
Since February 2024, the Chrome Web Store has been hosting malicious browser extensions disguised as useful utilities, which in reality are designed to steal data, hijack sessions, and execute arbitrary code. These extensions, crafted by an unidentified group, target users seeking productivity tools, VPN services, financial and crypto platforms, as well as media analysis and creation utilities.
According to intelligence from the DomainTools team, the threat actors have built counterfeit websites that visually mimic legitimate services such as DeepSeek, Manus, DeBank, FortiVPN, and Site Stats. These decoy pages send visitors to the malicious extensions' listings on the Chrome Web Store, where the extensions appear to work as advertised. Beneath the surface, however, they steal cookies and login credentials, inject advertisements, redirect traffic to attacker-controlled domains, and alter page content through DOM tampering.
The danger is compounded by the excessive privileges declared in the extensions' manifest.json files. Those declarations give the extensions access to every website the user visits, and the extension code uses that access to download and execute arbitrary code from remote servers, route traffic over WebSocket connections, and bypass the page's Content Security Policy by abusing onreset event handlers attached to short-lived DOM elements.
The precise method by which users arrive at these malicious sites remains unclear, though it is presumed that classic vectors such as phishing emails, online advertisements, and social media links are being employed. DomainTools has noted the presence of Facebook tracking pixels on these sites, suggesting that promotion may also be occurring via Meta platforms, through pages, groups, and sponsored ad campaigns.
Despite Google’s efforts to purge these malicious extensions from the store, the attackers retain a vast and resilient infrastructure: over 100 fraudulent websites linked to their network of extensions. By leveraging these sites and the perceived legitimacy of the Chrome Web Store itself, they manage to appear in search results both on the open web and within the extension marketplace—fostering an illusion of authenticity.
Users are strongly advised to install extensions only from trusted developers, carefully review user feedback, scrutinize requested permissions, and avoid add-ons whose names or logos closely resemble well-known products but differ subtly in detail.
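One way to apply the permission-review advice above, and to spot the over-privileged manifest.json shape described earlier, is to triage the manifest mechanically rather than by eye. The following is an added example written for this page, not code from DomainTools, Google, or the extensions discussed; the list of risky permissions, the severity rule, and both sample manifests are constructed for illustration.

```javascript
// Added example: triage a Chrome extension manifest.json for the over-privileged
// pattern described above. Illustrative code written for this page, not code from
// DomainTools or from the malicious extensions; the permission list, severity rule
// and sample manifests are this example's own assumptions.

const RISKY_PERMISSIONS = {
  cookies: "read and write cookies on every granted host (session hijacking)",
  scripting: "inject scripts and CSS into pages (DOM tampering, credential capture)",
  webRequest: "observe every request on granted hosts",
  webRequestBlocking: "modify, block or redirect requests (Manifest V2)",
  declarativeNetRequestWithHostAccess: "rewrite or redirect requests on granted hosts",
  tabs: "read the URL and title of every open tab",
  webNavigation: "track every navigation",
  proxy: "route all browser traffic through a chosen proxy",
  debugger: "attach the DevTools protocol to any tab",
  nativeMessaging: "exchange messages with native host binaries",
};

// Permissions that, together with broad host access, make session theft practical.
const SESSION_THEFT_PERMISSIONS = new Set([
  "cookies", "scripting", "webRequest", "webRequestBlocking", "declarativeNetRequestWithHostAccess",
]);

const BROAD_HOST_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Host match patterns can appear in MV3 host_permissions, as MV2-style entries in
// permissions, and in content_scripts[].matches; collect all three.
function collectHostPatterns(manifest) {
  const hosts = new Set(manifest.host_permissions || []);
  for (const p of manifest.permissions || []) {
    if (p === "<all_urls>" || p.includes("://")) hosts.add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return hosts;
}

function triageManifest(manifest) {
  const findings = [];
  const perms = new Set(manifest.permissions || []);

  for (const p of perms) {
    if (RISKY_PERMISSIONS[p]) findings.push({ item: `permission ${p}`, why: RISKY_PERMISSIONS[p] });
  }

  const broadHosts = [...collectHostPatterns(manifest)].filter((h) => BROAD_HOST_PATTERNS.has(h));
  for (const h of broadHosts) {
    findings.push({ item: `host pattern ${h}`, why: "runs on or reads every site the user visits" });
  }

  // content_security_policy is a string in MV2 and an object keyed by context in MV3.
  // Chrome rejects 'unsafe-eval' and remote script-src in MV3 extension_pages, so these
  // two checks mostly matter for MV2 manifests.
  const csp = manifest.content_security_policy;
  const cspText = typeof csp === "string" ? csp : csp ? Object.values(csp).join("; ") : "";
  if (cspText.includes("'unsafe-eval'")) {
    findings.push({ item: "CSP 'unsafe-eval'", why: "extension pages may eval() code fetched at runtime" });
  }
  if (/script-src[^;]*https?:\/\//.test(cspText)) {
    findings.push({ item: "CSP remote script-src", why: "extension pages may load script from a remote origin" });
  }

  // Severity labels are this example's own convention: broad host access combined with
  // a cookie/scripting/request-rewriting permission is the shape described in the article.
  const sessionTheftCapable =
    broadHosts.length > 0 && [...perms].some((p) => SESSION_THEFT_PERMISSIONS.has(p));
  const severity = sessionTheftCapable ? "high" : findings.length > 0 ? "medium" : "low";
  return { severity, sessionTheftCapable, findings };
}

// Constructed manifest mirroring the over-privileged shape described above
// (invented name and values, not a real listing).
const SUSPECT_MANIFEST = {
  manifest_version: 3,
  name: "Site Stats Helper",
  permissions: ["cookies", "scripting", "tabs", "webRequest", "storage"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }],
};

// Constructed benign manifest for contrast.
const BENIGN_MANIFEST = {
  manifest_version: 3,
  name: "Word Counter",
  permissions: ["activeTab", "storage"],
  content_scripts: [{ matches: ["https://docs.example.com/*"], js: ["count.js"] }],
};

console.log(JSON.stringify(triageManifest(SUSPECT_MANIFEST), null, 2));
console.log(JSON.stringify(triageManifest(BENIGN_MANIFEST), null, 2));
```

Run it with node to see the two verdicts. To check an extension that is already installed, point `triageManifest` at the JSON read from the Chrome profile's Extensions/<extension id>/<version>/manifest.json. The output describes capability, not intent: password managers and ad blockers legitimately need broad host access, so a "high" result is a prompt to look at the developer, the reviews, and what the extension actually does with the access, not a verdict on its own.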