Malicious Browser Extensions Used for Enterprise Backdoors and Session Hijacking
Security researchers reported multiple malicious browser-extension campaigns abusing official extension stores and search-driven lures to compromise enterprise users. Huntress documented a Chrome Web Store extension, “NexShield – Advanced Web Guardian” (a near-clone of uBlock Origin Lite), distributed via search/advertising redirection and designed to intentionally “freeze” the browser and present a fake CrashFix security prompt that instructs users to paste and run commands via Win + R; this social-engineering step results in installation of a previously undocumented Windows RAT dubbed ModeloRAT on domain-joined endpoints. Reporting also tied the delivery to a traffic distribution system (KongTuke, also tracked as 404 TDS/TAG-124 and other aliases) used to profile victims and route them to payload delivery infrastructure that has been leveraged by other criminal operations, including ransomware affiliates.
Separately, Socket.dev analysis described five coordinated Chrome extensions targeting enterprise SaaS platforms (Workday, NetSuite, SuccessFactors) to enable account takeover via session hijacking, including continuous token theft and bidirectional cookie injection that can bypass MFA by replaying stolen session cookies. In parallel, Malwarebytes reported “sleeper” extension campaigns attributed to DarkSpectre (including GhostPoster and ShadyPanda) that turned previously benign extensions malicious after updates and used steganography (JavaScript hidden in extension images) to evade detection across Edge, Chrome, and Firefox, with large download counts and long dwell time. A separate Nextron Systems report described a related distribution pattern—malicious “free converter” apps promoted via malicious Google ads and made to look legitimate with code-signing certificates—highlighting the broader trend of search/advertising-driven initial access leading to persistent RAT deployment, though it is not the same extension-specific incident as the NexShield/CrashFix chain.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Microsoft documents CrashFix as an escalation in ClickFix tradecraft
Microsoft later characterized CrashFix as a notable escalation of ClickFix-style social engineering and described additional post-compromise behavior, including native-command reconnaissance and delivery of a ZIP containing a Python payload and interpreter with scheduled-task persistence.
CrashFix chain is found delivering the new ModeloRAT malware
Researchers said the CrashFix infection flow used living-off-the-land tools and staged PowerShell payloads to profile hosts, perform anti-analysis checks, and selectively deploy a previously undocumented Python-based Windows RAT called ModeloRAT, especially on domain-joined systems.
Huntress discloses CrashFix campaign using NexShield extension
Huntress reported an active KongTuke campaign using a malicious Chrome Web Store extension named NexShield, a near-clone of uBlock Origin Lite, to intentionally freeze browsers and display fake crash-recovery prompts. The lures coerced victims into pasting and running attacker-supplied commands from the Windows Run dialog.
Malicious HR/ERP extensions reach about 2,300 Chrome Web Store users
The five enterprise-themed malicious extensions were reported as available through the Chrome Web Store and collectively downloaded by roughly 2,300 users, indicating meaningful exposure among enterprise users.
Socket identifies five Chrome extensions targeting HR and ERP platforms
Socket.dev analysts uncovered a coordinated campaign of five malicious Chrome extensions impersonating enterprise productivity tools for platforms such as Workday, NetSuite, and SAP SuccessFactors. The extensions stole authentication cookies, supported cookie injection for session hijacking, and blocked access to key security administration pages.
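A defender-side way to hunt for the capability pairing described above (cookie access scoped to enterprise SaaS hosts, plus request-blocking and broad host permissions) is to score each installed extension's manifest.json. The script below is an added example, not code from Socket.dev or from this page; the permission names are real Chrome manifest keys, while the weights, the threshold and the sample manifests are constructed assumptions.

```python
"""Score browser-extension manifests for the capability combinations this story describes:
cookie access on enterprise SaaS hosts (session theft/injection), request blocking
(hiding security admin pages) and unbounded host scope. Sample manifests are constructed;
permission names are real Chrome keys but weights and threshold are an assumed heuristic."""
import json

RISKY_PERMISSIONS = {"cookies": 3, "webRequest": 2, "webRequestBlocking": 3,
                     "declarativeNetRequest": 2, "scripting": 2}
ALL_URLS_WEIGHT = 3
ENTERPRISE_HOST_HINTS = ("workday", "netsuite", "successfactors")

def host_scope(manifest: dict) -> list:
    """Collect host patterns from MV2 'permissions', MV3 'host_permissions' and content scripts."""
    hosts = [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    hosts += manifest.get("host_permissions", [])
    for cs in manifest.get("content_scripts", []):
        hosts += cs.get("matches", [])
    return hosts

def score_manifest(manifest: dict) -> tuple:
    """Return (score, reasons); cookies combined with enterprise SaaS scope is weighted extra."""
    score, reasons = 0, []
    perms = set(manifest.get("permissions", []))
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        score += RISKY_PERMISSIONS[p]
        reasons.append("permission:" + p)
    hosts = host_scope(manifest)
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        score += ALL_URLS_WEIGHT
        reasons.append("host_scope:all_urls")
    saas = [h for h in hosts if any(k in h.lower() for k in ENTERPRISE_HOST_HINTS)]
    if "cookies" in perms and saas:  # the pairing that enables session hijacking
        score += 5
        reasons.append("cookies+enterprise_hosts:" + ",".join(saas))
    return score, reasons

def triage(manifest_json: str, threshold: int = 8) -> dict:
    """Parse one manifest.json and return a verdict row for a hunting report."""
    m = json.loads(manifest_json)
    score, reasons = score_manifest(m)
    return {"name": m.get("name", "?"), "score": score, "flag": score >= threshold,
            "reasons": reasons}

# Constructed samples, not real manifests from the reported campaign.
SAMPLE_SUSPICIOUS = json.dumps({"name": "HR Portal Helper", "manifest_version": 3,
    "permissions": ["cookies", "scripting", "declarativeNetRequest"],
    "host_permissions": ["https://*.workday.com/*", "https://*.netsuite.com/*"]})
SAMPLE_BENIGN = json.dumps({"name": "Tab Counter", "manifest_version": 3,
                            "permissions": ["tabs"]})
```

Run `triage()` over every manifest.json under the browser profile's Extensions directory and review anything flagged; a high score is a lead for analyst review, not proof of malice.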
Browser vendors remove DarkSpectre-linked malicious extensions
Mozilla and Microsoft removed identified malicious add-ons from their stores, and Google confirmed removal from the Chrome Web Store, though already-installed extensions could remain active until manually uninstalled.
Researchers link 17 more extensions to DarkSpectre activity
Follow-on research attributed 17 additional browser extensions to the same DarkSpectre-linked activity cluster, bringing the combined set to extensions with more than 840,000 downloads, some of which had been active for up to five years.
ShadyPanda extensions turn malicious after years of benign behavior
In the ShadyPanda campaign, browser extensions that had behaved normally for years were updated to begin tracking browsing activity and executing malicious code in users' browsers.
GhostPoster expands from Edge to Chrome and Firefox
The GhostPoster extension campaign later broadened to Chrome and Firefox, publishing add-ons through official browser stores and refining its payload-hiding methods to decode and decrypt malicious code at runtime.
GhostPoster campaign begins targeting Microsoft Edge users
Malicious browser extensions associated with the GhostPoster activity reportedly first appeared on Microsoft Edge, using benign utility themes and later evolving steganographic techniques to hide JavaScript payloads in image assets.
Sources
CrashFix attack hijacks browser failures to deliver ModelRAT malware via fake Chrome extension | CSO Online (csoonline.com)
Fake browser crash alerts turn Chrome extension into enterprise backdoor | Help Net Security (helpnetsecurity.com)
Firefox joins Chrome and Edge as sleeper extensions spy on users | Malwarebytes (malwarebytes.com)
5 Malicious Chrome Extensions Attacking Enterprise HR and ERP Platforms for Complete Takeover (cybersecuritynews.com)
CrashFix Chrome Extension Delivers ModeloRAT Using ClickFix-Style Browser Crash Lures (thehackernews.com)
Five Chrome extensions caught hijacking enterprise sessions | CSO Online (csoonline.com)