softwareaccess

softwareaccess is the branding used by one of five coordinated malicious Google Chrome extensions identified in a campaign targeting enterprise users of major HR and finance platforms, including Workday, NetSuite, and SuccessFactors. The extension shares identical infrastructure patterns and attack mechanisms with four related extensions published under the name databycloud1104. Collectively, the five extensions reached more than 2,300 users. The extensions masquerade as legitimate productivity tools while stealing authentication tokens and cookies to enable session hijacking and full account takeover. The Software Access extension specifically implements bidirectional cookie injection, allowing attackers to inject stolen authentication cookies into their own browsers and access victim accounts without passwords, including bypass of multi-factor authentication. Some extensions in the cluster extract session tokens every 60 seconds to keep stolen credentials current. The campaign also includes active defense evasion and response inhibition. The extensions use DOM manipulation and high-frequency MutationObserver checks, reported as every 50 milliseconds, to monitor for administrative security pages and blank or redirect them. This blocks remediation actions such as password changes, account deactivation, MFA device management, and access to security audit logs. The described behavior can create a containment failure in which defenders detect unauthorized access but cannot perform standard remediation, potentially forcing organizations to tolerate persistent unauthorized access or migrate affected users to new accounts. Known related branding and aliases directly mentioned in the content are softwareaccess and databycloud1104.