108 Chrome Extensions are secretly stealing your account – Are you on the list of victims?

Summary of the campaign

How did 108 separate Chrome extensions, from text translators to seemingly harmless mini-games, pass Chrome Web Store review and silently take control of more than 20,000 browsers? In-depth analysis shows that every one of them is a front, controlled by a single C2 server network operating under a Malware-as-a-Service (MaaS) model. The campaign avoids damaging devices in order to evade detection; instead it behaves like an undercover scout: permanently hijacking Google OAuth identities, re-reading and exfiltrating Telegram Web login sessions every 15 seconds, and inserting a backdoor directly into the victim's browser. The question every organization should ask is whether the translation tools or sidebars its employees use every day are sending internal data to unknown servers. The urgent action is to review extension installation logs and block the controlling IP range immediately to stop the chain of trust leaks.

Detection and Scope of Impact

According to the initial analysis, exactly 108 extensions containing malicious code have been or are being distributed through the Chrome Web Store. Although carefully disguised and published under the names of five apparently independent publishers (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), all of them report to a single backend server system. The extensions span a wide range aimed at every consumer segment: sidebar-style Telegram chat tools, slot-machine gambling games, modules for optimizing YouTube/TikTok resolution, multilingual translation tools, and conventional web-display extensions. Each one fully delivers the advertised functionality to deceive users, while the malicious modules...

The exploitation process

Initial Access (T1189 - Drive-by Compromise)

Attackers lure victims into installing seemingly legitimate extensions from the official Chrome Web Store, establishing a foothold inside the browser for the subsequent attack stages.

Execution (T1059 - Command and Scripting Interpreter)

As soon as the browser starts, hidden scripts (e.g., loadInfo()) and the background runtime are invoked, using the extension's background permissions to run data-collection cycles automatically.

Credential Access (T1539 - Steal Web Session Cookie / T1552 - Unsecured Credentials)

Google Account: The extension calls Google's OAuth2 API to obtain permanent profile data (subject ID, email, name).

Telegram Account: The malware actively reads localStorage, periodically extracting the key containing Telegram Web's user_auth parameter.

Collection (T1114 - Email Collection/Info Theft)

Text-translation tools can read the text input field, so they capture every query string the victim submits, attach it to the X-Key parameter, and exfiltrate it. Every draft and private message copied in for translation is recorded.

Command and Control (T1071.001 - Web Protocols)

All data is exfiltrated over TLS directly to subdomains of cloudapi[.]stream. The attacker maintains a capable C2 that can send custom HTML parameters and insert a backdoor forcing the browser to load code from a remote URL without any user interaction.

Detailed Technical Analysis

Steal Telegram session periodically

In the group of extensions posing as Telegram integration tools (such as Telegram Multi-account), the malware injects its content.js into the domain https://web.telegram.org/*. The function getSessionDataJson() enumerates the entire localStorage area, extracts the web session authentication string, and hands it off directly via chrome.runtime.sendMessage().

The C2's degree of control becomes striking with the webhook command set_session_changed. On the server's instruction, the extension wipes the entire current localStorage and inserts a foreign token. The trick forces the victim out of their real account and uses the victim's own browser to log in with a different, attacker-controlled profile.

Exploiting Google OAuth2 Identification

Instead of phishing for passwords, which carries a high risk of being blocked, 54 extensions in this campaign target Google identity at the infrastructure level. They call chrome.identity.getAuthToken to request a token from the user. Once granted, the data sent back to the C2 includes the permanent sub identifier together with the email address and real name. Collecting sub lets the criminals' CRM cross-reference records and never lose track of a user, even if the victim later changes their email address.

All of the OAuth Client IDs configured for this purpose (about 56) belong to just two Google Cloud projects, 1096126762051 and 170835003632. This fact alone dispels the facade of separation created by the five publisher names.

Universal Backdoor loadInfo()

A critical risk for internal networks is the backdoor feature loadInfo(), present in at least 45 of the original background configuration files. When Chrome launches, the malware connects to the C2 address; if the response contains a JSON parameter infoURL, the extension silently creates a tab and immediately redirects it to that URL. Source analysis shows that loadInfo() usually appears as terse async/await code in minified form, which points to externally inserted code rather than the work of the original developer.
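To turn the Telegram, OAuth and loadInfo() traits described above into a repeatable check, here is an added triage script (not code from the campaign or this report) that inspects an unpacked extension's manifest and background script. It assumes Google OAuth client IDs take the form <project-number>-<suffix>.apps.googleusercontent.com, and the sample manifest it runs on is constructed.

```python
"""Manifest triage for the traits this campaign's extensions share.

Added example, not code from the campaign or the page: flags (a) an
oauth2.client_id whose Google Cloud project number is one of the two named
above, (b) a content script injected into web.telegram.org, (c) host
permissions reaching the C2 domains, and (d) a background script that both
reads an infoURL field and opens tabs.
"""
import re

KNOWN_PROJECTS = {"1096126762051", "170835003632"}   # project numbers from the report
C2_SUFFIXES = ("cloudapi.stream", "top.rodeo")       # C2 domains from the report
# Assumption: client IDs look like <project-number>-<suffix>.apps.googleusercontent.com
CLIENT_ID_RE = re.compile(r"^(\d+)-[a-z0-9]+\.apps\.googleusercontent\.com$")
MATCH_HOST_RE = re.compile(r"^[a-z*]+://([^/]+)/")   # host part of a match pattern

def project_number(client_id):
    """Google Cloud project number embedded in an OAuth client ID, or None."""
    m = CLIENT_ID_RE.match(client_id or "")
    return m.group(1) if m else None

def host_of(pattern):
    """Host of a match pattern such as '*://*.example.com/*' (pattern itself if unparsable)."""
    m = MATCH_HOST_RE.match(pattern)
    return m.group(1) if m else pattern

def is_c2_host(host):
    """True for a C2 domain or any subdomain; label-wise so notcloudapi.stream is not hit."""
    host = host.lower().lstrip("*.")
    return any(host == s or host.endswith("." + s) for s in C2_SUFFIXES)

def triage(manifest, background_src=""):
    """Return a list of human-readable findings for one unpacked extension."""
    findings = []
    proj = project_number(manifest.get("oauth2", {}).get("client_id"))
    if proj in KNOWN_PROJECTS:
        findings.append(f"oauth2 client_id belongs to known project {proj}")
    if any("web.telegram.org" in host_of(p)
           for cs in manifest.get("content_scripts", []) for p in cs.get("matches", [])):
        findings.append("content script injected into web.telegram.org")
    perms = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    c2 = sorted({host_of(p) for p in perms if "://" in p and is_c2_host(host_of(p))})
    if c2:
        findings.append("host permission reaches C2 domain: " + ", ".join(c2))
    if "infoURL" in background_src and "chrome.tabs.create" in background_src:
        findings.append("background script opens a tab from a remote infoURL")
    return findings

# Constructed sample (not a real extension's manifest) that exercises every check.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Example Sidebar",
    "oauth2": {"client_id": "1096126762051-abc123def456.apps.googleusercontent.com",
               "scopes": ["openid", "email", "profile"]},
    "permissions": ["identity", "storage"],
    "host_permissions": ["*://*.cloudapi.stream/*", "https://web.telegram.org/*"],
    "content_scripts": [{"matches": ["https://web.telegram.org/*"], "js": ["content.js"]}],
}
SAMPLE_BACKGROUND = "const j=await r.json();if(j.infoURL){chrome.tabs.create({url:j.infoURL})}"

if __name__ == "__main__":
    for line in triage(SAMPLE_MANIFEST, SAMPLE_BACKGROUND):
        print("-", line)
```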

Breaking Through Security Headers via Configuration

Rather than attacking through webRequest, five extensions abuse the declarativeNetRequest API (a Manifest V3 feature regarded as more restrictive) to strip protections:

  • Remove the Content-Security-Policy and X-Frame-Options headers from the target websites (TikTok, YouTube).

  • Force the Access-Control-Allow-Origin: * header.

  • Spoof the User-Agent.

With those barriers removed, the malware performs unsafe DOM injection through innerHTML, automatically inserting junk HTML and slot-machine ads directly into the YouTube and TikTok user interfaces.
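As an added example (not code from the page or the campaign), the following audit parses the JSON rule file an MV3 extension references under declarative_net_request.rule_resources and flags exactly the header manipulations listed above; the sample rule file is constructed.

```python
"""Audit an MV3 extension's declarativeNetRequest rules for header stripping.

Added example, not from the page or the campaign: flags modifyHeaders rules
that remove Content-Security-Policy or X-Frame-Options, force
Access-Control-Allow-Origin: *, or rewrite User-Agent.
"""
import json

PROTECTIVE_RESPONSE_HEADERS = {"content-security-policy", "x-frame-options"}

def audit_rules(rules):
    """Return (rule id, finding) pairs for rules that weaken a site's protections."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue                    # block/redirect/allow rules are out of scope here
        cond = rule.get("condition", {})
        scope = cond.get("urlFilter") or cond.get("regexFilter") or "<all urls>"
        for h in action.get("responseHeaders", []):
            name, op = h.get("header", "").lower(), h.get("operation")
            if name in PROTECTIVE_RESPONSE_HEADERS and op == "remove":
                findings.append((rule["id"], f"removes {name} on {scope}"))
            elif (name == "access-control-allow-origin" and op in ("set", "append")
                  and h.get("value") == "*"):
                findings.append((rule["id"], f"forces Access-Control-Allow-Origin: * on {scope}"))
        for h in action.get("requestHeaders", []):
            if h.get("header", "").lower() == "user-agent" and h.get("operation") == "set":
                findings.append((rule["id"], f"spoofs User-Agent on {scope}"))
    return findings

def audit_rules_json(text):
    """Convenience wrapper for the raw contents of a rule_resources JSON file."""
    return audit_rules(json.loads(text))

# Constructed sample rule file: rules 1 and 2 mirror the behaviour described above,
# rule 3 is an ordinary ad-blocking rule that must not be flagged.
SAMPLE_RULES = """[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders", "responseHeaders": [
      {"header": "Content-Security-Policy", "operation": "remove"},
      {"header": "X-Frame-Options", "operation": "remove"},
      {"header": "Access-Control-Allow-Origin", "operation": "set", "value": "*"}]},
   "condition": {"urlFilter": "||youtube.com", "resourceTypes": ["main_frame", "sub_frame"]}},
  {"id": 2, "priority": 1,
   "action": {"type": "modifyHeaders", "requestHeaders": [
      {"header": "User-Agent", "operation": "set", "value": "Mozilla/5.0 (constructed)"}]},
   "condition": {"urlFilter": "||tiktok.com", "resourceTypes": ["xmlhttprequest"]}},
  {"id": 3, "priority": 1, "action": {"type": "block"},
   "condition": {"urlFilter": "||ads.example.test/", "resourceTypes": ["script"]}}
]"""

if __name__ == "__main__":
    for rule_id, finding in audit_rules_json(SAMPLE_RULES):
        print(f"rule {rule_id}: {finding}")
```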

Command and Control (C2) server infrastructure

Mapping the backend of the 108-extension network fully exposes the C2 infrastructure: a Contabo GmbH VPS at IP 144.126.135.238. The server runs Strapi CMS on a PostgreSQL database, organized by subdomain in the manner of a standard Malware-as-a-Service ecosystem.

  • tg[.]cloudapi[.]stream: Telegram session exfiltration module (endpoints such as /save_session.php).

  • mines[.]cloudapi[.]stream: Google identity endpoint; its /user_info payload also serves the tab-opening backdoor.

  • topup[.]cloudapi[.]stream: Payment (top-up) portal.

The main impact of the campaign

Rather than ransomware encryption or system destruction, this 108-extension campaign focuses on gathering intelligence and exploiting long-term trust. The direct impact chain includes:

  • Silent corporate data leaks (DLP bypass): Translation and text-processing tools covertly send everything employees process through them to the C2. Source code, confidential contracts, and trade secrets are exposed, and DLP solutions struggle to detect it because the traffic is encrypted inside Chrome's ordinary TLS sessions.

  • Widespread Account Takeover (ATO): By stealing OAuth tokens directly and extracting Telegram Web's localStorage data, the attacker keeps a backdoor into internal resources that bypasses two-factor authentication (2FA/MFA) entirely, and can turn genuine identity accounts into bait for future internal phishing campaigns.

  • Local supply-chain exploitation: Through the loadInfo() backdoor, the browsers of tens of thousands of staff can be commanded by the C2 to open tabs running scripts that DDoS other targets, download OS-level malicious payloads, or simply manipulate displayed content (DOM injection) to place financial ads and scams directly on work screens.

  • Serious compliance violations: The overall picture reveals significant weaknesses in endpoint management (BYOD or the lack of an extension allowlist policy), threatening strict standards such as ISO 27001 or PCI DSS when devices carry uncontrolled risk.

Expert opinion

Software in official stores often creates a false sense of security, and the risks are growing in the Manifest V3 era. Many security engineers assume that the move to Manifest V3 "patches" malware by removing the ability to block or modify requests through webRequest. On the contrary, this 108-extension campaign shows how attackers have adapted by exploiting the API that remains available, declarativeNetRequest, blurring the line between content moderation and the violation of Content-Security-Policy.

In the bigger picture, this is not isolated theft by individuals but a smooth criminal business process (MaaS). The backend manages cross-identity records (Google Subject ID), builds warehouses of Telegram sessions, and maintains a separate payment module, which shows how organized this group is. The critical point for organizations is the seemingly benign plugin such as a "Translation tool": when employees copy and translate ordinary text (sensitive contracts, code, architecture configuration), that intermediary channel silently pushes the data to the C2's hidden /Translation endpoint. Current Data Loss Prevention (DLP) solutions struggle to detect these silent leaks inside the SSL/HTTPS layer, which are easily mistaken for a normal application feature.

Recommendation

Immediate (0-24h)

  • Review the DNS filtering system, EDR, and web proxy/firewall, and add rules that completely deny inbound and outbound traffic to and from the domains *.cloudapi[.]stream and top[.]rodeo and the IP 144.126.135.238.

  • Launch a centralized scan from Endpoint Manager or Active Directory across all devices and force-uninstall any extension whose ID matches the campaign's extension IDs. At the same time, force logout (revoke credentials) for any suspicious sessions with Google.
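An added helper (not tooling from the page) for the endpoint-scan step above: it derives each installed extension's ID from Chrome's on-disk Extensions layout and matches it against a blocklist. The blocklist entry is a placeholder to be replaced with the campaign's published IDs, and the profile locations are assumed default install paths.

```python
"""Locate blocklisted extension IDs in local Chrome profiles.

Added example, not tooling from the page: Chrome unpacks every installed
extension to <profile>/Extensions/<32-char id>/<version>/manifest.json, so
the ID can be read from the path without parsing anything. BLOCKLIST holds
a constructed placeholder; a real run loads the campaign's published ID list.
"""
import glob
import os
import re
from pathlib import Path

ID_RE = re.compile(r"^[a-p]{32}$")   # Chrome extension IDs use the letters a-p only
BLOCKLIST = {"a" * 32}               # placeholder, not a real campaign ID

def extension_id_from_path(manifest_path):
    """Return the ID encoded in an .../Extensions/<id>/<version>/manifest.json path."""
    parts = Path(manifest_path).parts
    if len(parts) >= 4 and parts[-1] == "manifest.json" and parts[-4] == "Extensions":
        return parts[-3] if ID_RE.match(parts[-3]) else None
    return None

def match_blocklist(manifest_paths, blocklist=BLOCKLIST):
    """Map each blocklisted ID found to the manifest paths where it is installed."""
    hits = {}
    for path in manifest_paths:
        ext_id = extension_id_from_path(path)
        if ext_id in blocklist:
            hits.setdefault(ext_id, []).append(str(path))
    return hits

def profile_roots():
    """Chrome user-data directories on Windows, macOS and Linux (assumed defaults)."""
    home = Path.home()
    return [Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data",
            home / "Library" / "Application Support" / "Google" / "Chrome",
            home / ".config" / "google-chrome"]

def scan_local(blocklist=BLOCKLIST):
    """Glob every profile's Extensions tree and report blocklisted installs."""
    paths = []
    for root in profile_roots():
        paths += glob.glob(str(root / "*" / "Extensions" / "*" / "*" / "manifest.json"))
    return match_blocklist(paths, blocklist)

if __name__ == "__main__":
    for ext_id, where in scan_local().items():
        print(f"{ext_id}: {', '.join(where)}")
```

Run it under the user's own account so the per-user profile directories are readable, or feed match_blocklist() paths collected by your endpoint manager.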

Short-term (1-7 days)

  • Develop SIEM correlation rules to hunt for unusual actors, especially user-agent groups with a strong history of connections to web.telegram.org or https://www.googleapis.com/oauth2/v3/userinfo that do not originate from the main desktop or web app.

  • Establish a process to clear caches and local tokens for suspicious users.

Long-term

  • Move entirely from a passive blocklist model to an active allowlist for all extensions running on company devices. Approve only plugins from publishers in a trusted tier with a publicly available patch repository, and block extensions from interacting with internal domains.

MITRE ATT&CK

  • T1176 - Browser Extensions

  • T1539 - Steal Web Session Cookie

  • T1528 - Steal Application Access Token

  • T1041 - Exfiltration Over C2 Channel

  • T1071.001 - Application Layer Protocol: Web Protocols

  • T1027 - Obfuscated Files or Information

  • T1185 - Browser Session Hijacking

Indicators of Compromise (IOCs)

Publisher name

  • Yana Project

  • GameGen

  • SideGames

  • Rodeo Games

  • InterAlt

Project Credentials

  • Google Cloud Project: 1096126762051

  • Google Cloud Project: 170835003632

FPT IS Security