Malicious Browser Extensions Used for Stealthy Data Theft and Account Takeover
Researchers reported multiple malicious browser extension campaigns abusing official add-on ecosystems to steal data and hijack accounts. One operation tracked as GhostPoster hid malicious logic inside seemingly benign PNG image files, a technique used to evade typical extension review and static checks; follow-on infrastructure analysis linked the activity to at least 17 additional extensions using the same backend and tactics, with ~840,000 installs and some extensions active for up to five years. The campaign reportedly started on Microsoft Edge and later expanded to Chrome and Firefox, emphasizing stealth and long-term persistence over rapid spread.
Separately, Socket researchers identified five malicious Chrome extensions impersonating enterprise platforms (Workday, NetSuite, SuccessFactors) to enable session hijacking and account takeover. The extensions were described as working together to steal authentication tokens/cookies, block incident response by manipulating the DOM to interfere with security administration pages, and perform cookie injection to take over sessions; most were removed from the Chrome Web Store but remained available via third-party download sites. In response to the broader extension abuse, Mozilla and Microsoft removed identified add-ons from their marketplaces, but already-installed extensions remain a risk and require manual removal.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Mozilla and Microsoft remove identified malicious extensions
Mozilla and Microsoft removed the malicious extensions identified in the broader GhostPoster-related campaign from their browser marketplaces. Users who had already installed the add-ons were still required to manually uninstall them to eliminate the risk.
Chrome Web Store removes most malicious HR/ERP extensions
Most of the malicious Chrome extensions impersonating enterprise productivity tools were removed from the Chrome Web Store, and Software Access was later removed as well. However, some remained available through third-party download sites such as Softonic at the time of reporting.
LayerX identifies 17 more add-ons tied to the same infrastructure
LayerX traced the campaign infrastructure and uncovered 17 additional malicious browser add-ons using the same backend systems and tactics. The company said the combined campaign exceeded 840,000 installs, with a more advanced variant accounting for 3,822 installs.
Koi Security finds PNG-based code hiding in malicious extensions
Koi Security reported that malicious browser extensions in the broader campaign concealed code inside apparently benign PNG image files to evade standard security checks. This finding showed the campaign had evolved beyond the originally identified GhostPoster activity.
Socket links five fake HR/ERP extensions to a coordinated campaign
Socket researchers determined that the five Chrome extensions were part of a coordinated operation despite being published under two different publisher accounts. The assessment was based on shared functionality, infrastructure patterns, and a common list of security-related Chrome extensions the malware attempted to detect.
Malicious Chrome extensions impersonating Workday and NetSuite are distributed
Attackers distributed at least five malicious Chrome extensions masquerading as productivity tools for platforms including Workday, NetSuite, and SuccessFactors. The extensions were designed to steal authentication cookies and tokens, support session hijacking through cookie injection, and in some cases block access to Workday security and administration pages.
GhostPoster browser extension threat is initially identified
Researchers initially identified a malicious browser extension threat known as GhostPoster, which later proved to be part of a broader long-running campaign. The reporting indicates the activity had been ongoing for as long as five years before the January 2026 disclosures.
Campaign expands from Edge to Chrome and Firefox
The broader browser-extension malware campaign began on Microsoft Edge and later expanded to Google Chrome and Mozilla Firefox. Researchers described this as evidence of a long-term, stealth-focused operation spanning multiple browser ecosystems.