Hidden Threats of Dual-Function Malware Found in Chrome Extensions
An unknown actor has been continuously creating malicious Chrome browser extensions since approximately February 2024. The actor creates websites that masquerade as legitimate services (productivity tools, ad and media creation or analysis assistants, VPN services, crypto, banking and more) to direct users to install corresponding malicious extensions from Google’s Chrome Web Store (CWS). The extensions typically have a dual functionality: they generally appear to work as intended, but they also connect to malicious servers to send user data, receive commands, and execute arbitrary code.
Example: A DeepSeek Chrome Extension themed lure website ‘deepseek-ai[.]link’
The extensions analyzed appear to have working or partially working functionality and are commonly configured with excessive permissions that let them interact with every site the browser visits and retrieve and execute arbitrary code from a network of other actor-controlled domains.
While each extension was found to be relatively different, the hosting infrastructure and code structures were consistent. Multiple extensions were observed using a “onreset” event handler trick on a temporary document object model (DOM) element to execute code, likely to bypass content security policy (CSP). The extensions hardcode one of the actor’s API servers, typically in a file named “background.js” or “background.iife.js” or for older extensions “src/pages/background/index.js.” These files were also found to typically contain the majority of the malicious functionality of the extensions.
Registration Patterns for Actor Lure Websites
Common registration patterns were observed going back to October 2024.
- Registrar: NameSilo, LLC
- NameServer: cloudflare.com
- IP ISP: CloudFlare Inc.
- SSL Issuer Common Name: WE1
- Registrant: Domain Administrator
- Server Type:
  - cloudflare
  - proxygen-bolt
- MX Server: cloudflare.net
Additionally, the same Facebook tracker IDs were commonly reused across the lure websites.
The following are a sampling of the lure websites, which cover a wide range of topics and themes. The full list of identified domains is provided on GitHub.
Malicious Extensions
It is worth noting that the extensions appear to be at least partly functional with respect to the theme of their lure. However, where an extension interacts with a third-party service to provide that functionality, such as FortiVPN or DeepSeek AI, it hardcodes the third-party API keys into the extension code, an extremely poor security practice.
Example 1: Lure Site of Manus AI to Install an AI Assistant Extension
- Lure Domain: manusai[.]sbs
- Extension Name: manus-ai-free-ai-assistan
- Extension ID: aeibljandkelbcaaemkdnbaacppjdmom
- CWS: https[:]//chromewebstore.google[.]com/detail/manus-ai-free-ai-assistan/aeibljandkelbcaaemkdnbaacppjdmom
- Extension Filename: aeibljandkelbcaaemkdnbaacppjdmom.crx
- Extension File Sha256: 3131d15ebea5eb68e636eb804b2de86cc04d8be5d1257c83f2042a391b8e9415
- Actor API Domain: api.sprocketwhirl[.]top
The first things to note about the extension are the extensive permissions it attempts to grant itself in the manifest.json file.

The “background.js” script fetches and applies declarativeNetRequest rules from the backend. This allows the author to modify network requests (block, redirect, modify headers) after the extension is installed, bypassing Chrome Web Store review for those changes. This could be used for malicious redirects, ad injection, or tracking.
The background script communicates with api.sprocketwhirl[.]top, sending encrypted system information (platform, language, memory, cores, timezone, IP, country code) and receiving dynamic declarativeNetRequest rules and potentially executable code.
The content script (injected into all pages) executes arbitrary code retrieved from chrome.storage.local (report key), which was placed there by the background script after fetching it from api.sprocketwhirl[.]top.
Example 2: Lure Site of FortiVPN Client Extension
- Lure Domain: forti-vpn[.]com
- Extension Name: fortivpn
- Extension ID: ccollcihnnpcbjcgcjfmabegkpbehnip
- CWS: https[:]//chromewebstore.google[.]com/detail/fortivpn/ccollcihnnpcbjcgcjfmabegkpbehnip
- Extension Filename: ccollcihnnpcbjcgcjfmabegkpbehnip.crx
- Extension File Sha256: f4fe36cdc9bd1f16d9385e56155aca3723a267bcdf575e925e20bb9a6526b576
- Actor API Domain: api.infograph[.]top
The extension also attempts to grant itself extensive permissions as seen from its manifest.json file.

The extension has a dual functionality in which it provides some of the advertised purpose. In this case, it provides a browser-extension-based VPN service by connecting to wss[:]//leviathan.whale-alert[.]io/ws using a hardcoded API key. At the same time, however, the extension also connects to a malicious backend at wss[:]//api.infograph[.]top/api and listens for commands. It uses a WebSocket keep-alive mechanism to maintain connectivity to the backend server and sends periodic ping and report messages.
When commanded, it uses chrome.cookies.getAll({}) to retrieve all browser cookies, compresses them using pako, encodes them in Base64, and sends them back to the backend infograph[.]top server.
It can be commanded to establish a separate WebSocket connection to act as a network proxy, potentially routing the user’s traffic through malicious servers. The proxy target is provided by the backend command and also implements proxy authentication handling.
The extension fetches arbitrary scripts from an actor-controlled server. It then injects the scripts into active browser tabs by using chrome.tabs.sendMessage to the tab’s content scripts, triggering their execution within the tabs.
Additionally, the extension enables dynamic network rules: the setup response from the backend can contain declarativeNetRequest rules, which are then applied, allowing the backend to modify network traffic post-install.
Example 3: Lure of SiteStats Extension
- Lure Domain: sitestats[.]world
- Extension Name: site-stats
- Extension ID: fcfmhlijjmckglejcgdclfneafoehafm
- CWS: https[:]//chromewebstore.google[.]com/detail/site-stats/fcfmhlijjmckglejcgdclfneafoehafm?pli=1
- Extension Filename: fcfmhlijjmckglejcgdclfneafoehafm.crx
- Extension File Sha256: d6e179dcab901e81b3340aebaa3e517bb98b09f9fea01e667e594416c10efc44
- Actor API Domain: api.zorpleflux[.]top
Like the previous examples, this extension also grants itself extensive permissions and script execution on every site as seen from its manifest.json file.

The extension can modify network requests via rules. It can also observe web requests (the webRequest API is primarily observational in MV3), but combined with broad host permissions this can still be used for tracking or reconnaissance.
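The following Python, an added example and not the post's or any extension's code, triages a manifest.json for the permission pattern the three examples share (a content script on every page plus cookies, declarativeNetRequest, webRequest and tabs); the manifest it parses is constructed, since the post shows the real ones only as images.

```python
import json

# Constructed sample manifest showing the permission pattern the post describes;
# it is not the real manifest of any extension named in the post.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "sample-assistant",
    "version": "1.0.3",
    "permissions": ["storage", "cookies", "tabs", "declarativeNetRequest",
                    "declarativeNetRequestWithHostAccess", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
})

# Permissions the post ties to the observed behaviour, with why each matters.
RISKY_PERMISSIONS = {
    "cookies": "can read every cookie via chrome.cookies.getAll({})",
    "declarativeNetRequest": "can apply network rules fetched after install",
    "declarativeNetRequestWithHostAccess": "rules may redirect or rewrite on granted hosts",
    "webRequest": "can observe requests on every permitted host",
    "tabs": "can push messages to content scripts in open tabs",
    "scripting": "can inject scripts into pages",
}

ALL_SITES = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")


def _covers_all_sites(patterns):
    return any(p in ALL_SITES for p in patterns)


def triage_manifest(manifest_text):
    """Return findings describing the broad-permission pattern from the post."""
    m = json.loads(manifest_text)
    findings = []
    if _covers_all_sites(m.get("host_permissions", [])):
        findings.append("host_permissions cover every site")
    for cs in m.get("content_scripts", []):
        if _covers_all_sites(cs.get("matches", [])):
            findings.append("content script %s runs on every page" % ",".join(cs.get("js", [])))
    for perm in m.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            findings.append("%s: %s" % (perm, RISKY_PERMISSIONS[perm]))
    return findings


def is_high_risk(findings):
    """The post's pattern: code on every page plus rule or tab control over traffic."""
    everywhere = any(f.startswith("content script") for f in findings)
    control = any(f.startswith(("declarativeNetRequest", "tabs", "scripting")) for f in findings)
    return everywhere and control
```

Run it over an unpacked extension's manifest.json during review; a high-risk result is a reason to read the background script for a hardcoded API domain, not proof of malice on its own.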
Similar to the other extensions identified, it connects to an actor controlled backend server, api.zorpleflux[.]top, defined in the “background.iife.js” file. It also sends periodic ping and report messages to the backend server.
It is capable of setting up a secondary proxy WebSocket connection, allowing traffic routing via the user’s browser, commanded by the backend. It implements a reverse proxy functionality by handling proxied requests via fetch, compressing responses with pako, and relaying back to the backend.
The extension also executes arbitrary scripts it receives from the backend server, using chrome.tabs.sendMessage to pass them to the content script declared in the manifest.json file for execution.
Actor API Endpoints
The extensions hardcode one of the actor’s API servers, typically in a file named “background.js” or “background.iife.js.” For example, the lure site deepseek-ai[.]link directs users to install Chrome extension ID “pocfdebmmcmfanifcfeeiafokecfkikj.” Upon installation, this extension actively communicates with another actor domain, api.glimmerbloop[.]top, to report installation/fingerprinting data and receive instructions/payloads.
Many of the analyzed extensions had variations in functionality and implementation of the API payload execution steps including what browser fingerprinting information was sent in the initial transaction. The following were consistent elements observed:
- Hardcoding actor API domain in “background.js” or “background.iife.js” file
- Use of HMAC with SHA-256 signing algorithm
- Use of JWT authentication
- Use of extension ID in UTF-8 bytes format as a secret key to sign the JWT payload
- Base64 encoding the payload prior to sending to the API server
To establish a connection to the actor’s API server, the extensions create a token using a standard JWT library. The payload combines a UUID, the extension ID, version, and country code, to which the JWT claims Issued At and Expiration Time are added. The token is then signed with HMAC-SHA256 using a secret key that was consistently observed to be the UTF-8 bytes of the extension ID string. The output is Base64 encoded using btoa() and sent to the API server as an authentication mechanism to retrieve arbitrary code for the extension to execute.
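As an added example, not code from the post or from the actor, the following Python checks whether a captured token matches the signing pattern just described (an HS256 JWT keyed with the UTF-8 bytes of the extension ID, then Base64-wrapped as btoa() would), which lets an analyst confirm a sample belongs to this family; it builds a constructed sample token to check against. The claim names, header layout and 300-second lifetime are assumptions, since the post does not give them.

```python
import base64
import hashlib
import hmac
import json
import uuid

# Assumption: the token is a compact HS256 JWT (header.payload.signature in
# base64url without padding) signed with the UTF-8 bytes of the extension ID,
# and the whole compact JWT is then Base64-wrapped once more with btoa().


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(extension_id: str, signing_input: str) -> bytes:
    # The secret key is the extension ID itself as UTF-8 bytes, as observed in the post.
    return hmac.new(extension_id.encode("utf-8"), signing_input.encode("ascii"),
                    hashlib.sha256).digest()


def build_sample_token(extension_id: str, version: str, country: str, now: int) -> str:
    """Constructed sample only: builds a token the way the post describes so the
    checker below has input. Claim names and the 300 s lifetime are assumptions."""
    header_json = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    claims = {"uuid": str(uuid.uuid4()), "extensionId": extension_id,
              "version": version, "country": country, "iat": now, "exp": now + 300}
    signing_input = _b64url(header_json.encode("utf-8")) + "." + _b64url(
        json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    jwt_compact = signing_input + "." + _b64url(_hs256(extension_id, signing_input))
    return base64.b64encode(jwt_compact.encode("ascii")).decode("ascii")  # btoa() equivalent


def verify_extension_signed_jwt(wrapped_token: str, extension_id: str):
    """Return the claims if the token verifies under the extension-ID secret, else None.
    A hit on a captured token is a strong indicator the extension follows this pattern."""
    try:
        jwt_compact = base64.b64decode(wrapped_token, validate=True).decode("ascii")
        header_b64, payload_b64, sig_b64 = jwt_compact.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = _hs256(extension_id, header_b64 + "." + payload_b64)
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
```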
The domain registration details of the API endpoints were found to be nearly identical to those of the malicious lure websites with the additional commonalities in website title and content.
- Website Title: SiteName
- Website Content:
A pivot on these domain registration patterns identified the domains provided at the end of this post, suspected to be owned by the actor and used by malicious extensions. Analysis of several extensions identified hardcoded domains that were all found in the list of identified API domains, further validating the findings.
Fake Websites and Malicious Chrome Extensions
Since at least February 2024, this malicious actor has deployed over 100 fake websites and malicious Chrome extensions with dual functionalities. Analysis revealed these extensions can execute arbitrary code from attacker-controlled servers on all visited websites, enabling credential theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and phishing via DOM manipulation. Some extensions were also observed attempting to steal all browser cookies, which may lead to account compromises.
Notably, the Chrome Web Store has removed several of the actor’s malicious extensions after malware identification. However, the actor’s persistence and the time lag between detection and removal pose a threat to users seeking productivity tools and browser enhancements. Malware distributors such as this often exploit current trends, such as the recent DeepSeek AI media attention, to lure users into installing infected extensions, potentially gaining control over their browsing activity and sensitive data.
All users should protect themselves by exercising caution when installing extensions. Stick to the Chrome Web Store and verified developers, carefully review requested permissions, read reviews, and be wary of lookalike extensions. Keep your browser and antivirus software updated, and regularly review your installed extensions, removing any you don’t need or find suspicious. Vigilance is key to avoiding these threats.
IOCs on GitHub
https://github.com/DomainTools/SecuritySnacks/blob/main/2025/DualFunction-Malware-Chrome-Extensions
If the community has any additional input, please let us know.