Cyber News & CTI Reports :: 2026-04-14 | Over 100 Chrome Web Store extensions steal user accounts, data

1. AI Summary

More than 100 malicious Chrome Web Store extensions steal Google OAuth2 Bearer tokens and account identity data, hijack Telegram Web sessions, inject ads, and act as startup backdoors that fetch commands from a C2. All of them report to one backend hosted on a Contabo VPS, were published under five fake publisher identities, and were still listed in the Chrome Web Store when Socket and BleepingComputer published. Socket found code comments pointing to a Russian malware‑as‑a‑service operation.

2. IOCs

IOC Type Value Description Relevant MITRE ATT&CK Techniques
Domain Not disclosed in the article Central C2 backend on a Contabo VPS; separate subdomains handle session hijacking, identity collection, command execution and monetization. The hostnames are in Socket's report, not in this page. T1071.001|T1041
Extension ID Not reproduced in the article Socket published the IDs of the malicious extensions; compare installed extensions against that list rather than against any value on this page. T1176.001

3. MITRE ATT&CK

Code Title
T1176.001 Software Extensions: Browser Extensions – malicious extensions published to the official Chrome Web Store under five publisher identities.
T1036 Masquerading – extensions posing as Telegram sidebar clients, slot machine and Keno games, YouTube/TikTok enhancers, a translator and utilities.
T1528 Steal Application Access Token – ‘chrome.identity.getAuthToken’ used to obtain the Google OAuth2 Bearer token plus email, name, profile picture and account ID.
T1539 Steal Web Session Cookie – Telegram Web session data and token read from ‘localStorage’ every 15 seconds and sent to the C2.
T1550.004 Use Alternate Authentication Material: Web Session Cookie – the ‘set_session_changed’ handler overwrites ‘localStorage’ with operator-supplied session data and reloads Telegram, swapping the victim into another account.
T1185 Browser Session Hijacking – attacker-controlled HTML injected via ‘innerHTML’; security headers stripped and ads injected on YouTube and TikTok; translation requests proxied through a malicious server.
T1059.007 Command and Scripting Interpreter: JavaScript – hidden function that runs on browser startup, fetches commands from the C2 and can open arbitrary URLs (backdoor).
T1071.001 Application Layer Protocol: Web Protocols – HTTP(S) to subdomains of the Contabo-hosted backend for C2.
T1041 Exfiltration Over C2 Channel – harvested identity and session data sent to the same backend.
T1496 Resource Hijacking – ad injection for monetization (closest fit; ATT&CK has no dedicated ad-fraud technique).

4. Targets

Type Value
Country Global
Sector Social Media & Messaging
Sector Technology/Internet Services

5. Article Details

6. Original text

More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud.

Researchers at application security company Socket discovered that the malicious extensions are part of a coordinated campaign that uses the same command-and-control (C2) infrastructure.

The threat actor published the extensions under five distinct publisher identities in multiple categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and utilities.

According to the researchers, the campaign uses a central backend hosted on a Contabo VPS, with multiple subdomains handling session hijacking, identity collection, command execution, and monetization operations.

Socket has found evidence indicating a Russian malware-as-a-service (MaaS) operation, based on comments in the code for authentication and session theft.

[Figure: Extensions linked to the same campaign. Source: Socket]

Harvesting data and hijacking accounts

The largest cluster, comprising 78 extensions, injects attacker-controlled HTML into the user interface via the ‘innerHTML’ property.

The second-largest group, with 54 extensions, uses ‘chrome.identity.getAuthToken’ to collect the victim’s email, name, profile picture, and Google account ID. They also steal the Google OAuth2 Bearer token, a short-lived access token that permits applications to access a user's data or to act on their behalf.

[Figure: Google account data harvesting. Source: Socket]

A third batch of 45 extensions features a hidden function that runs on browser startup, acting as a backdoor that fetches commands from the C2 and can open arbitrary URLs. This function does not require the user to interact with the extension.

One extension highlighted by Socket as “the most severe” steals Telegram Web sessions every 15 seconds, extracts session data from ‘localStorage’ and the session token for Telegram Web, and sends the info to the C2.

“The extension also handles an inbound message (set_session_changed) that performs the reverse operation: it clears the victim's localStorage, overwrites it with threat actor-supplied session data, and force-reloads Telegram,” describes Socket. “This allows the operator to swap any victim's browser into a different Telegram account without the victim's knowledge.”

The researchers also found three extensions that strip security headers and inject ads into YouTube and TikTok, one that proxies translation requests through a malicious server, and a not-yet-active Telegram session theft extension that uses staged infrastructure.

Socket has notified Google about the campaign, but warns that all malicious extensions were still available on the Chrome Web Store at the time its report was published. BleepingComputer confirms that many of the extensions listed in Socket’s report are still available at publishing time. We have reached out to Google for a comment on this, but we have not heard back.

Users are recommended to check their installed extensions against the IDs Socket published, and uninstall any matches immediately.