Particle.news

108 Malicious Chrome Extensions Linked to One Operation Steal Google and Telegram Data

Google had not removed the listed extensions at publication time.

Overview

  • Socket, which disclosed the campaign Tuesday, said 108 Chrome add-ons tied to a single command server had about 20,000 installs.
  • Many extensions harvest Google account details via OAuth2, plant a startup backdoor that opens attacker-chosen pages, and hijack Telegram Web sessions every 15 seconds.
  • The apps pose as games, YouTube or TikTok helpers, Telegram sidebars, translators, and utilities while running hidden code that steals data and injects ads or scripts.
  • All extensions phone home to a shared backend on a Contabo VPS at IP 144.126.135.238 in what researchers say looks like a malware-as-a-service setup, with Russian-language code comments but no confirmed attribution.
  • Researchers sent takedown requests to Google, but many extensions were still live at publication time, so users are urged to uninstall the listed extension IDs and to log out of all Telegram Web sessions from the mobile app.
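The list of affected extension IDs is not reproduced here, but the shared command server IP is, so one practical check is to sweep a Chrome profile's unpacked extensions for that indicator. The script below is an added example, not Socket's tooling or any of the extensions' code; the extension IDs, names and file contents in the fixture are constructed for the demo, and the only real indicator is the IP from the report.

```python
import json
import tempfile
from pathlib import Path

# Indicator from the Socket report: the shared command-and-control host.
C2_INDICATOR = "144.126.135.238"
SCAN_SUFFIXES = {".js", ".json", ".html"}

def read_extension_name(manifest_path):
    """Best-effort name from manifest.json; an unreadable manifest is not fatal."""
    try:
        return json.loads(manifest_path.read_text(encoding="utf-8")).get("name", "<unknown>")
    except (OSError, ValueError):
        return "<unknown>"

def scan_extensions_dir(extensions_dir, indicator=C2_INDICATOR):
    """Walk <profile>/Extensions/<id>/<version>/ and return
    [(extension_id, name, relative_file)] for each file containing the indicator."""
    hits, root = [], Path(extensions_dir)
    if not root.is_dir():
        return hits
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            name = read_extension_name(version_dir / "manifest.json")
            for path in version_dir.rglob("*"):
                if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
                    continue
                if indicator in path.read_text(encoding="utf-8", errors="ignore"):
                    hits.append((ext_dir.name, name, str(path.relative_to(root))))
    return hits

def build_sample_profile(base):
    """Constructed fixture (not real extension code): one benign and one
    suspicious unpacked extension laid out the way Chrome stores them."""
    base = Path(base)
    benign = base / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0_0"
    bad = base / "Extensions" / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.3_0"
    for d in (benign, bad):
        d.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({"name": "Harmless Notes"}))
    (benign / "background.js").write_text("fetch('https://example.com/api');")
    (bad / "manifest.json").write_text(json.dumps({"name": "TikTok Helper"}))
    (bad / "background.js").write_text("const C2 = 'http://144.126.135.238/api/';")
    return base / "Extensions"

def run_demo():
    """Build the fixture in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions_dir(build_sample_profile(tmp))
```

On a real machine, point `scan_extensions_dir` at the profile's `Extensions` directory (for example `~/.config/google-chrome/Default/Extensions` on Linux); a hit identifies the extension ID to remove, and the absence of a hit does not clear an extension that loads its payload remotely.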