108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
Summary
Hide ▲
Show ▼
108 malicious Google Chrome extensions were found to use the same C2 infrastructure to steal credentials, sessions, and browsing data while injecting ads and arbitrary JavaScript into visited pages. The activity matters because the extensions had about 20,000 installs and could manipulate browsing sessions across Google Chrome users at scale. Several add-ons also stripped security headers, exfiltrated Telegram Web sessions, and opened attacker-controlled URLs. The shared backend was hosted at 144.126.135[.]238, indicating coordinated malicious operation rather than isolated add-on abuse.
Related Happenings
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Chrome extension PUP distribution network with fake organic traffic
Malware Activity
H score18
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Chrome extension PUP distribution network with fake organic traffic
Malware ActivityAbout this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Timeline
-
14.04.2026 11:35 2 articles · 2mo ago
Researchers disclose 108 malicious Google Chrome extensions sharing one backend
Initial DisclosureResearchers identified 108 malicious Google Chrome extensions published under five publisher identities and tied to the same command-and-control backend at 144.126.135[.]238; the extensions stole Google account identity and Telegram Web data, exfiltrated browsing information, injected ads and arbitrary JavaScript into visited pages, stripped security headers on YouTube and TikTok, and used a universal backdoor to open attacker-controlled URLs.
Show sources
- 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users — thehackernews.com — 14.04.2026 11:35
- Over 100 Chrome extensions in Web Store target users accounts and data — www.bleepingcomputer.com — 14.04.2026 23:33