Socket's Threat Research Team uncovered a coordinated campaign of 108 malicious Chrome extensions tied to a shared C2 infrastructure at cloudapi[.]stream. Published under five fake identities with ~20k installs, the extensions collectively steal Google account identities via OAuth2, exfiltrate Telegram Web sessions every 15 seconds, inject gambling overlays into YouTube and TikTok, strip security headers (CSP, X-Frame-Options), and include a universal backdoor that opens operator-specified URLs on every browser start. The campaign is operated as a Malware-as-a-Service platform with a payment portal, PostgreSQL backend, and Strapi CMS. Code comments in Russian and shared OAuth2 project IDs across all 54 identity-stealing extensions point to a single operator. Takedown requests have been submitted to Google. Remediation steps and IOCs are provided for both end users and security teams.
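Several of the behaviours summarised above leave fingerprints in an extension's static files: header stripping needs a declarativeNetRequest ruleset with `modifyHeaders`/`remove` entries for CSP or X-Frame-Options, the identity theft needs an `oauth2` block whose `client_id` is shared across extensions, and the C2 host appears in the background script. The triage helper below is an added example, not Socket's tooling and not code from the campaign; it assumes an unpacked extension directory (manifest.json, rule JSON files, JS sources) and uses a constructed manifest and ruleset as sample input. The only real indicator it carries is the cloudapi[.]stream host named in the write-up.

```python
"""
Static triage for an unpacked Chrome extension (added example, not Socket's
tooling). Flags declarativeNetRequest rules that remove browser security
headers, surfaces the OAuth2 client_id for cross-extension correlation, and
looks for a known C2 host in the extension's files.
"""
import json
import re
from pathlib import Path

SECURITY_HEADERS = {
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "strict-transport-security",
}

# C2 host named in the write-up (de-fanged form converted for matching).
KNOWN_C2_HOSTS = {"cloudapi.stream"}

# Permissions worth a second look when they appear together.
WATCH_PERMISSIONS = {"declarativeNetRequest", "identity", "cookies", "webRequest", "scripting"}


def header_stripping_rules(rules):
    """Return (rule_id, header) pairs for DNR rules that remove a security header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for h in action.get("responseHeaders", []):
            name = h.get("header", "").lower()
            if h.get("operation") == "remove" and name in SECURITY_HEADERS:
                hits.append((rule.get("id"), name))
    return hits


def c2_references(blobs):
    """Return the set of known C2 hosts mentioned in any of the given strings."""
    found = set()
    for text in blobs:
        for host in KNOWN_C2_HOSTS:
            if re.search(re.escape(host), text, re.IGNORECASE):
                found.add(host)
    return found


def scan_extension(manifest, rulesets, source_files):
    """
    manifest:     parsed manifest.json
    rulesets:     {path: parsed rule list} for each rule_resources entry
    source_files: {path: text} for the extension's JS/HTML files
    """
    findings = {"header_strip": [], "oauth2_client_id": None, "c2_hosts": set()}
    findings["permissions"] = sorted(set(manifest.get("permissions", [])) & WATCH_PERMISSIONS)
    findings["oauth2_client_id"] = manifest.get("oauth2", {}).get("client_id")
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        findings["header_strip"].extend(header_stripping_rules(rulesets.get(res.get("path"), [])))
    blobs = [json.dumps(manifest), *source_files.values(), *(json.dumps(r) for r in rulesets.values())]
    findings["c2_hosts"] = c2_references(blobs)
    return findings


def verdict(findings):
    """Header stripping or a known C2 host is enough to escalate; a bare oauth2 block is worth a look."""
    if findings["header_strip"] or findings["c2_hosts"]:
        return "suspicious"
    return "review" if findings["oauth2_client_id"] else "clean"


def load_unpacked(ext_dir):
    """Read manifest, referenced rule files and JS/HTML sources from an unpacked extension."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    rulesets = {}
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        p = root / res.get("path", "")
        if p.is_file():
            rulesets[res["path"]] = json.loads(p.read_text(encoding="utf-8"))
    sources = {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
               for p in root.rglob("*") if p.suffix in (".js", ".html")}
    return manifest, rulesets, sources


# Constructed sample input (not from the campaign): a "translator" that strips
# CSP/X-Frame-Options on every frame, carries an oauth2 client_id and beacons to the C2.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "Sample Translator",
    "permissions": ["declarativeNetRequest", "identity", "storage"],
    "host_permissions": ["<all_urls>"],
    "oauth2": {"client_id": "000000000000-example.apps.googleusercontent.com",
               "scopes": ["openid", "email", "profile"]},
    "declarative_net_request": {"rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]},
}
SAMPLE_RULES = {"rules.json": [
    {"id": 1, "priority": 1,
     "action": {"type": "modifyHeaders", "responseHeaders": [
         {"header": "Content-Security-Policy", "operation": "remove"},
         {"header": "X-Frame-Options", "operation": "remove"}]},
     "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
    {"id": 2, "priority": 1, "action": {"type": "block"},
     "condition": {"urlFilter": "ads.example", "resourceTypes": ["script"]}},
]}
SAMPLE_SOURCES = {"background.js": 'fetch("https://cloudapi.stream/collect");  // constructed beacon'}

if __name__ == "__main__":
    result = scan_extension(SAMPLE_MANIFEST, SAMPLE_RULES, SAMPLE_SOURCES)
    print(verdict(result), json.dumps(result, default=sorted, indent=2))
```

Point `load_unpacked()` at a directory such as `~/.config/google-chrome/Default/Extensions/<id>/<version>/` and feed the result to `scan_extension()`; the `oauth2_client_id` field is what lets you cluster many extensions under one operator, which is the correlation the write-up relies on.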
Table of contents

Legitimate on the Surface
Telegram Session Theft
Google Account Identity Harvesting
Universal Backdoor: loadInfo()
innerHTML Injection
Security Header Bypass via declarativeNetRequest
Translation Proxy
C2 Infrastructure
Chrome Web Store Policy Violations
Attribution
Impact
Outlook and Recommendations
MITRE ATT&CK
Indicators of Compromise (IOCs)