108 malicious Chrome extensions linked to shared server, data theft

Cybersecurity researchers have identified 108 malicious Google Chrome extensions linked to the same command and control infrastructure, with the add-ons used to collect user data, steal session information and inject ads and scripts into web pages, according to a technical analysis by Socket.

KEY FACTS

  • Scale: The extensions have about 20,000 installs in the Chrome Web Store.
  • Infrastructure: All 108 connect to the same backend server at 144.126.135[.]238.
  • Behavior: The campaign includes Google account theft, Telegram session exfiltration and browser-level script injection.
  • Distribution: The add-ons were published under five identities, including Yana Project, GameGen, SideGames, Rodeo Games and InterAlt.

The report said 54 extensions steal Google account identity through OAuth2, while 45 include a universal backdoor that can open arbitrary URLs when the browser starts. Others exfiltrate Telegram Web sessions every 15 seconds, strip security headers from YouTube and TikTok, inject gambling overlays and proxy translation requests through the operator’s server.

Some of the add-ons posed as Telegram sidebar clients, games, translation tools and page utilities. One example, Telegram Multi-account, extracts the user_auth token from Telegram Web and can overwrite localStorage with attacker-supplied session data, while a separate extension, Formula Rush Racing Game, steals Google account identity when the sign-in button is clicked.

Five extensions used Chrome’s declarativeNetRequest API to remove security headers before a page loaded. The report said the same backend handled all 108 extensions, and source code analysis found Russian language comments across several add-ons. The operator has not been identified.
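The header-stripping behaviour described above is visible statically: declarativeNetRequest rules live in JSON files declared in the manifest, so a reviewer can flag them before install. The following triage script is an added example, not code from the Socket report or from any of the extensions; the manifest and ruleset it scans are constructed samples.

```python
import json

# Response headers whose removal weakens a page's own protections.
SECURITY_HEADERS = {"content-security-policy", "x-frame-options",
                    "strict-transport-security", "cross-origin-opener-policy"}

def find_header_stripping_rules(rules):
    """Return (rule_id, header, urlFilter) for each rule removing a security header."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for mod in action.get("responseHeaders", []):
            name = mod.get("header", "").lower()
            if mod.get("operation") == "remove" and name in SECURITY_HEADERS:
                url_filter = rule.get("condition", {}).get("urlFilter", "*")
                findings.append((rule.get("id"), name, url_filter))
    return findings

def triage_extension(manifest, rulesets):
    """manifest: parsed manifest.json; rulesets: {path: parsed rule list}."""
    perms = set(manifest.get("permissions", []))
    if not perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        return []  # the API cannot be used without one of these permissions
    findings = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        if res.get("enabled", False):  # disabled rulesets do not apply at install
            findings.extend(find_header_stripping_rules(rulesets.get(res["path"], [])))
    return findings

# Constructed sample (not from any real extension): an MV3 manifest plus one
# static ruleset that strips CSP and X-Frame-Options on a video site.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Sample", "version": "1.0",
  "permissions": ["declarativeNetRequest"], "host_permissions": ["<all_urls>"],
  "declarative_net_request": {"rule_resources": [
    {"id": "rs1", "enabled": true, "path": "rules.json"}]}}""")
SAMPLE_RULES = json.loads("""[
  {"id": 1, "priority": 1, "condition": {"urlFilter": "||youtube.com"},
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "Content-Security-Policy", "operation": "remove"},
     {"header": "X-Frame-Options", "operation": "remove"}]}},
  {"id": 2, "priority": 1, "condition": {"urlFilter": "||tiktok.com"},
   "action": {"type": "modifyHeaders", "responseHeaders": [
     {"header": "Cache-Control", "operation": "set", "value": "no-store"}]}}
]""")
if __name__ == "__main__":
    for rule_id, header, url in triage_extension(SAMPLE_MANIFEST, {"rules.json": SAMPLE_RULES}):
        print(f"rule {rule_id} removes {header} on {url}")
```

Rule 2 is reported as clean because it only sets a caching header; the check is deliberately narrow to removals of protective headers, which is the pattern the report describes.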

WHY IT MATTERS

The findings show how a large group of browser extensions can be used to collect identities, hijack sessions and alter what users see online while appearing to offer normal features. Users who installed any of the extensions were advised to remove them and log out of Telegram Web sessions from the mobile app.