108 Malicious Chrome Extensions Stole User Data and Hijacked Browsers

14.04.2026 3 minutes Author: Newsman

Cybersecurity researchers have uncovered a massive campaign using 108 malicious Google Chrome extensions to steal users’ credentials, browsing history, and personal information, putting at least 20,000 people at risk.

Malicious extensions targeting Google Chrome users have been identified: 108 of them share the same management system, which gathers user information and remotely controls what the browser does.

These extensions were published under several developer names, specifically Yana Project, GameGen, SideGames, Rodeo Games and InterAlt, and accumulated approximately 20,000 installations through the Chrome Web Store.

“Each of the 108 redirects user credentials, User IDs, and browsing history to servers owned by a single operator,” explained Security Researcher Kush Pandya.

The extensions differ in function, but each is built on the same logic. Fifty-four directly target Google accounts, using OAuth2 to retrieve account data. Another forty-five contain a generic backdoor that automatically loads web pages at the attacker's request as soon as the extension launches. The remaining extensions interfere with site operation in various ways.

Some of the functions include:

  • the periodic removal of Telegram sessions every 15 seconds.

  • the removal of protection headers on YouTube and TikTok and replacement of content.

  • the insertion of scripts on all pages accessed by the user.

  • translation proxying through the attackers’ server.

To avoid attention, the extensions were disguised as ordinary utilities: Telegram clients, browser games, YouTube/TikTok enhancement tools and text-translation apps. Each looked like typical utility software but actually carried entirely different, hidden functionality.

Once installed, the malicious code runs in the background, intercepting sessions, injecting scripts and opening pages requested by the attacker's server. Users see none of this.

The researchers also demonstrated how several individual extensions operate. For instance, “Telegram Multi-Account” extracts the user_auth token and can replace the user's session, allowing the attacker unauthorized access to the account. A second extension, Teleside, disables Telegram's security features and allows script injection to capture session information. Finally, the Formula Rush game captures Google account information (email, name and user ID) when the user first logs in.

As expected, we analyzed specific aspects of this event. Several extensions use the Chrome API to strip security headers from websites before they load. All 108 extensions communicate with a single shared server at IP address 144.126.135[.]238.
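The behaviours listed above (OAuth2 access to Google accounts, scripts injected on every page, security headers stripped before a site loads) all leave traces in an extension's manifest and declarativeNetRequest rule files. The following audit script is an added example, not code from the researchers or from any of the extensions; it walks an unpacked extension directory (or, as embedded here, a constructed sample manifest and ruleset) and flags those indicators so a defender can triage what is installed in a fleet. The sample extension name, client ID and file names are constructed for the example.

```python
"""Flag risk indicators in Chrome extension manifests (added example)."""
import json
from pathlib import Path

# Response headers whose removal weakens a site's own defences.
SECURITY_HEADERS = {
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "strict-transport-security",
}
# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def _broad(patterns):
    return any(p in BROAD_HOSTS for p in patterns)


def audit_manifest(manifest: dict, rules_by_path: dict) -> list:
    """Return (indicator, detail) findings for one extension.

    rules_by_path maps a declarativeNetRequest rule file path (as named in
    the manifest) to its parsed JSON list of rules.
    """
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))  # MV2 lists hosts in permissions
    if _broad(perms | hosts):
        findings.append(("broad_host_access", "can read/modify every site"))
    # "identity" permission or an oauth2 block = ability to obtain Google tokens.
    if "identity" in perms or "oauth2" in manifest:
        scopes = manifest.get("oauth2", {}).get("scopes", [])
        findings.append(("google_account_access", ", ".join(scopes) or "identity permission"))
    for cs in manifest.get("content_scripts", []):
        if _broad(cs.get("matches", [])):
            findings.append(("script_injection_all_pages", ", ".join(cs.get("js", []))))
    # Static DNR rules that remove security headers from responses.
    if perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
            for rule in rules_by_path.get(res.get("path"), []):
                action = rule.get("action", {})
                if action.get("type") != "modifyHeaders":
                    continue
                for h in action.get("responseHeaders", []):
                    if h.get("operation") == "remove" and h.get("header", "").lower() in SECURITY_HEADERS:
                        findings.append(("strips_security_header", h["header"]))
    # MV2 blocking webRequest can rewrite headers dynamically.
    if {"webRequest", "webRequestBlocking"} <= perms:
        findings.append(("webrequest_blocking", "can rewrite headers on the fly (MV2)"))
    return findings


def audit_extension_dir(ext_dir: Path) -> list:
    """Load manifest.json and referenced rule files from an unpacked extension."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    rules = {}
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rule_file = ext_dir / res["path"]
        if rule_file.exists():
            rules[res["path"]] = json.loads(rule_file.read_text(encoding="utf-8"))
    return audit_manifest(manifest, rules)


# Constructed sample: a "video enhancer" that mirrors the indicators in the article.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Video Enhancer (constructed sample)",
    "version": "1.0",
    "permissions": ["identity", "declarativeNetRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "oauth2": {
        "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",  # placeholder
        "scopes": ["https://www.googleapis.com/auth/userinfo.email",
                   "https://www.googleapis.com/auth/userinfo.profile"],
    },
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "declarative_net_request": {
        "rule_resources": [{"id": "rs1", "enabled": True, "path": "rules.json"}]
    },
}
SAMPLE_RULES = {
    "rules.json": [
        {"id": 1, "priority": 1,
         "action": {"type": "modifyHeaders",
                    "responseHeaders": [
                        {"header": "Content-Security-Policy", "operation": "remove"},
                        {"header": "X-Frame-Options", "operation": "remove"}]},
         "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
    ]
}

if __name__ == "__main__":
    for indicator, detail in audit_manifest(SAMPLE_MANIFEST, SAMPLE_RULES):
        print(f"{indicator}: {detail}")
```

Run it against a real installation by pointing audit_extension_dir at each folder under the profile's Extensions directory; any extension that combines broad host access with header removal or Google identity scopes deserves a closer look, since that combination is exactly what turns a "utility" into the behaviour described in this campaign.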

At present, the parties responsible for this malicious activity remain unknown. However, analysis of the source code revealed Russian-language comments in some of the extensions.
