Over 40 Malicious Chrome Extensions Impersonate Well-Known Brands to Steal Sensitive Data
Researchers have found more than 40 malicious Chrome browser extensions posing as well-known brands such as FortiVPN and DeepSeek AI in order to steal users' sensitive data. These extensions exploit brand trust and AI-generated content to evade detection, and keep stealing data until they are removed manually. 2025-5-26 09:53:45 Author: cybersecuritynews.com

40+ Malicious Chrome Extensions Mimic Popular Brands and Steal Sensitive Data

Cybersecurity researchers have uncovered a sophisticated campaign involving over 40 malicious Chrome browser extensions that masquerade as trusted brands to steal sensitive user data.

The malicious extensions, which remain active on the Google Chrome Store, represent a significant escalation in browser-based attacks targeting both individual users and corporate environments.

The campaign employs advanced deception techniques, with threat actors carefully crafting extensions to mimic well-known platforms including Fortinet/FortiVPN, DeepSeek AI, Calendly, YouTube helper tools, and various cryptocurrency utilities.


These malicious tools leverage the established trust associated with popular brands to bypass user suspicion and evade detection during installation processes.

LayerX analysts identified this extensive network of malicious extensions after building upon initial research conducted by the DomainTools Intelligence team.

While DTI had flagged suspicious domains communicating with browser extensions, LayerX researchers expanded the investigation to uncover the complete scope of individual malicious extensions, their metadata, and operational characteristics.

Sophisticated brand masquerading (Source – LayerX)

The investigation revealed critical technical details including extension IDs, publisher information, and behavioral patterns that indicate coordinated threat actor activities.

The sophisticated nature of this campaign extends beyond simple brand impersonation.

Threat actors have registered domain names that closely resemble legitimate services, such as calendlydaily[.]world and calendly-director[.]com to impersonate Calendly, and deepseek-ai[.]link to mimic the popular AI platform.

Each malicious extension maintains professional appearances through standardized contact email formats following the pattern support@domain-name, lending credibility to their fraudulent operations.

AI-Generated Extension Infrastructure and Persistence Mechanisms

The technical analysis reveals that these malicious extensions utilize AI-generated content for their Chrome Store pages, exhibiting highly similar structure, formatting, and language patterns that enabled rapid scaling across dozens of fake tools.

Extension risk detection flow (Source – LayerX)

This automated approach allows threat actors to maintain operational efficiency while deploying extensions such as the FortiVPN lookalike (extension ID ccollcihnnpcbjcgcjfmabegkpbehnip) and the DeepSeek AI Chat lookalike (extension ID jmpcodajbcpgkebjipbmjdoboehfiddd).

The extensions establish persistent access to user sessions through elevated browser permissions, enabling comprehensive data theft capabilities including cookie harvesting, script injection, and session impersonation.

Even after removal from the Chrome Store, these extensions remain active on infected systems until manually uninstalled, creating sustained security risks for organizations and individual users who may be unaware of the ongoing compromise.
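Because a removed Store listing does not uninstall anything already deployed, defenders need to inventory what is actually installed. As an added example (not part of the original article and not LayerX's tooling), the following Python walks a Chrome profile's Extensions directory, reads each manifest.json, and flags the two extension IDs named above together with the permission combination (all-origin host access plus cookies/scripting/webRequest) that enables the cookie harvesting and script injection described; the sample manifest and the risk rules are my own constructions.

```python
import json
from pathlib import Path

# Extension IDs quoted in the LayerX findings above.
KNOWN_BAD_IDS = {
    "ccollcihnnpcbjcgcjfmabegkpbehnip": "FortiVPN lookalike",
    "jmpcodajbcpgkebjipbmjdoboehfiddd": "DeepSeek AI Chat lookalike",
}
# Host patterns that grant access to every origin.
ALL_URLS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that, combined with all-origin host access, enable the cookie
# harvesting, script injection and session impersonation the article describes.
RISKY = {"cookies": "cookie harvesting", "scripting": "script injection",
         "webRequest": "request interception"}


def assess_manifest(ext_id: str, manifest: dict) -> dict:
    """Score one manifest.json (MV2 or MV3) and return the reasons it was flagged."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions", MV3 under "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append(f"known malicious ID: {KNOWN_BAD_IDS[ext_id]}")
    if hosts & ALL_URLS:
        reasons += [f"all-origin access plus {what}" for p, what in RISKY.items() if p in perms]
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "reasons": reasons, "flagged": bool(reasons)}


def scan_profile(profile_dir: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json for every installed extension."""
    results = []
    for path in sorted(profile_dir.glob("Extensions/*/*/manifest.json")):
        with path.open(encoding="utf-8") as fh:
            results.append(assess_manifest(path.parent.parent.name, json.load(fh)))
    return results


# Constructed sample manifest (not a real extension's), shaped like an MV3 data stealer.
SAMPLE_MANIFEST = {
    "manifest_version": 3, "name": "FortiVPN Helper", "version": "1.0",
    "permissions": ["cookies", "scripting", "storage"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":
    print(assess_manifest("ccollcihnnpcbjcgcjfmabegkpbehnip", SAMPLE_MANIFEST))
    # Real use: point scan_profile() at a profile, e.g. Path.home() / ".config/google-chrome/Default"
```

Unflagged hits still deserve a look at the publisher and contact domain, since the lookalike IDs listed here are only the subset the report names.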



Article source: https://cybersecuritynews.com/malicious-chrome-extensions-mimic-as-popular-chrome-brands/