Malicious Chrome Extensions Imitate Fortinet, YouTube, and VPNs

Written by Adriana Aguilar | May 21, 2025 6:41:56 PM

Over 100 malicious extensions infiltrated the Chrome Web Store, disguised as legitimate tools like VPNs, AI assistants, and encryption utilities. Security researchers from DomainTools revealed that these extensions are part of a well-organized campaign using more than 100 fake domains to lure unsuspecting users, likely through malicious advertising.

While many of these extensions appeared to offer some of the promised features, they were secretly connecting to attacker-controlled servers to steal browser cookies, execute remote scripts, and receive malicious commands. In addition to data theft, these extensions can also modify user network traffic, inject unwanted ads, perform deceptive redirects, or function as proxies. All of this happens in the background while the user believes they are using a trustworthy tool.

 

Fake Websites Promoting Malicious Chrome Extensions

 

Among the more than 100 websites identified as part of this malicious campaign, there is a bit of everything: from made-up VPN services to copies of well-known brands such as Fortinet, YouTube, DeepSeek AI, and even Calendly. Some of the most suspicious domains include names such as:

These websites are designed to look legitimate and often include “Add to Chrome” buttons that actually redirect users to malicious extensions hosted in the Chrome Web Store. Everything is carefully crafted to provide a trustworthy and professional appearance—exactly what users expect from a helpful tool.

Although Google has already removed several of these extensions after they were reported, some still remain active in the official store, posing a risk to anyone who might encounter them and trust them without suspecting anything unusual.

 

 


Extensions That Do Much More Than They Promise

 

Although some of these extensions appear to offer useful features—such as improving connection speed, blocking ads, or boosting productivity—the reality is that many hide dangerous permissions that allow them to perform far more invasive actions. We're talking about stealing cookies (including session tokens), injecting malicious scripts into the websites you visit, and even carrying out phishing attacks by manipulating website content.

A clear example is the “fortivpn” extension. In addition to pretending to be a legitimate tool, it can act as a proxy server, intercept and modify network traffic, and execute JavaScript code directly from attacker-controlled servers. When triggered, it can collect all browser cookies, compress and encode them, and send them to a remote server. And that’s not all—it can also establish independent WebSocket connections to route your traffic through malicious servers, including mechanisms to handle proxy authentication.

 

Malicious Website Masquerading as a Fortinet VPN Client

 

Extensions like these pose risks that extend far beyond just your browser. They allow attackers to access your accounts, spy on your online activity, and even use your session cookies to log into corporate services, including private networks or VPN accounts. In the wrong hands, this information can become a gateway to far more serious attacks within companies or larger systems.

 

The Best Defense: Vigilance and Caution

 

The most effective way to protect yourself from these kinds of threats is to be extremely selective about the extensions you install. Always check who developed them, review the permissions they request, and take a look at user reviews. If something feels off, it’s probably best not to install it. When it comes to security, it’s always better to be safe than sorry.
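
An added example, not part of the original article or of the DomainTools research: a Python check that maps the capabilities described above (cookie theft, proxying, traffic modification, script injection) to the Chrome manifest permissions that enable them, as one way to "review the permissions they request". The function name audit_manifest, the verdict labels and both sample manifests are constructed for illustration.

```python
import json

# Capabilities the article attributes to these extensions, mapped to the
# Chrome manifest permissions that make them possible.
RISKY = {
    "cookies": "read cookies, including session tokens",
    "proxy": "control the browser's proxy settings",
    "webRequest": "observe network requests",
    "webRequestAuthProvider": "answer proxy/HTTP authentication challenges",
    "declarativeNetRequest": "block, redirect or modify requests",
    "scripting": "inject scripts into visited pages",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest_text):
    """Return (findings, verdict) for the text of one manifest.json."""
    m = json.loads(manifest_text)
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    # Manifest V3 lists hosts in host_permissions; V2 mixes them into permissions.
    hosts = set(m.get("host_permissions", [])) | perms
    for script in m.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    broad = bool(hosts & BROAD_HOSTS)
    findings = [f"{p}: {why}" for p, why in RISKY.items() if p in perms]
    if broad:
        findings.append("host access: every site")
    # Permissions alone do not prove malice (a real VPN needs "proxy"), so the
    # verdict only says how closely to compare them with the stated purpose.
    if "proxy" in perms or ("cookies" in perms and broad):
        verdict = "review-before-install"
    elif findings:
        verdict = "check-against-stated-purpose"
    else:
        verdict = "no-risky-permissions"
    return findings, verdict

# Constructed sample manifests (not taken from any real extension).
VPN_LOOKALIKE = json.dumps({
    "manifest_version": 3, "name": "Sample VPN",
    "permissions": ["proxy", "cookies", "webRequest",
                    "webRequestAuthProvider", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
})
NOTE_TAKER = json.dumps({"manifest_version": 3, "name": "Sample Notes",
    "permissions": ["storage"], "host_permissions": ["https://notes.example/*"]})

if __name__ == "__main__":
    for sample in (VPN_LOOKALIKE, NOTE_TAKER):
        print(audit_manifest(sample))
```

Installed extensions keep a manifest.json inside the Chrome profile's Extensions directory, so the same function can be run over each file found there.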