By Alon Klayman & Uri Kornitzer, Team Axon

 

Introduction

In response to a recent, large-scale campaign targeting Chrome extension developers, this publication aims to provide actionable insights to help organizations detect and respond to this specific threat. Alongside an overview of the campaign and its implications, we share a curated collection of Indicators of Compromise (IOCs) and tailored threat-hunting queries. These resources are designed to empower security teams with the tools needed to identify, investigate, and mitigate risks associated with this sophisticated attack.

 

Threat Campaign Summary

On December 24, 2024, Cyberhaven, a cybersecurity firm that develops a security-focused browser extension, published a blog post about a tampered version of its extension that had been uploaded to the Chrome Web Store. The upload followed a successful phishing attack that tricked a Cyberhaven employee into granting a malicious application OAuth consent to access the Google Chrome Web Store.

Hunters' Team Axon's internal investigation found that the tampered extension was based on the clean version with malicious code added. This code gave the extension command-and-control (C2) communication capabilities and facilitated credential theft, including cookie harvesting.

Shortly after Cyberhaven’s announcement, Jaime Blasco highlighted additional compromised extensions. Subsequent research by Hunters' Team Axon and other security researchers in the community (referenced below) confirmed that Cyberhaven’s tampered extension was part of a larger campaign.

Research findings indicate that this threat campaign, targeting Chrome extension developers, has been active for at least seven months and possibly longer.

Current evidence points to at least 35 additional maliciously tampered extensions and over 2.5 million potentially affected users.

Subsequent Axon research confirmed that the campaign was still active in the days before this publication: a newly registered malicious domain (28.12.2024) was already in use by a tampered Chrome extension. Organizations should therefore act quickly and deploy detection and mitigation measures.


Technical Overview

The attack began with a phishing campaign targeting Chrome browser extension developers. While initial reports focused on Cyberhaven’s extension, other Chrome extension developers were likely targeted using the same methods.

Here is a diagram summarizing the attack flow and the campaign's consequences:

Figure 1: Chrome extensions threat campaign summary

From the investigation conducted by Cyberhaven’s security team and additional online findings, the phishing emails appeared to originate from Google, falsely claiming that the recipient's extension violated Chrome Web Store policies and was at risk of removal.

Once a developer misidentified the phishing email as legitimate and clicked the embedded link for more information about the alleged policy violation, they were redirected to an OAuth consent page. The user was prompted to authenticate and grant permissions to a malicious application.

Figure 2: Malicious OAuth consent to application (from Cyberhaven publication)

The specific permissions requested by the malicious OAuth application were:
"See, edit, update, or publish your Chrome Web Store extensions, themes, apps, and licenses you have access to."

This highly targeted request appeared legitimate, as it focused exclusively on Chrome extension-related activities.

Once the malicious application obtained these permissions, the threat actor uploaded a tampered version of the victim's Chrome extension. The code added to these extensions let the threat actor establish command-and-control (C2) communication, primarily to steal sensitive data such as cookies.

Figure 3: Tampered version of the GraphQL Network Inspector extension discovered by Team Axon, with the hardcoded malicious domain included in the embedded JavaScript code

This well-crafted campaign operated undetected for an extended period. Further research by security experts, including Hunters’ Axon team, identified at least 90 malicious domains and 30 IP addresses associated with the campaign.
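The tampered extensions carry their C2 domain as a plain string in the bundled JavaScript (Figure 3), which makes a string match of an unpacked extension's .js files against the published IOC list a cheap first-pass check. The following is an added example, not Team Axon's code: the on-disk extension is constructed inline, and the two domains are taken from the IOC list published in this post.

```python
# Added example (not Team Axon code): string-match each .js file of an unpacked
# extension against the published IOC domains, the pattern shown in Figure 3.
import json
import os
import tempfile

# Two de-fanged domains taken from the IOC list published in this post.
IOC_DOMAINS_DEFANGED = ["graphqlnetwork[.]pro", "internetdownloadmanager[.]pro"]


def refang(domain):
    """Turn a de-fanged indicator (a[.]b) back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def scan_extension(ext_dir, ioc_domains=IOC_DOMAINS_DEFANGED):
    """Return one finding per (file, domain) hit; name/version come from manifest.json."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    fanged = {d: refang(d) for d in ioc_domains}
    findings = []
    for root, _dirs, files in os.walk(ext_dir):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read().lower()
            for defanged, host in fanged.items():
                if host in text:
                    findings.append({
                        "extension": manifest.get("name"),
                        "version": manifest.get("version"),
                        "file": os.path.relpath(path, ext_dir),
                        "domain": defanged,
                    })
    return findings


def build_sample_extension():
    """Constructed unpacked extension mimicking the tampered pattern (not a real sample)."""
    ext_dir = tempfile.mkdtemp(prefix="ext_")
    with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "Sample Inspector", "version": "1.2.3", "manifest_version": 3}, fh)
    with open(os.path.join(ext_dir, "background.js"), "w", encoding="utf-8") as fh:
        fh.write('const endpoint = "https://graphqlnetwork.pro/";\n')
    return ext_dir
```

Point `scan_extension` at the unpacked extension directories under a user's Chrome profile and feed it the full IOC list from the repository to check installed copies.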

 

IOCS & Threat Hunting Queries

Hunters’ Axon team conducted focused threat research to identify additional compromised extensions and, more importantly, uncover indicators that security teams can use to detect potential victims within their organizational infrastructures. Additionally, we developed threat-hunting queries to help identify related threats using EDR telemetry.

Here are some unique IOCs identified by Team Axon:


For convenience, we also aggregated our IOCs with those published by other security experts.

All resources are available in Axon's Rapid Response GitHub repository:

  • Main IOCs: A collection of Indicators of Compromise (IOCs), including those published by other security researchers and unique IOCs identified by Hunters’ AXON team.
    View Main IOCs

  • Complementary IOCs: A combination of lower-fidelity/potentially noisy IOCs and IOCs that are indirectly related to the malicious Chrome extensions campaign.
    View Complementary IOCs

  • Hunting Query – CrowdStrike EDR: Detect tampered versions of extensions.
    View SQL Query (Based on this initial publication)

  • Hunting Query – Malicious DNS Requests Correlated to Process User SID: Correlate outgoing DNS requests to domains associated with the threat campaign and link them to the relevant potentially affected user.
    View SQL Query

These resources aim to provide actionable insights for security teams to effectively identify and mitigate threats related to this campaign.
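The second hunting query above correlates outbound DNS requests for campaign domains with the user that owns the requesting process. The block below is an added example of that logic, not Team Axon's query: it runs over constructed EDR-style DNS events (the field names host, process, user_sid and query are illustrative and will differ from a real EDR schema), treats subdomains of an IOC domain as hits, and reports hits per user SID.

```python
# Added example (not Team Axon's hunting query): attribute DNS lookups of
# campaign domains to the user SID of the requesting process.
import json
from collections import defaultdict

# Three domains from the IOC list in this post, refanged for matching.
IOC_DOMAINS = [d.replace("[.]", ".") for d in (
    "chatgpt[.]forassistant[.]com", "graphqlnetwork[.]pro", "tkpartner[.]pro")]

# Constructed EDR-style DNS events (one JSON object per line); field names are
# illustrative and will differ from a real EDR schema.
SAMPLE_LOG = """\
{"ts":"2024-12-28T10:01:02Z","host":"WS01","process":"chrome.exe","user_sid":"S-1-5-21-1-2-3-1001","query":"graphqlnetwork.pro"}
{"ts":"2024-12-28T10:01:05Z","host":"WS01","process":"chrome.exe","user_sid":"S-1-5-21-1-2-3-1001","query":"www.example.com"}
{"ts":"2024-12-28T10:02:11Z","host":"WS02","process":"chrome.exe","user_sid":"S-1-5-21-1-2-3-1002","query":"api.chatgpt.forassistant.com"}
{"ts":"2024-12-28T10:03:40Z","host":"WS02","process":"msedge.exe","user_sid":"S-1-5-21-1-2-3-1002","query":"notgraphqlnetwork.pro"}
"""


def matches_ioc(query, ioc_domains=IOC_DOMAINS):
    """Return the IOC domain that query equals or is a subdomain of, else None."""
    q = query.rstrip(".").lower()
    for d in ioc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def correlate(log_text, ioc_domains=IOC_DOMAINS):
    """Map user SID -> sorted (host, process, matched domain) tuples for IOC hits."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        domain = matches_ioc(ev["query"], ioc_domains)
        if domain:
            hits[ev["user_sid"]].add((ev["host"], ev["process"], domain))
    return {sid: sorted(events) for sid, events in hits.items()}


if __name__ == "__main__":
    for sid, events in correlate(SAMPLE_LOG).items():
        print(sid, events)
```

Note that a look-alike such as notgraphqlnetwork.pro is deliberately not matched, so each hit can be attributed to a user and host with confidence.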

 

References

The collection of IOCs, in addition to the unique indicators identified by Team Axon, includes contributions from various sources:

To stay updated on threat-hunting research, activities, and queries, follow Team Axon’s X/Twitter account (@team__axon). 

The Chrome name and logo are trademarks of Google LLC and this blog is not endorsed by or affiliated with Google in any way.