Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs

May 22, 2025, 11:30 a.m.

Description

A campaign targeting the Google Chrome Web Store has deployed over 100 malicious browser extensions masquerading as legitimate tools such as VPNs, AI assistants, and crypto utilities. While offering some of the promised functionality, these extensions secretly connect to threat actor infrastructure to steal user information and execute remotely supplied scripts. They can modify network traffic, deliver ads, perform redirections, and act as proxies. The campaign, discovered by DomainTools researchers, relies on numerous fake domains that promote these tools. The extensions request permissions that enable cookie theft, DOM-based phishing, and dynamic script injection; the resulting risks include account hijacking, data theft, and monitoring of browsing activity. Some of the extensions remain on the Chrome Web Store despite Google's removal efforts.

Date

  • Created: May 22, 2025, 11:17 a.m.
  • Published: May 22, 2025, 11:17 a.m.
  • Modified: May 22, 2025, 11:30 a.m.

Indicators

  • youtube-vision.world
  • youtube-vision.com
  • workfront-plus.com
  • whale-alerts.org
  • whale-alert.life
  • soul-vpn.com
  • similar-net.com
  • raccoon-vpn.world
  • orchid-vpn.com
  • madgicxads.world
  • madgicx-plus.com
  • irontunnel.world
  • iron-tunnel.com
  • infograph.top
  • fortivnp.com
  • forti-vpn.com
  • flight-radar.life
  • earthvpn.top
  • deepseek-ai.link
  • debank.sbs
  • debank.click
  • debank-extension.world
  • calendlydocker.com
  • calendlydaily.world
  • calendly-director.com

Attack Patterns