More than 100 malicious Chrome extensions form a coordinated campaign that steals Google OAuth2 bearer tokens, harvests account data, deploys backdoors, and conducts ad fraud. Researchers traced the command-and-control infrastructure to a Contabo VPS and linked the operation to a suspected Russian malware-as-a-service (MaaS) offering; users should check their installed extensions against the published IDs and remove any match. #GoogleOAuth2 #TelegramWeb #Contabo #ChromeWebStore #Socket
Keypoints
- Over 100 Chrome extensions were found to be part of a coordinated malicious campaign.
- Extensions were published under five different publisher identities across multiple categories.
- Many extensions obtain Google OAuth2 bearer tokens for the signed-in Chrome profile through chrome.identity.getAuthToken, exfiltrate them, and use them to harvest Google account data.
- Some extensions include startup backdoors that fetch remote commands and one actively steals and swaps Telegram Web sessions.
- Socket traced the C2 to a Contabo VPS, identified signs of a Russian MaaS operation, and advised users to uninstall listed extension IDs.
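The capabilities listed above map onto a small set of manifest.json entries: chrome.identity.getAuthToken needs the `identity` permission and an `oauth2` block, a startup backdoor needs background code plus host permissions broad enough to reach a C2, and Telegram Web session theft needs host access covering web.telegram.org. The following triage script is an added example, not code from Socket's report or from any of the extensions it describes; it flags those combinations in an unpacked extension's manifest and checks installed extension IDs against an IOC list. The sample manifests, the scope list, and the extension IDs it uses are constructed placeholders, not indicators from the campaign.

```javascript
// Added example (not from Socket's report): triage a Chrome extension manifest
// for the permission combinations behind the behaviours the summary describes.
// All sample data below is constructed; none of the IDs are real IOCs.

// Google scopes whose tokens expose account data if exfiltrated.
// Assumption: the summary does not say which scopes the campaign requested.
const SENSITIVE_GOOGLE_SCOPES = [
  "https://www.googleapis.com/auth/userinfo.email",
  "https://www.googleapis.com/auth/userinfo.profile",
  "https://www.googleapis.com/auth/drive",
  "https://www.googleapis.com/auth/gmail.readonly",
];

// Match patterns that let background code talk to any host (e.g. a C2 on a VPS).
function isBroadHost(pattern) {
  return (
    pattern === "<all_urls>" ||
    /^\*:\/\/\*\//.test(pattern) ||
    /^https?:\/\/\*\//.test(pattern)
  );
}

// Does a host pattern reach the given hostname, either explicitly or via a wildcard?
function hostCovers(pattern, hostname) {
  return isBroadHost(pattern) || pattern.includes(hostname);
}

function triageManifest(manifest) {
  const findings = [];
  const perms = new Set([
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ]);
  // MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
  const hosts = [
    ...(manifest.host_permissions || []),
    ...[...perms].filter((p) => p === "<all_urls>" || p.includes("://")),
  ];
  const scopes = (manifest.oauth2 && manifest.oauth2.scopes) || [];

  // chrome.identity.getAuthToken requires both the identity permission and an
  // oauth2 block; together they let the extension mint a token for the profile's
  // Google account without any visible login flow.
  if (perms.has("identity") && manifest.oauth2) {
    findings.push(
      "identity+oauth2: chrome.identity.getAuthToken can mint a Google OAuth2 token for the signed-in profile"
    );
    const sensitive = scopes.filter((s) => SENSITIVE_GOOGLE_SCOPES.includes(s));
    if (sensitive.length) {
      findings.push(`sensitive scopes requested: ${sensitive.join(", ")}`);
    }
  }

  // Background code that can reach arbitrary hosts is what a fetch-on-startup
  // backdoor needs; on its own this is common, so it is a lead, not a verdict.
  const background =
    manifest.background &&
    (manifest.background.service_worker || manifest.background.scripts);
  if (background && hosts.some(isBroadHost)) {
    findings.push(
      "background code with broad host permissions: can fetch remote commands from any host at startup"
    );
  }

  if (hosts.some((h) => hostCovers(h, "web.telegram.org"))) {
    findings.push(
      "host access reaching web.telegram.org: can read or replace Telegram Web session storage"
    );
  }
  return findings;
}

// Chrome extension IDs are 32 characters drawn from the letters a-p.
const EXT_ID = /^[a-p]{32}$/;

// Intersect installed extension IDs with an IOC list, ignoring malformed entries.
function matchKnownBad(installedIds, iocIds) {
  const bad = new Set(iocIds.filter((id) => EXT_ID.test(id)));
  return installedIds.filter((id) => bad.has(id));
}

// Constructed sample manifests (placeholders, not real extensions).
const suspiciousManifest = {
  manifest_version: 3,
  name: "Example Tab Helper",
  permissions: ["identity", "storage", "alarms"],
  host_permissions: ["<all_urls>"],
  oauth2: {
    client_id: "placeholder.apps.googleusercontent.com",
    scopes: [SENSITIVE_GOOGLE_SCOPES[0], SENSITIVE_GOOGLE_SCOPES[2]],
  },
  background: { service_worker: "bg.js" },
};
const benignManifest = {
  manifest_version: 3,
  name: "Example Color Picker",
  permissions: ["activeTab"],
  background: { service_worker: "bg.js" },
};

console.log(triageManifest(suspiciousManifest));
console.log(triageManifest(benignManifest));
console.log(
  matchKnownBad(
    ["abcdefghijklmnopabcdefghijklmnop", "ppppoooonnnnmmmmllllkkkkjjjjiiii"],
    ["ppppoooonnnnmmmmllllkkkkjjjjiiii", "not-an-id"]
  )
);
```

Run it against the `manifest.json` of any extension unpacked from the Chrome profile's Extensions directory; a hit on `identity+oauth2` plus broad host permissions is exactly the shape the campaign needs, and those extensions deserve a closer look at their background script before deciding whether to keep them.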