Malicious Chrome Extensions Exposed: Stealing Business Data, Emails, and Browsing History


Malicious Chrome Extensions Exfiltrate Sensitive Data from Meta Business Suite and Gmail

A malicious Google Chrome extension, “CL Suite by @CLMasters,” has been discovered to be stealing sensitive data from users of Meta Business Suite and Business Manager. The extension, which has been installed by 33 users, is designed to scrape data from Meta Business Suite, remove verification pop-ups, and generate two-factor authentication (2FA) codes. However, it also exfiltrates TOTP codes, Business Manager contact lists, and analytics data to infrastructure controlled by the threat actor.

The extension requests broad access to meta.com and .com, and its privacy policy claims that 2FA secrets and Business Manager data remain local. However, security researcher Kirill Boychenko found that the code transmits TOTP seeds and current one-time security codes, Meta Business “People” CSV exports, and Business Manager analytics data to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the threat actor.

The threat actor behind the operation has used the extension to collect and exfiltrate data without users’ knowledge or consent. While the extension does not itself steal passwords, an attacker who has obtained a victim’s password elsewhere can combine it with the exfiltrated TOTP codes to defeat 2FA and gain unauthorized access to the account.

VKontakte Accounts Hijacked through Malicious Chrome Extensions

In a separate incident, Koi Security discovered that approximately 500,000 VKontakte users have had their accounts silently hijacked through Chrome extensions masquerading as VK customization tools. The malware embedded in the extensions is designed to engage in active account manipulation, automatically subscribing users to the attacker’s VK groups, resetting account settings, and maintaining persistent control.

The activity has been traced to a threat actor operating under the GitHub username 2vk, who has relied on VK’s own social network to distribute malicious payloads and build a follower base through forced subscriptions. The names of the extensions are listed as VK Styles, VK Music, Music vksaver, and VKfeed.

AiFrame Campaign Targets Gmail Users with Malicious Chrome Extensions

A coordinated campaign dubbed AiFrame has been discovered, where a cluster of 32 browser add-ons advertised as artificial intelligence (AI) assistants for summarization, chat, writing, and Gmail assistance are being used to siphon sensitive data. These extensions have been collectively installed by more than 260,000 users.

Once installed, the extensions render a full-screen iframe overlay that loads a remote domain, so the attackers can introduce new capabilities server-side without shipping a Chrome Web Store update. The malware can also start speech recognition in the browser and exfiltrate the resulting transcript to the remote page.

287 Chrome Extensions Exfiltrate Browsing History

A report published by Q Continuum identified 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have 37.4 million installations combined, representing roughly 1% of the global Chrome user base.

To reduce exposure, users and organizations are advised to use separate browser profiles for sensitive tasks and to implement extension allowlisting so that malicious or non-compliant extensions cannot be installed.
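One way to put the allowlist advice into practice is to audit the manifests of already-installed extensions against an approved list and flag the ones that request broad host access or permissions covering the data types described above (history, tabs, cookies). The script below is an added example, not part of any of the cited reports; the allowlist IDs, the sample manifest and the profile path are constructed placeholders.

```python
import json
from pathlib import Path

# Constructed placeholder allowlist of approved 32-character extension IDs.
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Permissions that give an extension reach over the kinds of data the
# campaigns above exfiltrated: history, open tabs, cookies, page content.
SENSITIVE_PERMISSIONS = {"history", "cookies", "webRequest", "tabs", "scripting"}
BROAD_HOST_PATTERNS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

# Constructed sample manifest resembling an "AI summarizer" add-on.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Summarizer (constructed)",
    "permissions": ["storage", "history", "tabs"],
    "host_permissions": ["<all_urls>"],
}


def audit_manifest(ext_id: str, manifest: dict, allowlist=ALLOWLIST) -> dict:
    """Return findings for one extension manifest (works for MV2 and MV3)."""
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    findings = {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "allowlisted": ext_id in allowlist,
        "broad_hosts": sorted(h for h in hosts if h in BROAD_HOST_PATTERNS),
        "sensitive_permissions": sorted(perms & SENSITIVE_PERMISSIONS),
    }
    # Anything not explicitly approved that also has broad reach gets flagged.
    findings["flagged"] = not findings["allowlisted"] and bool(
        findings["broad_hosts"] or findings["sensitive_permissions"]
    )
    return findings


def audit_profile(extensions_dir: Path, allowlist=ALLOWLIST) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one."""
    results = []
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        with open(manifest_path, encoding="utf-8") as fh:
            results.append(audit_manifest(ext_id, json.load(fh), allowlist))
    return results


if __name__ == "__main__":
    print(audit_manifest("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", SAMPLE_MANIFEST))
    # Assumed Linux Chrome profile path; adjust for your OS and profile.
    for r in audit_profile(Path.home() / ".config/google-chrome/Default/Extensions"):
        if r["flagged"]:
            print("FLAGGED:", r)
```

Run it against each profile used for sensitive work; an extension that is flagged but legitimately needed should be added to the allowlist rather than left unreviewed.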
