Security Experts:

Connect with us

Hi, what are you looking for?



Tens of Malicious Chrome Extensions Used in Global Surveillance Campaign

Malicious Chrome extensions employed in a massive global surveillance campaign have been downloaded by millions before removal, Awake Security reveals.

Malicious Chrome extensions employed in a massive global surveillance campaign have been downloaded by millions before removal, Awake Security reveals.

The campaign, which impacted users across a large number of geographies and industry segments, exploited Internet domain registration and users’ reliance on browsers to spy on them and steal data en masse.

Awake’s investigation into this campaign revealed that the criminal activity has been abetted by Internet domain registrar CommuniGal Communication Ltd. (GalComm): 15,160 of the 26,079 reachable domains registered through GalComm are either malicious or suspicious.

Many of the 15,160 unique suspect or malicious domains identified as part of this campaign were hijacked: they were registered through GalComm immediately after they expired. Thus, the attackers could defeat detection mechanisms that look for brand new domains.

The attackers have put a lot of effort into keeping their activity hidden. Not only did they manage to bypass multiple layers of security controls within organizations, but also avoided having their domains labeled as malicious by most security solutions.

Over the past three months, Awake identified 111 malicious or fake Chrome extensions that used GalComm domains for attacker command and control infrastructure and/or as loader pages. The applications can engage in malicious activity such as taking screenshots, reading the clipboard, harvesting credential tokens, or logging user keystrokes, among others.

Seventy-nine extensions were found in the Chrome Web Store in May and Awake discovered that they gathered roughly 33 million downloads before their takedown. The security firm published TSV lists of IDs for these malicious Chrome extensions.

Awake’s security researchers discovered that the threat actor behind the activity managed to establish a persistent foothold in approximately 100 networks of organizations in the financial services, oil and gas, media and entertainment, healthcare and pharmaceuticals, retail, high-tech, higher education and government sectors.

“These campaigns have been ongoing for years while customers have deployed best in class security solutions. The research shows how attackers attempted to evade detection, but the TTPs, in this case, appears to have hit a blind spot in many traditional approaches to security—e.g. reputation engines, sandboxes and endpoint detection and response solutions,” the researchers note.

To stay undetected, the attackers implemented a filtering method where only requests coming from a broadband, cable, fiber, mobile, or similar fixed-line Internet Service Provider (ISP) type of network were directed to malicious payloads, whereas those coming from data centers, web hosting services, transit networks, VPNs, or proxies would be redirected to a benign page.

The extensions appear benign at first, but the attackers likely pushed malicious payloads to them after the clean versions were approved. In some cases, users were tricked into installing the malicious extensions from professional-looking websites, others were downloaded by previously installed adware, while some were added multiple times to the Chrome Web Store, with only a few variations.

Some of the malicious extensions would completely bypass the Chrome Web Store, through a self-contained Chromium package included in other extensions, which tricks users into defaulting to a new rogue browser when prompted at first run. Unlike Chrome, this Chromium-based browser accepts extensions from any source, not only those in the Chrome Web Store.

“These rogue browsers appeared to have been installed by existing potentially unwanted programs (PUPs) already present on the victim system. This is very effective since the rogue browsers are self-contained, meaning other than the ability to just execute a program locally, very few other permissions are necessary,” Awake explains.

Related: Google Steps Up Fight on Spam in Chrome Web Store

Related: Google Axes 500 Chrome Extensions Exfiltrating User Data

Related: Google Halts Publishing of Paid Chrome Extensions Due to Fraud

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.