Hackers Use 108 Chrome Extensions to Steal User Data Through Shared C2 Infrastructure

Home Cyber Attack News Hackers Use 108 Chrome Extensions to Steal User Data Through Shared C2... A widespread cyber espionage campaign leveraging 108 malicious Google Chrome extensions. According to a recent report by Socket, these extensions are explicitly designed to steal sensitive user data and hijack active web sessions. The attackers manage this extensive operation through a highly organized, shared Command and Control (C2) infrastructure. This centralized setup makes it significantly easier for threat actors to scale their data theft efforts across thousands of potential victims without needing to build new backends for every tool. Rogue Extensions Funnel User Data Often disguised as legitimate productivity tools, utility apps, or browser enhancements, these rogue extensions trick users into downloading them. Socket’s AI scanner flagged extension obifanppcpchlehkjipahhphbcbjekfa as malware, citing session exfiltration and account takeover behavior (source: Socket) Once installed, their true malicious intent is activated, hidden within the background scripts. The malware silently monitors web browsing activity and harvests critical personal and corporate information. Because the attackers rely on a shared C2 network, all 108 extensions funnel their stolen data back to the same group of malicious servers. This shared backend allows the hackers to efficiently update their malicious payloads, issue new commands, and process massive amounts of stolen information simultaneously. The primary objective of this coordinated campaign is data exfiltration and session theft. The extensions are programmed to copy browser cookies and active session tokens silently, and to save login credentials. Stealing session tokens is a particularly dangerous and highly effective tactic because it allows hackers to bypass multi-factor authentication (MFA) completely. Armed with a valid session token, an attacker can directly access secure accounts, including corporate email, financial dashboards, and internal company portals, without ever needing the user’s actual password. Chrome Web Store listings reveal three campaign-linked developer URLs: top[.]rodeo, webuk[.]tech, and interalt[.]net.(source : socket ) This presents a critical risk to enterprise environments, where a single compromised browser can lead to a devastating network breach. To evade detection, the hackers behind these extensions utilize various stealth techniques. The malicious code is often heavily obfuscated to hide its true purpose from automated security scanners. In many cases, extensions delay the execution of their data-stealing functions to bypass initial security checks during installation. Furthermore, the shared C2 infrastructure frequently changes its domain names and IP addresses, complicating security teams’ efforts to block malicious network traffic permanently. Shodan shows 144[.]126[.]135[.]238 hosted on Contabo with nine open ports, including Strapi (1337) and PostgreSQL (5432) (source:Socket) Mitigating this browser-based threat requires proactive security management. According to Socket research, organizations should immediately audit all Chrome extensions installed on corporate devices and enforce strict enterprise policies that only allow pre-approved, vetted extensions. Individual users must regularly review their browser add-ons and delete any suspicious or unused ones. Additionally, network administrators should actively monitor outbound network traffic for connections to unrecognized servers and deploy endpoint protection solutions that detect abnormal data exfiltration from web browsers. Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories. RELATED ARTICLESMORE FROM AUTHOR Cyber Security News Hackers Use Fake Proxifier Installer on GitHub to Spread ClipBanker Crypto-Stealing Malware Cyber Attack News Rockstar’s GTA Game Hacked – Attackers published 78.6 Million Records Online Cyber Security News Hackers Abuse GitHub and Jira Notifications to Deliver Phishing Through Trusted SaaS Channels Top 10 Top 10 Best User Access Management Tools in 2026 April 4, 2026 Top 10 Best VPN For Chrome in 2026 April 4, 2026 20 Best Application Performance Monitoring Tools in 2026 April 3, 2026 Top 10 Best VPN For Linux In 2026 April 3, 2026 10 Best VPN For Privacy In 2026 April 2, 2026