Cricket Batter Challenge
  33. dljlpildgknddpnahppkihgodokfjbnd – Slot Machine Zeus Treasures
  34. dlpiookhionidajbiopmaajeckifeehn – Horse Racing
  35. dmaibhbbpmdihedidicfeigilkbobcog – Aztec – Slot Machine
  36. dohenclhhdfljpjlnpjnephpccbdgmmb – Straight 4
  37. dpdemambcedffmnkfmkephnhhnclmcio – Slot The Gold Pot
  38. ejlcbfmhjbkgohopdkijfgggbikgbacb – American Roulette Royale
  39. eljfpgehlncincemdmmnebmnlcmfamhm – Asia Slot
  40. enmmilgindjmffoljaojkcgloakmloen – Web Client for game Drive Your Car
  41. eoklnfefipnjfeknpmigmogeeepddcch – Jurassic Giants – Slot Machine
  42. fddajeklkkggbnppabbhkdmnkdjindlo – Street Basketball
  43. fibgndhgobbaaekmnneapojgkcehaeac – Tarot Side Panel
  44. fjfhejmbhpabkacpoddjbcfandjoacmb – Dragon Slayer – Slot Machine
  45. flkdjodmoefccepdihipjdlianmkmhgc – Best Blackjack
  46. fmajpchoiahphjiligpmghnhmabolhoh – Book Of Magic – Slot Machine
  47. gaafhblhbnkekenogcjniofhbicchlke – Snake – Slot Machine
  48. gbaoddbbpompjhmilbgiaapkkakldlpc – Dice King – Classic Craps And Roll Game
  49. gbhhgipmedccnankkjchgcidiigmioio – Slot Ramses
  50. gfhcdakcnpahfdealajmhcapnhhablbp – Battleship War
  51. gipmochingljoikdjakkdolfcbphmlom – Gold Miner 2
  52. glofhphmolanicdaddgkmhfmjidjkaem – Greyhound Racing – Dog Race Simulator
  53. haochenfmhglpholokliifmlpafilfdc – Hercules: Sports Legend
  54. hbobdcfpgonejphpemijgjddanoipbkj – Flicking Soccer
  55. hdmppejcahhppjhkncagagopecddokpi – Voodoo Magic – Slot Machine
  56. heljkmdknlfhiecpknceodpbokeipigo – Web Client for Hockey Shootout – SideGame
  57. hiofkndodabpioiheinoiojjobadpgmj – MASTER CHECKERS
  58. hkbihmjhjmehlocilifheeaeiljabenb – Watercraft Rush
  59. hlmdnedepbbihmbddepemmbkenbnoegd – Car Rush
  60. hmlnefhgicedcmebmkjdcogieefbaagl – Video Poker Deuces Wild
  61. hnpbijogiiaegambgpaenjbcbgaeimlf – Slot Machine Ultimate Soccer
  62. ibelidmkbnjmmpjgfibbdbkamgcbnjdm – Christmas Eve – Slot Machine
  63. ihbkmfoadnfjgkpdmgcboiehapkiflme – Columbus Voyage – Slot Machine
  64. ijccacgjefefdpglhclnbpfjlcbagafm – High or Low Casino Game
  65. ijfmkphjcogaealhjgijjfjlkpdhhojk – Goalkeeper Challenge
  66. ijpgccpmogehkjhdmomckpkfcpbjlmnj – Tropical Beach – Slot Machine
  67. imjmnghlhiimodfkdkgnfplhlobehnpm – BlackJack 3D
  68. jddinhnhplibccfmniaakhffpjpnaglp – Web Client for game Classic Bowling
  69. jmopjanoebpdbopigcbpjhiigmjolikk – Raging Zeus Mines
  70. jnmmbmkmbkcccpihjgnhjmhhkokfdnfe – Classic Backgammon
  71. jodocbbdcdclkhjkibnlfhbmllcpfkfo – Slot Machine The Fruits
  72. kahcolfecjbejjjadhjafmihdnifonjf – Baccarat
  73. kblomapfkjidbbbdllmofkcakcenkmec – Mini Golf World
  74. kbmindomjiejdikjaagfdbdfpnlanobi – Gold Rush – Slot Machine
  75. kbnkkecifeppobnemkielnpagifkobki – Pirat Slot
  76. kjnakdbpijigdbfepipnbafnhbcfdkga – 40 Imperial Crown – Slot Machine
  77. kknakidneabpfgepadgpkibalcnabnnh – 3D Soccer Slot Machine
  78. klglejfbdeipgklgaepnodpjcnhaihkd – Premium Horse Racing
  79. kmiidcaojgeepjlccoalkdimgpfnbagj – Tanks Game
  80. lcijkepobdokkgmefebkiejhealgblle – Caribbean Stud Poker
  81. lefndgfmmbdklidbkeifpgclmpnhcilg – Wild Buffalo – Slot Machine
  82. lfkknbmaifjomagejflmjklcmpadmmdg – Aqua – Slot Machine
  83. ljbgkfbiifhpgpipepnfefijldolkhlm – Game Crypto Merge
  84. lmcpbhamfpbonaenickjclacodolkbdl – Sherwood Forest – Slot Machine
  85. lmgenhmehbcolpikplhkoelmagdhoojn – Web Client for game Fatboy Dream
  86. maeccdadgnadblfddcmanhpofobhgfme – Lone Star Jackpots – Slot Machine
  87. medkneifmjcpgmmibfppjpfjbkgbgebl – Hidden Kitty Game
  88. mheomooihiffmcgldolenemmplpgoahn – Keno
  89. mmbbjakjlpmndjlbhihlddgcdppblpka – Jokers Bonanza – Slot Machine
  90. mmbkmjmlnhocfcnjmbchmflamalekbnb – Penalty Kicks
  91. nbgligggjfgkpphhghhjdoiefbimgooc – Pai Gow Poker
  92. ncpdkpcgmdhhnmcjgiiifdhefmekdcnf – Metal Calculator
  93. ndajcmifndknmkckdcdefkpgcodciggk – Farm – Slot Machine
  94. nelbpdjegmhhgpfcjclhdmkcglimkjpp – Rail Maze Puzzle
  95. nkacmelgoeejhjgmmgflbcdhonpaplcg – RED DOG CARD GAME
  96. nmegibgeklckejdlfhoadhhbgcdjnojb – Coin Miner 2
  97. nodobilhjanebkafmpihkpoabiggnnfl – Black Ninja – Slot Machine
  98. oanpifaoclmgmflmddlgkikfaggejobn – Pyramid Solitaire
  99. ocflhkadmmnlbieoiiekfcdcmjcfeahe – Chrome Client for Downhill Ski – SideGame
  100. odeccdcabdffpebnfancpkepjeecempn – Slot Machine Mr Chicken
  101. oejhnncfanbaogjlbknmlgjpleachclf – Web Client for French Roulette – SideGame
  102. ogbaedmbbmmipljceodeimlckohbnfan – 3D Roulette Casino Game
  103. ojkbafekojdcedacileemekjdfdpkbkf – Slot Machine Space Adventure
  104. pdgaknahllnfldmclpcllpieafkaibmf – Whack ’em All
  105. peflgkmfmoijonfgcjdlpnnfdegnlaji – Video Poker Jacks or Better
  106. phfkdailnomcbcknpdmokejhellbecjb – Swimming Pro
  107. pkghgkfjhjghinikeanecbgjehojfhdg – InterAlt
  108. pllkanemicadpcmkfodglahcocfdgkhj – Gold of Egypt – Slot Machine

Reference

https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2
https://arstechnica.com/security/2025/04/researcher-uncovers-dozens-of-sketchy-chrome-extensions-with-4-million-installs/

 

Exclusive article by an expert from FPT Corporation

Luu Tuan Anh – FPT Information Security Center

Share:
Avatar

FPT IS

Img Contact

Sign up to receive the latest news from FPT IS

    Bot Avatar