Coordinated Chrome-extension campaign for enterprise account takeover
Campaign
Summary
Hide ▲
Show ▼
A coordinated Chrome-extension campaign has been uncovered that steals authentication cookies, blocks security administration pages, and enables complete account takeover across enterprise-platform users. The malicious add-ons impersonate Workday, NetSuite, and SuccessFactors tools to blend into normal business workflows. The operation matters because it can preserve access while preventing defenders from using standard remediation pages. Copies also remained available outside the main browser store, extending the reach of the campaign.
Related Happenings
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
Chrome Web Store malicious extensions coordinated campaign using shared C2
CampaignAbout this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Chrome extension campaign
Campaign
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Chrome extension campaign
CampaignAbout this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/ServiceAbout this happening: Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
First: 25.03.2026 13:00
Last: 25.03.2026 13:00
Sources 1
About this happening:
A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Legitimate-looking Chrome extension prompt-poaching campaign
CampaignAbout this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Timeline
-
16.01.2026 16:09 1 articles · 4mo ago
DataByCloud 1 and DataByCloud 2 first published
Untyped PhaseDataByCloud 1 and DataByCloud 2 were first published on August 18, 2021, becoming two of the malicious Google Chrome extensions later linked to enterprise account takeover activity.
Show sources
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
-
16.01.2026 16:09 2 articles · 4mo ago
Researchers disclose five malicious Chrome extensions
Initial DisclosureSecurity researchers identified five malicious Google Chrome extensions impersonating Workday, NetSuite, and SuccessFactors tools to steal authentication cookies, block administrative pages, and enable session hijacking for victim accounts; most of the add-ons had been removed from the Chrome Web Store, while Software Access remained available and copies also appeared on third-party download sites such as Softonic.
Show sources
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09
- Five Malicious Chrome Extensions Impersonate Workday and NetSuite to Hijack Accounts — thehackernews.com — 16.01.2026 16:09