108 Chrome Extensions Stole Google Identities and Telegram Sessions
Researchers uncovered a coordinated campaign involving 108 malicious Chrome extensions on the Chrome Web Store that collectively reached about 20,000 installs and were published under five separate publisher identities. The extensions posed as legitimate tools and games but were tied to a shared command-and-control infrastructure, including cloudapi[.]stream and backend systems hosted at 144.126.135[.]238. Investigators linked the operation through reused code, shared privacy-policy artifacts, common Google Cloud project numbers across 54 OAuth-enabled extensions, and Russian-language comments, indicating a single operator or centrally managed service.
The extensions were found stealing Google account identity data, browsing information, and Telegram Web sessions, while some also injected ads, inserted arbitrary JavaScript into visited pages, stripped security headers from sites such as YouTube, TikTok, and Telegram, or used a startup backdoor to open arbitrary URLs. The most severe sample, Telegram Multi-account, reportedly exfiltrated Telegram Web session data every 15 seconds and could enable full account takeover by replacing a victim's local session with attacker-supplied data. Researchers said the infrastructure appeared consistent with a malware-as-a-service model and warned that many of the extensions were still live when reported; affected users were urged to remove the extensions and revoke active Telegram Web sessions. Removal alone does not end the exposure: session data that has already been exfiltrated stays usable until the corresponding Telegram sessions are terminated, and Google OAuth grants obtained through the extensions remain valid until revoked under the account's third-party access settings.

How this story unfolded
Four events, listed from the most recent confirmed update back to the earliest known activity.
Socket submits takedown requests while extensions remain live
At the time of publication, the malicious extensions were still available in the Chrome Web Store. Socket said it had submitted takedown requests to the Chrome Web Store security team and Google Safe Browsing.
Socket reports Telegram session theft and account takeover capability
Socket disclosed that the most severe sample, Telegram Multi-account, repeatedly exfiltrates Telegram Web session data every 15 seconds and can enable full account takeover by replacing a victim's local session with attacker-supplied data. Researchers also reported that dozens of extensions harvested Google identity data via OAuth2 and some included startup backdoors or content-injection features.
Socket links campaign to centralized operator and MaaS-style backend
Researchers connected the extensions to a single operator using shared backend infrastructure, reused code and privacy-policy artifacts, common Google Cloud project numbers across OAuth-enabled extensions, and Russian-language comments. The infrastructure appeared to support a malware-as-a-service model with centralized access to stolen identities and sessions.
Socket uncovers 108-extension Chrome campaign tied to shared C2
Socket's Threat Research Team identified a coordinated campaign involving 108 malicious Chrome extensions published under five Chrome Web Store publisher identities and linked through shared command-and-control infrastructure. The extensions collectively had about 20,000 installs and blended benign-looking features with data theft, session hijacking, ad injection, and arbitrary URL opening behavior.
Sources
Massive Chrome Extension Scam Exposes 20,000 Users to Data Theft (techrepublic.com)
Over 100 malicious Chrome extensions steal tokens, deploy backdoors | brief | SC Media (scworld.com)
Over 100 Malicious Chrome Extensions Steal Google Tokens, Hijack Telegram Sessions, and Inject Ads - gHacks Tech News (ghacks.net)
Hackers Use 108 Chrome Extensions to Steal User Data Through Shared C2 Infrastructure (cybersecuritynews.com)
108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users (thehackernews.com)
Over 100 Chrome extensions in Web Store target users accounts and data (bleepingcomputer.com)
108 Chrome Extensions Linked to Data Exfiltration and Sessio... (socket.dev)
Malicious Chrome Extensions Steal Google & Telegram Data (bitdefender.com)


