Legitimate Chrome VPN Extension Turns to Browser Spyware

Aug. 19, 2025, 9:22 p.m.

Description

FreeVPN.One, a popular Chrome VPN extension with over 100,000 installs, has turned into spyware. Initially legitimate, the extension began capturing screenshots of users' online activity and collecting sensitive information after an update in April 2025. The spyware operates covertly, automatically taking a screenshot of every webpage visited and uploading it to an attacker-controlled domain. It also exfiltrates device and location data at installation and at startup. When confronted, the extension's developer gave evasive responses, claiming the feature was for background scanning of suspicious domains. The incident highlights the risks associated with VPN services and the importance of scrutinizing even seemingly trustworthy browser extensions.

Date

  • Created: Aug. 19, 2025, 5:08 p.m.
  • Published: Aug. 19, 2025, 5:08 p.m.
  • Modified: Aug. 19, 2025, 9:22 p.m.

Indicators

  • http://aitd.one/brange.php
  • http://aitd.one/bainit.php
  • http://aitd.one/analyze.php

Attack Patterns