Software Access
Software Access is a malicious Google Chrome extension identified by Socket as part of a coordinated campaign of five malicious extensions targeting customers of Workday, NetSuite, and SAP SuccessFactors. Published under the name Software Access, it masqueraded as a productivity or access tool for enterprise HR/ERP platforms. Its core capability is theft of authentication cookies/tokens and session hijacking. Unlike the other related extensions, Software Access also supports bidirectional cookie injection: it can receive stolen cookies from attacker-controlled infrastructure at api.software-access[.]com, remove existing cookies for a target domain, and inject attacker-provided cookies into the browser using chrome.cookies.set(), enabling direct session relay and authenticated account takeover. The reported behavior can bypass MFA because valid session tokens are implanted directly rather than credentials being entered. Socket also reported anti-analysis functionality in Software Access: it uses the DisableDevtool library to hinder inspection of its code in the browser. Across the broader campaign, the extensions shared similar API structures, monitored for the same list of 23 security-related Chrome extensions, and were assessed as likely operated by the same threat actor. The campaign collectively reached roughly 2,300 installs before removal from the Chrome Web Store. High-confidence associated indicators include the extension ID bmodapcihjhklpogdpblefpepjolaoij and the C2 domain / API endpoint software-access[.]com / api.software-access[.]com.
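A triage check for the traits described above, added here as an example and not code from Socket's write-up or from Mallory: it walks a Chrome profile's Extensions directory, matches the extension ID and C2 domain given on this page, and flags the cookie set/remove, DisableDevtool and extension-enumeration markers. The sample tree it builds is constructed, and the all-"b" and all-"c" extension IDs are hypothetical.

```python
import json
import re
import tempfile
from pathlib import Path
# Indicators are taken from the profile above; the regexes paraphrase the behaviours it describes.
KNOWN_BAD_IDS = {"bmodapcihjhklpogdpblefpepjolaoij"}
KNOWN_BAD_DOMAINS = {"software-access.com", "api.software-access.com"}
MARKERS = {
    "cookie_inject": re.compile(r"chrome\.cookies\.(?:set|remove)\s*\("),  # cookie removal/injection
    "devtools_block": re.compile(r"DisableDevtool", re.I),                 # anti-analysis library
    "ext_probe": re.compile(r"chrome\.management\.getAll\s*\("),           # enumerating other extensions
}

def triage(ext_id, version_dir):
    """Score one unpacked extension (<profile>/Extensions/<id>/<version>/) and return its findings."""
    version_dir = Path(version_dir)
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    code = "\n".join(p.read_text(encoding="utf-8", errors="ignore") for p in version_dir.rglob("*.js"))
    hosts = " ".join(manifest.get("host_permissions", [])) + "\n" + code
    f = {"id": ext_id, "known_bad_id": ext_id in KNOWN_BAD_IDS,
         "c2_domain": any(d in hosts for d in KNOWN_BAD_DOMAINS),
         "cookies_permission": "cookies" in manifest.get("permissions", []),
         "markers": sorted(k for k, rx in MARKERS.items() if rx.search(code))}
    # Known ID or C2 domain is a direct match; otherwise require cookie injection plus an anti-analysis/probe trait.
    behavioural = (f["cookies_permission"] and "cookie_inject" in f["markers"]
                   and {"devtools_block", "ext_probe"} & set(f["markers"]))
    f["verdict"] = "match" if f["known_bad_id"] or f["c2_domain"] else ("suspicious" if behavioural else "clean")
    return f

def scan_extensions_root(root):
    """Walk a Chrome profile's Extensions/ directory and triage every installed version."""
    return [triage(d.name, v) for d in sorted(Path(root).iterdir()) if d.is_dir()
            for v in sorted(d.iterdir()) if (v / "manifest.json").is_file()]

def build_sample_root():
    """Constructed sample tree (no real extension code): a look-alike under a hypothetical ID and a benign one."""
    samples = {
        "b" * 32: ({"manifest_version": 3, "name": "Sample Access Tool", "permissions": ["cookies", "management"],
                    "host_permissions": ["<all_urls>"]},
                   "chrome.management.getAll(function (l) {});\nchrome.cookies.remove({url: u, name: n});\n"
                   "chrome.cookies.set(c);\nDisableDevtool();\n"),
        "c" * 32: ({"manifest_version": 3, "name": "Notes", "permissions": ["storage"]}, "chrome.storage.local.get('notes', function (v) {});\n"),
    }
    root = Path(tempfile.mkdtemp())
    for ext_id, (manifest, js) in samples.items():
        d = root / ext_id / "1.0.0"; d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (d / "background.js").write_text(js, encoding="utf-8")
    return root
```

Point scan_extensions_root at a real profile's Extensions directory to run it against installed extensions; a "suspicious" verdict is a prompt for manual review, not proof of compromise.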
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Malicious Chrome extension that steals authentication cookies/tokens and supports direct session relay by injecting stolen tokens from its C2 into an attacker-controlled browser that also has the extension installed. Includes anti-analysis via DisableDevtool to hinder inspection.
Malicious browser extension that steals cookies/session tokens and then sets them via bidirectional cookie injection (including via chrome.cookies.set()) in an attacker-controlled browser in order to take over an authenticated session without further user interaction (session hijacking).
A malicious Chrome extension that performs bidirectional cookie injection: pulls attacker-provided session material from C2 and injects it into the victim browser to hijack sessions and bypass MFA without needing passwords.
Malicious Chrome extension that both steals cookies and supports server-driven cookie injection (removing existing cookies and setting attacker-supplied cookies via chrome.cookies.set) to directly instantiate a victim session in the attacker’s browser; includes measures to hinder credential inspection.