Two campaigns distributing fake browser extensions have been uncovered, both using malvertising and counterfeit websites to harvest user data and hijack Meta-related accounts. The findings were reported by Bitdefender and Cybereason, who described two distinct operations targeting Facebook and Meta advertisers.
The malvertising campaign, reported by Bitdefender, pushes a rogue extension named SocialMetrics Pro that claims to unlock the blue verification tick on Facebook and Instagram profiles. Bitdefender said at least 37 malicious ads were observed.
The extension – which is hosted on a legitimate cloud service called Box – is capable of collecting session cookies from Facebook and sending them to a Telegram bot controlled by the attackers. It can also obtain the victim’s IP address by querying ipinfo.io/json.
Select variants of the rogue browser add-on have been observed using stolen cookies to interact with the Facebook Graph API to fetch additional information related to the accounts.
The end goal is to sell compromised Facebook Business and Ads accounts on underground forums or repurpose them to fuel further malvertising campaigns, creating a self-perpetuating cycle.
The campaign exhibits fingerprints typically associated with Vietnamese-speaking threat actors, who are known to adopt various stealer families to target and gain unauthorized access to Facebook accounts, a pattern Bitdefender noted as part of the broader malvertising ecosystem. The use of Vietnamese language in tutorials and source code comments has been cited as supporting this attribution.
In a separate operation, researchers described a Meta advertiser-focused campaign distributing rogue Chrome extensions via counterfeit websites posing as AI-powered ad-optimization tools for Facebook and Instagram. At the heart of the operation is a fake platform named Madgicx Plus.
Promoted as a tool to streamline campaign management and boost ROI using artificial intelligence, the extension instead delivers potentially malicious functionalities capable of hijacking business sessions, stealing credentials, and compromising Meta Business accounts, Cybereason said. Cybereason added that the extensions are promoted as productivity or ad performance enhancers, but they operate as dual-purpose malware capable of stealing credentials, accessing session tokens, or enabling account takeover.
The extensions, the first of which remains available for download from the Chrome Web Store as of writing, are listed below:
- Madgicx Plus – The SuperApp for Meta Advertisers (ID: eoalbaojjblgndkffciljmiddhgjdldh) – Published in February 2025 (28 Installs)
- Meta Ads SuperTool (ID: cpigbbjhchinhpamicodkkcpihjjjlia) – Published in March 2025 (11 Installs)
- Madgicx X Ads – The SuperApp for Meta Advertisers (ID: cpigbbjhchinhpamicodkkcpihjjjlia) – Published in March 2025 (3 Installs)
Once installed, the extension gains full access to all websites the user visits, enabling it to inject arbitrary scripts, intercept and modify network traffic, monitor browsing activity, capture form inputs, and harvest sensitive data. It also prompts users to link their Facebook and Google accounts to access the service, while their identity information is covertly harvested in the background. Furthermore, the add-ons function similarly to the aforementioned fake Meta Verified extension in that they use victims’ stolen Facebook credentials to interact with the Facebook Graph API.
“This staged approach reveals a clear threat-actor strategy: first capturing Google identity data, then pivoting to Facebook to broaden access and increase the chances of hijacking valuable business or advertising assets,” Cybereason said.
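For defenders, the extension IDs and the all-site access described above can be checked on an endpoint. The following is an added example, not code from Bitdefender, Cybereason or the article. It assumes Chrome's per-profile `Extensions/<id>/<version>/manifest.json` layout, and the set of "risky" API permissions is a heuristic chosen here; the sample tree is constructed.

```python
import json, tempfile
from pathlib import Path

# Extension IDs exactly as listed in the article.
REPORTED_IDS = {"eoalbaojjblgndkffciljmiddhgjdldh", "cpigbbjhchinhpamicodkkcpihjjjlia"}
# Match patterns that cover every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Chrome API permissions that enable cookie access, traffic interception or script injection.
RISKY_APIS = {"cookies", "webRequest", "declarativeNetRequest", "scripting", "identity"}
KEYS = ("permissions", "optional_permissions", "host_permissions", "optional_host_permissions")

def audit_extensions(ext_root):
    """Scan <ext_root>/<extension id>/<version>/manifest.json and return findings."""
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            findings.append({"id": ext_id, "name": "?", "reasons": ["unreadable manifest"]})
            continue
        # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
        declared = {p for k in KEYS for p in manifest.get(k, []) if isinstance(p, str)}
        for script in manifest.get("content_scripts", []):
            declared.update(script.get("matches", []))
        reasons = []
        if ext_id in REPORTED_IDS:
            reasons.append("ID listed in the article")
        broad, risky = declared & BROAD_HOSTS, declared & RISKY_APIS
        if broad and risky:
            reasons.append(f"all-site access {sorted(broad)} plus {sorted(risky)}")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings

def build_sample(root):
    """Write a constructed Extensions tree; only the first ID comes from the article."""
    samples = {
        "eoalbaojjblgndkffciljmiddhgjdldh": {"name": "sample-listed", "permissions": ["storage"]},
        "a" * 32: {"name": "sample-broad", "manifest_version": 3,
                   "permissions": ["cookies"], "host_permissions": ["<all_urls>"]},
        "b" * 32: {"name": "sample-narrow", "permissions": ["storage"],
                   "host_permissions": ["https://example.com/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for finding in audit_extensions(tmp):
            print(finding)
```

The permission heuristic will also flag legitimate extensions such as ad blockers and password managers, so treat those hits as a review queue; a match on a listed ID is the stronger signal.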