
108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

The Hacker News, 14/04/2026, 08:35

Summary

AI-Generated

Key Points:

  • A campaign of 108 malicious Google Chrome extensions has been identified. The extensions steal user data and inject ads, and they are linked by their use of the same command-and-control infrastructure.
  • Approximately 20,000 users are affected. The extensions pose as legitimate tools while capturing sensitive information and enabling browser-level abuse.
  • Affected users should remove the extensions immediately and log out of all Telegram Web sessions, since the extensions also target Telegram data.

Technical Details: The extensions abuse OAuth2 to obtain Google account identities and carry a universal backdoor that opens arbitrary URLs when the browser starts. Their backend is hosted at IP address 144.126.135[.]238. Because the identity theft goes through OAuth2, a prudent follow-up is to review and revoke unrecognised third-party app access under the Google account's security settings, as tokens obtained this way are not necessarily invalidated by a password change.
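The following Python script is an added example, not code from the article or from the extensions it describes. It triages an unpacked Chrome extension directory for the traits named above: the `identity` permission and an `oauth2` block in manifest.json (the path by which an extension requests Google OAuth tokens), a `chrome.runtime.onStartup` handler that opens a URL, and any reference to the published backend address. The regexes are assumptions about how such behaviour would appear in extension code, since the article does not publish the extensions' source, and the sample extension written to a temp directory is constructed for illustration.

```python
"""Offline triage of an unpacked Chrome extension for the traits described above."""
import json
import re
import tempfile
from pathlib import Path

# IOC published in the article; it appears there defanged as 144.126.135[.]238
C2_IP = "144.126.135.238"

# Assumed code patterns: a startup listener that opens a tab/window, and the
# C2 address in either live or defanged form.
STARTUP_RE = re.compile(r"chrome\.runtime\.onStartup\.addListener")
OPEN_URL_RE = re.compile(r"chrome\.tabs\.create\s*\(|window\.open\s*\(")
C2_RE = re.compile(re.escape(C2_IP) + r"|144\.126\.135\[\.\]238")


def triage_manifest(manifest: dict) -> list[str]:
    """Flag manifest traits that enable Google OAuth token requests or C2 access."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    if "identity" in perms:
        findings.append("identity permission: can request Google OAuth tokens via chrome.identity")
    oauth2 = manifest.get("oauth2")
    if isinstance(oauth2, dict):
        findings.append("oauth2 block: scopes " + ", ".join(oauth2.get("scopes", [])))
    for host in manifest.get("host_permissions", []):
        if C2_IP in host:
            findings.append(f"host_permissions grants access to C2 {C2_IP}")
    return findings


def triage_script(name: str, source: str) -> list[str]:
    """Flag scripts that open URLs on browser startup or reference the C2 address."""
    findings = []
    if STARTUP_RE.search(source) and OPEN_URL_RE.search(source):
        findings.append(f"{name}: onStartup handler that opens URLs (universal backdoor pattern)")
    if C2_RE.search(source):
        findings.append(f"{name}: references C2 address {C2_IP}")
    return findings


def triage_extension(ext_dir: Path) -> list[str]:
    """Triage one unpacked extension directory (manifest.json plus all *.js files)."""
    findings = []
    manifest_path = ext_dir / "manifest.json"
    if manifest_path.is_file():
        findings += triage_manifest(json.loads(manifest_path.read_text(encoding="utf-8")))
    for js in sorted(ext_dir.rglob("*.js")):
        source = js.read_text(encoding="utf-8", errors="replace")
        findings += triage_script(str(js.relative_to(ext_dir)), source)
    return findings


# Constructed sample extension showing every trait the article describes.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "PDF Helper",
    "version": "1.0",
    "permissions": ["identity", "tabs", "storage"],
    "host_permissions": ["http://144.126.135.238/*"],
    "oauth2": {
        "client_id": "example.apps.googleusercontent.com",  # hypothetical value
        "scopes": ["https://www.googleapis.com/auth/userinfo.email"],
    },
    "background": {"service_worker": "background.js"},
}
SAMPLE_BACKGROUND_JS = """
chrome.runtime.onStartup.addListener(async () => {
  const r = await fetch("http://144.126.135.238/cfg");
  const cfg = await r.json();
  chrome.tabs.create({ url: cfg.url });   // opens whatever URL the backend returns
});
"""


def demo() -> list[str]:
    """Write the constructed sample to a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        ext = Path(tmp)
        (ext / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST), encoding="utf-8")
        (ext / "background.js").write_text(SAMPLE_BACKGROUND_JS, encoding="utf-8")
        return triage_extension(ext)


if __name__ == "__main__":
    for finding in demo():
        print("[!]", finding)
```

To run it against a real profile, point `triage_extension` at each `<extension id>/<version>` directory under the Chrome profile's `Extensions` folder (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`). A hit on the `identity` permission alone is not proof of abuse, since legitimate extensions use it too; the combination with the backend address or the startup-opens-URL pattern is what warrants removal and a Telegram Web logout.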

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1070.001 - Indicator Removal: File Deletion (Defense Evasion)

IOCs Mentioned:

  • IP Address: 144.126.135[.]238

This summary highlights the critical aspects of the threat posed by these malicious Chrome extensions and outlines necessary actions for affected users to mitigate risk.
