108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
Summary
108 malicious Google Chrome extensions were found to use the same C2 infrastructure to steal credentials, sessions, and browsing data while injecting ads and arbitrary JavaScript into visited pages. The activity matters because the extensions had about 20,000 installs and could manipulate browsing sessions across Google Chrome users at scale. Several add-ons also stripped security headers, exfiltrated Telegram Web sessions, and opened attacker-controlled URLs. The shared backend was hosted at 144.126.135[.]238, indicating coordinated malicious operation rather than isolated add-on abuse.
Related Happenings
REMUS infostealer browser-session and password-manager collection expansion
Malware Activity
First: 15.05.2026 17:02
Last: 15.05.2026 17:02
Sources 1
About this happening:
**REMUS** expanded its **session-theft** and **password-manager** collection capabilities, increasing the malware’s ability to capture authenticated access and browser-side data....
LofyGang Minecraft LofyStealer campaign
Campaign
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
How related:
Researchers at application security company Socket discovered that the malicious extensions are part of a coordinated campaign that uses the same command-and-control (C2) infrastructure.
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Chrome extension campaign
Campaign
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Timeline
- 14.04.2026 11:35 · 2 articles
Researchers disclose 108 malicious Google Chrome extensions sharing one backend
Initial Disclosure: Researchers identified 108 malicious Google Chrome extensions published under five publisher identities and tied to the same command-and-control backend at 144.126.135[.]238; the extensions stole Google account identity and Telegram Web data, exfiltrated browsing information, injected ads and arbitrary JavaScript into visited pages, stripped security headers on YouTube and TikTok, and used a universal backdoor to open attacker-controlled URLs.
Sources:
- 108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users — thehackernews.com — 14.04.2026 11:35
- Over 100 Chrome extensions in Web Store target users accounts and data — www.bleepingcomputer.com — 14.04.2026 23:33