Full Report
Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control (C2) infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary JavaScript code into every web page visited. According to Socket, the extensions are published
Analysis Summary
# Tool/Technique: Malicious Google Chrome Extensions Cluster (2026 Campaign)
## Overview
A large-scale campaign involving 108 malicious Google Chrome extensions distributed via the Chrome Web Store. Under the guise of utility tools (Telegram clients, games, translators), these extensions facilitate data exfiltration, session hijacking, and browser-level abuse including ad injection and security header stripping.
## Technical Details
- **Type**: Malware (Browser Extension / Spyware / Adware)
- **Platform**: Google Chrome / Web Browsers
- **Capabilities**: Credential harvesting (OAuth2), session theft (Telegram), JavaScript injection, security header removal, and traffic proxying.
- **First Seen**: Reported April 2026 (Campaign active late 2025/early 2026).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1176 - Browser Extensions
- **TA0006 - Credential Access**
  - T1539 - Steal Web Session Cookie
  - T1555 - Credentials from Web Browsers
- **TA0007 - Discovery**
  - T1082 - System Information Discovery (User Identities)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
- **TA0009 - Collection**
  - T1185 - Browser Session Hijacking
## Functionality
### Core Capabilities
- **Identity Theft**: 54 extensions specifically capture Google account identity details (email, full name, profile picture, and account ID) via OAuth2 interactions.
- **Session Exfiltration**: Periodically (every 15 seconds) steals Telegram Web `user_auth` tokens and session data.
- **Arbitrary URL Injection**: Includes a universal backdoor to force-open attacker-specified URLs upon browser startup.
- **Ad/Script Injection**: Injects arbitrary JavaScript and gambling overlays into every visited web page.
### Advanced Features
- **Security Header Stripping**: Uses the `declarativeNetRequest` API to remove Content Security Policy (CSP), X-Frame-Options, and CORS headers from sites like YouTube and TikTok to facilitate unauthorized content overlays.
- **Session Overwriting**: Capable of overwriting `localStorage` with attacker-supplied data to hijack active Telegram sessions.
- **Traffic Proxying**: Routes all user translation requests through the attacker’s C2 server for data harvesting.
## Indicators of Compromise
- **File Names (Extension IDs)**:
  - `obifanppcpchlehkjipahhphbcbjekfa` (Telegram Multi-account)
  - `mdcfennpfgkngnibjbpnpaafcjnhcjno` (Web Client for Telegram - Teleside)
  - `akebbllmckjphjiojeioooidhnddnplj` (Formula Rush Racing Game)
- **Network Indicators**:
  - `144.126.135[.]238` (Central C2 Infrastructure)
- **Publisher Identities**:
  - Yana Project
  - GameGen
  - SideGames
  - Rodeo Games
  - InterAlt
## Associated Threat Actors
- **Unknown**: Presence of Russian-language comments in the source code suggests potential Eastern European origin or development.
## Detection Methods
- **Signature-based detection**: Scanning local Chrome extension directories for the specific Extension IDs listed above.
- **Behavioral detection**:
  - Monitoring for unauthorized modifications to `localStorage` related to messaging applications.
  - Identification of unexpected `declarativeNetRequest` API calls that modify browser security headers.
  - Detecting frequent (15-second interval) POST requests to known malicious IP space.
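The signature check (extension IDs from the IoC list) and the `declarativeNetRequest` header-stripping check above can be combined into one audit of a Chrome profile's `Extensions/` tree. The script below is an added example written for this summary, not Socket's tooling or code from the campaign; it walks the standard `<profile>/Extensions/<id>/<version>/manifest.json` layout, flags IDs from the IoC list, and parses any static `rule_resources` ruleset for `modifyHeaders` rules that remove CSP, X-Frame-Options or Access-Control-Allow-Origin. The profile it scans is a constructed fixture (the benign ID, version folder, ruleset name and `example.com` filter are made up); point `audit_extensions_dir` at a real profile to use it.

```python
"""Audit a Chrome Extensions/ tree for IoC extension IDs and for
declarativeNetRequest rules that strip security response headers.
Added example; the profile it scans is a constructed fixture."""
import json
import os
import tempfile

# Extension IDs taken from the Indicators of Compromise section.
KNOWN_BAD_IDS = {
    "obifanppcpchlehkjipahhphbcbjekfa",
    "mdcfennpfgkngnibjbpnpaafcjnhcjno",
    "akebbllmckjphjiojeioooidhnddnplj",
}
# Response headers an extension should almost never remove.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options",
                    "access-control-allow-origin"}


def header_stripping_rules(rules):
    """Yield (rule_id, header) for modifyHeaders rules that remove a security header."""
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in SECURITY_HEADERS:
                yield rule.get("id"), name


def audit_extensions_dir(extensions_root):
    """Walk <root>/<ext_id>/<version>/manifest.json; return (ext_id, kind, detail) findings."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        if ext_id in KNOWN_BAD_IDS:
            findings.append((ext_id, "known_bad_id", ext_id))
        for version in sorted(os.listdir(ext_dir)):
            vdir = os.path.join(ext_dir, version)
            manifest_path = os.path.join(vdir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as f:
                manifest = json.load(f)
            perms = set(manifest.get("permissions", []))
            if not perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
                continue
            # Static rulesets are declared in manifest -> declarative_net_request.rule_resources
            for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
                rule_path = os.path.join(vdir, res.get("path", ""))
                if not os.path.isfile(rule_path):
                    continue
                with open(rule_path, encoding="utf-8") as f:
                    rules = json.load(f)
                for rule_id, header in header_stripping_rules(rules):
                    findings.append((ext_id, "strips_security_header",
                                     f"{res.get('id')}#{rule_id}:{header}"))
    return findings


def build_sample_profile():
    """Constructed fixture: one benign extension and one that matches the IoC
    list and ships a ruleset removing CSP and X-Frame-Options."""
    root = tempfile.mkdtemp()

    def write(ext_id, manifest, rules=None):
        vdir = os.path.join(root, ext_id, "1.0.0_0")  # made-up version folder
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as f:
            json.dump(manifest, f)
        if rules is not None:
            with open(os.path.join(vdir, "rules.json"), "w", encoding="utf-8") as f:
                json.dump(rules, f)

    # Benign: made-up ID, no network-request permissions.
    write("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
          {"manifest_version": 3, "name": "Notes", "permissions": ["storage"]})
    # Suspicious: IoC ID plus a header-removing ruleset (constructed content).
    write("obifanppcpchlehkjipahhphbcbjekfa",
          {"manifest_version": 3, "name": "Telegram Multi-account",
           "permissions": ["declarativeNetRequest"],
           "declarative_net_request": {"rule_resources": [
               {"id": "ruleset_1", "enabled": True, "path": "rules.json"}]}},
          [{"id": 1, "priority": 1,
            "action": {"type": "modifyHeaders", "responseHeaders": [
                {"header": "Content-Security-Policy", "operation": "remove"},
                {"header": "X-Frame-Options", "operation": "remove"}]},
            "condition": {"urlFilter": "||example.com",
                          "resourceTypes": ["main_frame", "sub_frame"]}}])
    return root


if __name__ == "__main__":
    for finding in audit_extensions_dir(build_sample_profile()):
        print(finding)
```

A hit on `known_bad_id` is a direct IoC match; a `strips_security_header` hit on an extension not in the list is the behavioral signal from the detection section and deserves manual review of what the ruleset's `condition` targets.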
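The last behavioral item, periodic POSTs to the C2 address, is the kind of thing that falls out of proxy or egress logs once you look for a near-constant inter-request interval per client. The detector below is an added example, not part of the Socket report; the log format (`timestamp client method dest_ip path`) and every log line are constructed, the 15-second period comes from the session-exfiltration behaviour described above, and the C2 address is the report's IoC written without defanging so it can be matched.

```python
"""Flag periodic POST beacons to known C2 space in web-proxy logs.
Added example; the log format and lines are constructed, not real captures."""
from collections import defaultdict
from datetime import datetime
from statistics import median

C2_IPS = {"144.126.135.238"}  # the report's IoC, shown there as 144.126.135[.]238

# Constructed proxy log: "<ISO timestamp> <client> <method> <dest_ip> <path>".
# 10.0.0.5 beacons every 15 s; 10.0.0.9 touches the C2 once and otherwise
# browses a TEST-NET address.
SAMPLE_LOG = """\
2026-04-01T10:00:00 10.0.0.5 POST 144.126.135.238 /api/sync
2026-04-01T10:00:15 10.0.0.5 POST 144.126.135.238 /api/sync
2026-04-01T10:00:30 10.0.0.5 POST 144.126.135.238 /api/sync
2026-04-01T10:00:45 10.0.0.5 POST 144.126.135.238 /api/sync
2026-04-01T10:00:07 10.0.0.9 GET 203.0.113.10 /index.html
2026-04-01T10:03:00 10.0.0.9 POST 144.126.135.238 /api/sync
"""


def parse_line(line):
    """Split one constructed log line into its typed fields."""
    ts, client, method, dest, path = line.split()
    return datetime.fromisoformat(ts), client, method, dest, path


def c2_contacts(log_text):
    """Every client that sent any request to C2 space (pure IoC match)."""
    return {client for ts, client, method, dest, _ in
            (parse_line(l) for l in log_text.splitlines() if l.strip())
            if dest in C2_IPS}


def find_beacons(log_text, period_s=15, tolerance_s=2, min_hits=3):
    """Return {client: (dest, hit_count, median_gap_s)} for clients whose POSTs to
    C2 space arrive at a near-constant interval close to period_s."""
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, dest, _ = parse_line(line)
        if method == "POST" and dest in C2_IPS:
            by_pair[(client, dest)].append(ts)
    alerts = {}
    for (client, dest), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period_s) <= tolerance_s:
            alerts[client] = (dest, len(times), med)
    return alerts


if __name__ == "__main__":
    print("any C2 contact:", sorted(c2_contacts(SAMPLE_LOG)))
    print("periodic beacons:", find_beacons(SAMPLE_LOG))
```

The median of the gaps is used rather than the mean so one delayed request (a laptop sleeping, a retry) does not push a genuine beacon out of the tolerance window; `c2_contacts` is the cheaper check to run first, and `find_beacons` is what separates an installed-and-active extension from a single stray hit.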
## Mitigation Strategies
- **Prevention**:
  - Implement a "Block by Default" policy for browser extensions in enterprise environments.
  - Use Google Chrome Enterprise to enforce an allowed-list of verified extensions.
- **Hardening**:
  - Educate users on the risks of third-party "client" extensions for sensitive services like Telegram.
  - Regularly audit "Active Sessions" in Telegram and Google account security settings to terminate unrecognized devices.
## Related Tools/Techniques
- **Browser Hijackers**: Similar to "The Great Suspender" or "CamoGraph" malicious updates.
- **Ad-Injecting Malware**: Shared techniques with historical clusters like "Stantinko."