Malicious Browser Extensions Abusing Enterprise Platforms and Ad Fraud at Scale
Security researchers reported multiple malicious browser extension operations abusing official add-on stores. Socket identified five Chrome Web Store extensions impersonating productivity/security tools for Workday, NetSuite, and SAP SuccessFactors, installed over 2,300 times, that performed credential theft and session abuse via cookie exfiltration, cookie injection for session hijacking, and DOM manipulation to block security/incident-response administration pages; the extensions appeared under different publisher names but shared code structure, targeting logic, and infrastructure, indicating coordinated activity.
Separately, LayerX documented continued activity in the GhostPoster campaign across Chrome, Firefox, and Edge, adding 17 more extensions with a combined ~840,000 installs. The extensions concealed malicious JavaScript in image assets (e.g., logo files) to fetch an obfuscated payload that monitored browsing, planted a backdoor, hijacked affiliate links, and injected invisible iframes to drive ad/click fraud; LayerX assessed the operation likely originated in the Edge ecosystem and later expanded, with some extensions reportedly present since 2020, suggesting long-lived persistence despite prior public exposure by Koi Security.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Google removes reported HR-platform credential-stealing extensions
Socket said it reported the malicious HR/ERP-themed Chrome extensions to Google, and they appeared to have been removed from the Chrome Web Store at the time of publication. Affected users were advised to alert administrators and change passwords.
Socket uncovers Chrome extensions targeting HR and ERP platforms
Socket identified five malicious Chrome Web Store extensions masquerading as tools for Workday, NetSuite, and SAP SuccessFactors, with more than 2,300 installs. The extensions stole authentication cookies, interfered with security administration pages, and in one case enabled session hijacking through attacker-supplied cookie injection.
Browser vendors remove newly identified GhostPoster extensions
By the time of reporting, Mozilla and Microsoft no longer hosted the newly identified GhostPoster extensions, and Google confirmed their removal from the Chrome Web Store. Previously installed users were still considered at risk.
LayerX identifies 17 more GhostPoster extensions
Researchers reported 17 additional malicious extensions tied to GhostPoster across the Chrome, Firefox, and Microsoft Edge stores, bringing the known total to about 840,000 installs. They also documented an evolved technique in the 'Instagram Downloader' extension that moved staging into the background script and used a bundled image as a covert payload container.
Malwarebytes-themed infostealer campaign is observed
Researchers observed a campaign from January 11 to January 15, 2026 in which threat actors distributed ZIP archives impersonating Malwarebytes installers. The files used DLL sideloading to launch a malicious CoreMessaging.dll and deploy infostealers targeting browser credentials and cryptocurrency wallets.
Koi Security first discloses the GhostPoster campaign
In December 2025, Koi Security publicly disclosed the GhostPoster browser-extension campaign, which hid malicious JavaScript in image assets to monitor browsing and support fraud-related activity.
Some GhostPoster extensions appear in browser stores
LayerX reported that some browser extensions later tied to the GhostPoster campaign had been present in extension stores since 2020, indicating the activity predates its public disclosure by several years.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Threat Actors Impersonate as MalwareBytes to Attack Users and Steal Logins
cybersecuritynews.com
Open sourceCredential-stealing Chrome extensions target enterprise HR platforms
bleepingcomputer.com
Open sourceMalicious GhostPoster browser extensions found with 840,000 installs
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious Browser Extensions Used for Stealthy Data Theft and Account Takeover
Researchers reported multiple **malicious browser extension** campaigns abusing official add-on ecosystems to steal data and hijack accounts. One operation tracked as **GhostPoster** hid malicious logic inside seemingly benign PNG image files, a technique used to evade typical extension review and static checks; follow-on infrastructure analysis linked the activity to at least **17 additional extensions** using the same backend and tactics, with **~840,000 installs** and some extensions active for up to **five years**. The campaign reportedly started on **Microsoft Edge** and later expanded to **Chrome and Firefox**, emphasizing stealth and long-term persistence over rapid spread. Separately, Socket researchers identified **five malicious Chrome extensions** impersonating enterprise platforms (*Workday, NetSuite, SuccessFactors*) to enable **session hijacking and account takeover**. The extensions were described as working together to **steal authentication tokens/cookies**, **block incident response** by manipulating the DOM to interfere with security administration pages, and perform **cookie injection** to take over sessions; most were removed from the Chrome Web Store but remained available via third-party download sites. In response to the broader extension abuse, **Mozilla and Microsoft** removed identified add-ons from their marketplaces, but already-installed extensions remain a risk and require **manual removal**.
Mar 21, 2026
Malicious Browser Extensions Used for Enterprise Backdoors and Session Hijacking
Security researchers reported multiple **malicious browser-extension** campaigns abusing official extension stores and search-driven lures to compromise enterprise users. Huntress documented a Chrome Web Store extension, **“NexShield – Advanced Web Guardian”** (a near-clone of *uBlock Origin Lite*), distributed via search/advertising redirection and designed to intentionally “freeze” the browser and present a fake **CrashFix** security prompt that instructs users to paste and run commands via `Win + R`; this social-engineering step results in installation of a previously undocumented Windows RAT dubbed **ModeloRAT** on domain-joined endpoints. Reporting also tied the delivery to a traffic distribution system (**KongTuke**, also tracked as **404 TDS/TAG-124** and other aliases) used to profile victims and route them to payload delivery infrastructure that has been leveraged by other criminal operations, including ransomware affiliates. Separately, Socket.dev analysis described **five coordinated Chrome extensions** targeting enterprise SaaS platforms (**Workday, NetSuite, SuccessFactors**) to enable account takeover via **session hijacking**, including continuous token theft and **bidirectional cookie injection** that can bypass MFA by replaying stolen session cookies. In parallel, Malwarebytes reported “sleeper” extension campaigns attributed to **DarkSpectre** (including **GhostPoster** and **ShadyPanda**) that turned previously benign extensions malicious after updates and used **steganography** (JavaScript hidden in extension images) to evade detection across **Edge, Chrome, and Firefox**, with large download counts and long dwell time. A separate Nextron Systems report described a related distribution pattern—malicious “free converter” apps promoted via **malicious Google ads** and made to look legitimate with **code-signing certificates**—highlighting the broader trend of search/advertising-driven initial access leading to persistent RAT deployment, though it is not the same extension-specific incident as the NexShield/CrashFix chain.
Mar 21, 2026
Malicious Chrome Extensions Steal and Inject Session Cookies to Hijack Enterprise Accounts
Researchers reported a coordinated operation involving at least five **malicious Chrome extensions** masquerading as productivity or security tools, designed to **hijack enterprise web sessions** by stealing authentication cookies/session tokens. The extensions targeted business platforms such as **Workday, NetSuite, and SAP SuccessFactors**, where possession of a valid session token can enable access without re-entering credentials; telemetry indicated some variants attempted to **exfiltrate cookies as frequently as every 60 seconds**. Prior to takedown requests to Google, the campaign was estimated to have reached **2,300+ installs**. One variant, **Software Access**, was described as particularly advanced because it supported **bidirectional cookie injection**—using Chrome APIs such as `chrome.cookies.set()` to implant stolen session cookies into an attacker-controlled browser, effectively recreating an authenticated session. Investigators noted the extensions shared **identical infrastructure patterns** despite being published under different names (including multiple under “databycloud1104”), supporting attribution to a single coordinated actor. Recommended mitigations included stricter enterprise controls over browser extensions (vetting and limiting permissions, especially cookie access), removing unnecessary add-ons, and monitoring for anomalous session activity and extension behavior to detect session hijacking attempts earlier.
Mar 21, 2026