Massive Chrome Extension Campaign Exfiltrates Data, Hijacks Sessions via 108 Malicious Add-ons
Cybersecurity researchers have uncovered a widespread campaign in which a cluster of 108 malicious **Google Chrome** extensions, masquerading as legitimate tools, communicates with the same command-and-control (C2) infrastructure. The extensions' goal is to harvest user data and enable browser-level abuse by injecting ads and arbitrary JavaScript code into visited web pages.
According to **Socket**, the extensions (complete list [here](https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2#:~:text=Chrome%20Extension%20IDs)) are published under five distinct publisher identities: **Yana Project**, **GameGen**, **SideGames**, **Rodeo Games**, and **InterAlt**. Collectively they have amassed about 20,000 installs in the **Chrome Web Store**.
"All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator," security researcher **Kush Pandya** [said](https://socket.dev/blog/108-chrome-ext-linked-to-data-exfil-session-theft-shared-c2) in an analysis.
Of these, 54 add-ons steal **Google** account identity via OAuth2, 45 extensions contain a universal backdoor that opens arbitrary URLs as soon as the browser is started, and the remaining ones engage in a variety of malicious behaviors:
* Exfiltrate **Telegram Web** sessions every 15 seconds
* Strip **YouTube** and **TikTok** security headers (i.e., Content Security Policy, X-Frame-Options, and CORS) and inject gambling overlays and ads
* Inject content scripts into every page the user visits
* Proxy all translation requests through the threat actor's server

### Masquerading as Legitimate Tools
To appear legitimate, the identified extensions pose as **Telegram** sidebar clients, slot machine and Keno games, **YouTube** and **TikTok** enhancers, text translation tools, and page utilities. The advertised functionality is deliberately diverse in order to cast a wide net, while every extension shares the same backend.
However, malicious code running in the background captures session information, injects arbitrary scripts, and opens URLs of the attacker's choosing.

### Examples of Malicious Extensions
Some of the identified extensions include:
* **Telegram Multi-account** (ID: obifanppcpchlehkjipahhphbcbjekfa): Extracts the `user_auth` token used by **Telegram Web** and exfiltrates the data to a remote server. It can also overwrite `localStorage` with threat actor-supplied session data and force-load the messaging application, effectively replacing the victim's active **Telegram** session.
* **Web Client for Telegram - Teleside** (ID: mdcfennpfgkngnibjbpnpaafcjnhcjno): Strips **Telegram's** security headers and injects scripts to steal **Telegram** sessions.
* **Formula Rush Racing Game** (ID: akebbllmckjphjiojeioooidhnddnplj): Steals the user's **Google** account identity, including email, full name, profile picture URL, and **Google** account identifier when the victim clicks the sign-in button.
"Five extensions use **Chrome's** `declarativeNetRequest` API to strip security headers from target sites before the page loads," **Socket** said. "All 108 malicious extensions share the same backend, hosted at 144.126.135[.]238."

### Attribution and Remediation
The identity of the actors behind these policy-violating extensions is currently unknown. However, analysis of the source code has revealed Russian language comments across several add-ons.
Users who have installed any of these extensions are strongly advised to remove them immediately and log out of all **Telegram Web** sessions from the **Telegram** mobile app.