
108 Chrome Extensions Linked to Data Exfiltration and Session Theft via Shared C2 Infrastructure

A coordinated campaign of 108 malicious Chrome extensions has been discovered stealing Telegram sessions, harvesting Google OAuth identities, and deploying universal backdoors. Operating as a Malware-as-a-Service platform via shared C2 infrastructure, the extensions bypass security headers and inject arbitrary content while masquerading as legitimate tools and games.

Sens: Immediate · Conf: high · Analyzed: 2026-04-15

Authors: Socket's Threat Research Team

Actors: Yana Project, GameGen, SideGames, Rodeo Games, InterAlt

Source: Socket

IOCs · 4

Key Takeaways

  • 108 malicious Chrome extensions with ~20k installs share C2 infrastructure for data exfiltration and session theft.
  • Extensions actively steal Telegram Web sessions, harvest Google OAuth2 identities, and inject arbitrary HTML/ads.
  • 45 extensions contain a universal backdoor (loadInfo) that opens arbitrary URLs on browser start.
  • Threat actors abuse the declarativeNetRequest API to strip security headers (CSP, X-Frame-Options) from target sites like Telegram, YouTube, and TikTok.
  • The campaign operates as a Malware-as-a-Service (MaaS) platform with a backend CRM for stolen identities and sessions.

Affected Systems

  • Google Chrome
  • Telegram Web
  • Google Accounts
  • YouTube
  • TikTok

Attack Chain

Users install seemingly legitimate Chrome extensions (games, utilities) from the Chrome Web Store. Upon installation or interaction, background scripts execute malicious functions such as injecting content scripts into target sites (e.g., Telegram Web) to extract localStorage tokens, or prompting Google OAuth2 logins to harvest identity data. The stolen data is exfiltrated to a shared C2 infrastructure via POST requests. Additionally, many extensions establish a universal backdoor using a loadInfo() function that polls the C2 server on browser startup to open arbitrary URLs or inject unsanitized HTML into the extension's UI.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Socket Chrome extension protection

The article does not provide specific detection rules (YARA, Sigma, etc.) but mentions that Socket's Chrome extension protection can analyze bundles for hidden data flows and C2 backdoors.

Detection Engineering Assessment

  • EDR Visibility: Low — EDRs typically have limited visibility into browser extension internal activities, such as localStorage extraction or declarativeNetRequest API abuse, as these occur within the browser's memory space and standard web traffic.
  • Network Visibility: Medium — Network monitoring can detect connections to the known C2 domains (e.g., cloudapi.stream) and specific URI patterns, though the traffic is likely encrypted via HTTPS.
  • Detection Difficulty: Moderate — Detecting the extensions requires enterprise browser management to audit installed extension IDs and permissions, or network blocking of the C2 domains.

Required Log Sources

  • Proxy/Web Gateway logs
  • DNS logs
  • Browser extension inventory logs

Hunting Hypotheses

  • Search proxy or DNS logs for connections to subdomains of cloudapi.stream or top.rodeo, indicating potential C2 communication from malicious extensions.
    • Telemetry: DNS logs, Proxy logs
    • ATT&CK Stage: Command and Control
    • FP Risk: Low
  • Audit enterprise browser extension inventories for the presence of the specific 108 known malicious extension IDs.
    • Telemetry: Endpoint management logs, Browser inventory logs
    • ATT&CK Stage: Execution
    • FP Risk: Low
  • Hunt for Chrome extensions requesting the 'identity' permission alongside OAuth2 client IDs associated with the malicious Google Cloud projects (1096126762051 or 170835003632).
    • Telemetry: Browser extension manifest analysis
    • ATT&CK Stage: Credential Access
    • FP Risk: Low
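One way to run the first hunting hypothesis over DNS and proxy telemetry, as an added example rather than anything from the Socket report: it matches hosts against the two C2 domains on label boundaries (so notcloudapi.stream is not a hit), refangs '[.]' notation, strips ports and trailing dots, and runs over constructed sample lines. The log formats and the DNS field position are assumptions.

```python
import re
from typing import Iterable, Optional

# Domains the report names as shared C2 infrastructure. A host matches when it
# is the domain itself or any subdomain of it; "notcloudapi.stream" must not.
C2_DOMAINS = ("cloudapi.stream", "top.rodeo")
URL_HOST_RE = re.compile(r'https?://([^/\s"]+)')


def normalise_host(value: str) -> str:
    """Lower-case, refang '[.]' notation, drop a port and any trailing dot."""
    host = value.strip().lower().replace("[.]", ".")
    return host.split(":", 1)[0].rstrip(".")


def match_c2(host: str) -> Optional[str]:
    """Return the C2 domain a host belongs to, or None."""
    host = normalise_host(host)
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def hunt(lines: Iterable[str], host_field: Optional[int] = None) -> list:
    """Scan log lines and return (host, matched_domain) pairs.

    host_field: index of the whitespace-separated field holding the queried
    name (DNS-style logs, an assumed layout). When None, the host is taken
    from the first URL on the line (proxy-style logs)."""
    hits = []
    for line in lines:
        if host_field is None:
            found = URL_HOST_RE.search(line)
            host = found.group(1) if found else None
        else:
            parts = line.split()
            host = parts[host_field] if len(parts) > host_field else None
        if host and (domain := match_c2(host)):
            hits.append((normalise_host(host), domain))
    return hits


# Constructed sample telemetry (not real logs); two DNS lines are near-misses
# that a naive substring search would wrongly flag.
SAMPLE_DNS = [
    "2026-04-15T10:01:02Z 10.0.0.5 query A mines.cloudapi.stream",
    "2026-04-15T10:01:03Z 10.0.0.5 query A notcloudapi.stream",
    "2026-04-15T10:01:04Z 10.0.0.7 query A cloudapi.stream.example.com",
    "2026-04-15T10:01:05Z 10.0.0.9 query AAAA top.rodeo.",
]
SAMPLE_PROXY = [
    '10.0.0.5 - - [15/Apr/2026:10:02:00 +0000] "POST https://tg.cloudapi.stream/count_sessions.php HTTP/1.1" 200',
    '10.0.0.6 - - [15/Apr/2026:10:02:01 +0000] "GET https://www.example.com/ HTTP/1.1" 200',
]

if __name__ == "__main__":
    for host, domain in hunt(SAMPLE_DNS, host_field=4) + hunt(SAMPLE_PROXY):
        print(f"C2 hit: {host} (matches {domain})")
```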

Control Gaps

  • Lack of enterprise browser extension whitelisting
  • Insufficient inspection of extension API usage (e.g., declarativeNetRequest)

Key Behavioral Indicators

  • Extensions requesting 'identity' permission with specific GCP project IDs
  • Extensions containing 'user_info', 'infoURL', and 'chrome.tabs.create' in combination
  • declarativeNetRequest rules that remove content-security-policy from named target sites
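An added example (not Socket's tooling) that checks an extension bundle for the three behavioral indicators above. The manifest and rule shapes follow Chrome's documented oauth2 manifest key and declarativeNetRequest modifyHeaders rule format; the sample bundle at the bottom is constructed, and the function and variable names are my own.

```python
import json
from pathlib import Path

# Google Cloud project numbers named in the report. A Chrome OAuth2 client_id
# has the form "<project-number>-<suffix>.apps.googleusercontent.com".
SUSPECT_PROJECTS = {"1096126762051", "170835003632"}
STRIPPED_HEADERS = {"content-security-policy", "x-frame-options"}
BACKDOOR_MARKERS = ("user_info", "infoURL", "chrome.tabs.create")


def check_manifest(manifest: dict) -> list:
    """Indicator 1: 'identity' permission plus an OAuth2 client from a suspect project."""
    project = manifest.get("oauth2", {}).get("client_id", "").split("-", 1)[0]
    if "identity" in manifest.get("permissions", []) and project in SUSPECT_PROJECTS:
        return [f"identity permission with OAuth2 client from GCP project {project}"]
    return []


def check_dnr_rules(rules: list) -> list:
    """Indicator 3: declarativeNetRequest modifyHeaders rules that remove CSP/XFO."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        removed = {h.get("header", "").lower() for h in action.get("responseHeaders", [])
                   if h.get("operation") == "remove"} & STRIPPED_HEADERS
        if removed:
            target = rule.get("condition", {}).get("urlFilter", "<any url>")
            findings.append(f"rule {rule.get('id')} strips {sorted(removed)} on {target}")
    return findings


def check_scripts(sources: dict) -> list:
    """Indicator 2: user_info + infoURL + chrome.tabs.create together in the bundle."""
    blob = "\n".join(sources.values())
    if all(marker in blob for marker in BACKDOOR_MARKERS):
        return ["user_info/infoURL/chrome.tabs.create combination (remote tab-open pattern)"]
    return []


def audit_extension(manifest: dict, rules: list, sources: dict) -> list:
    return check_manifest(manifest) + check_dnr_rules(rules) + check_scripts(sources)


def audit_unpacked(ext_dir: Path) -> list:
    """Run all three checks over an unpacked extension directory."""
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    rules = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        rules.extend(json.loads((ext_dir / res["path"]).read_text()))
    sources = {p.name: p.read_text(errors="ignore") for p in ext_dir.rglob("*.js")}
    return audit_extension(manifest, rules, sources)


# Constructed sample mirroring the report's indicators (not a real extension bundle).
SAMPLE_MANIFEST = {"permissions": ["identity", "declarativeNetRequest"],
                   "oauth2": {"client_id": "1096126762051-sample.apps.googleusercontent.com"}}
SAMPLE_RULES = [{"id": 1, "action": {"type": "modifyHeaders", "responseHeaders": [
                    {"header": "content-security-policy", "operation": "remove"},
                    {"header": "x-frame-options", "operation": "remove"}]},
                 "condition": {"urlFilter": "||web.telegram.org", "resourceTypes": ["main_frame"]}}]
SAMPLE_SOURCES = {"background.js": "fetch(C2 + '/user_info').then(r => r.json())"
                                   ".then(d => d.infoURL && chrome.tabs.create({url: d.infoURL}));"}
```

audit_extension(SAMPLE_MANIFEST, SAMPLE_RULES, SAMPLE_SOURCES) returns one finding per indicator; audit_unpacked(Path("/path/to/unpacked/extension")) runs the same checks against a bundle on disk.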

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Search for and immediately remove any of the 108 identified malicious Chrome extension IDs from user browsers.
  • Block the domains cloudapi.stream, top.rodeo, and all associated subdomains at the network perimeter.
  • Users of 'Telegram Multi-account' must terminate all Telegram Web sessions via the mobile app under Settings > Devices > Terminate all other sessions.

Infrastructure Hardening

  • Implement enterprise browser policies to restrict extension installation to an approved whitelist.
  • Deploy network-level blocking for known Malware-as-a-Service C2 infrastructures.

User Protection

  • Instruct users who signed into the extensions via Google to review and revoke unfamiliar third-party app access at myaccount.google.com/permissions.
  • Deploy browser security tools capable of analyzing extension behavior and data flows.

Security Awareness

  • Educate users on the risks of installing unverified browser extensions, even those appearing as legitimate games or utilities.
  • Train users to be cautious of extensions requesting Google OAuth logins for unrelated functionalities.

MITRE ATT&CK Mapping

  • T1176 - Browser Extensions
  • T1539 - Steal Web Session Cookie
  • T1528 - Steal Application Access Token
  • T1041 - Exfiltration Over C2 Channel
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1027 - Obfuscated Files or Information
  • T1185 - Browser Session Hijacking

Additional IOCs

  • IPs:
    • 144[.]126[.]135[.]238 - Contabo VPS hosting the shared C2 infrastructure
  • Domains:
    • tg[.]cloudapi[.]stream - Telegram session exfiltration subdomain
    • mines[.]cloudapi[.]stream - Identity theft and C2 beacon subdomain
    • topup[.]cloudapi[.]stream - Payment and monetization portal subdomain
    • cdn[.]cloudapi[.]stream - Game asset hosting subdomain
    • multiaccount[.]cloudapi[.]stream - Ad injection hub subdomain
    • gamewss[.]cloudapi[.]stream - WebSocket game server subdomain
    • wheel[.]cloudapi[.]stream - Pre-positioned C2 subdomain
    • api[.]cloudapi[.]stream - Translation API and content surveillance subdomain
    • chat[.]cloudapi[.]stream - Chat service subdomain
    • crm[.]cloudapi[.]stream - Backend CRM subdomain
    • metal[.]cloudapi[.]stream - Campaign infrastructure subdomain
    • coin-miner[.]cloudapi[.]stream - Campaign infrastructure subdomain
    • goldminer[.]cloudapi[.]stream - Campaign infrastructure subdomain
    • herculessportslegend[.]cloudapi[.]stream - Campaign infrastructure subdomain
    • webuk[.]tech - Developer URL associated with Page Locker extension
    • interalt[.]net - Developer URL associated with InterAlt extension
    • 100ballov[.]com[.]ua - Hostname associated with C2 IP 144.126.135.238 (from Shodan)
    • www[.]100ballov[.]com[.]ua - Hostname associated with C2 IP 144.126.135.238 (from Shodan)
    • vmi2966894[.]contaboserver[.]net - Hostname associated with C2 IP 144.126.135.238 (from Shodan)
  • URLs:
    • tg.cloudapi.stream/count_sessions.php - Endpoint for polling active stolen sessions
    • tg.cloudapi.stream/get_sessions.php - Endpoint for retrieving stolen sessions
    • tg.cloudapi.stream/get_session.php - Endpoint for retrieving a specific stolen session
    • tg.cloudapi.stream/delete_session.php - Endpoint for deleting a stolen session
    • tg.cloudapi.stream/save_title.php - C2 endpoint
    • mines.cloudapi.stream/user_info - C2 beacon endpoint returning infoURL for remote tab-open
    • mines.cloudapi.stream/slot_test/ - C2 endpoint
    • api.cloudapi.stream://8443/Register - Endpoint for registering user email and name for translation proxy
    • api.cloudapi.stream://8443/Translation - Endpoint for proxying and surveilling translation requests
    • top.rodeo/server/remote.php - Game server backend endpoint
    • top.rodeo/server/remote3.php - Game server backend endpoint
    • top.rodeo/notify.php - Game server backend endpoint
    • cloudapi.stream/install/ - Installation tracking endpoint
    • cloudapi.stream/uninstall/ - Uninstallation tracking endpoint
  • File Paths:
    • content.js - Injected script used for extracting localStorage data
    • background.js - Background script used to relay stolen data to C2
    • sidepanel.js - Script used for heartbeat polling to C2
    • userpage.js - Script handling innerHTML injection from C2 responses
    • rules_1.json - File containing declarativeNetRequest rules to strip security headers
    • ukraine.html - Privacy policy file containing threat actor contact email
  • Other:
    • 1096126762051 - Google Cloud Project ID used for OAuth2 client IDs
    • 170835003632 - Google Cloud Project ID used for OAuth2 client IDs