Cybersecurity experts have discovered a large-scale campaign involving more than 40 malicious Chrome browser extensions. These extensions pretend to be official tools from trusted companies and are designed to steal sensitive data from users.
At the time of the report, the fake extensions were still listed on the Google Chrome Web Store. They pose a serious threat to both individual users and corporate systems. The attackers crafted each extension to pass as a real product from a well-known service, such as Fortinet's FortiVPN, DeepSeek AI, Calendly, YouTube helper apps, and various crypto-related tools.
By copying the look and branding of these platforms, the extensions borrow the trust users already place in them, so nothing looks suspicious at install time or during everyday use.
Investigators Trace Back Campaign Origins
The discovery was made by researchers at LayerX. Their work expanded on earlier findings from the DomainTools Intelligence (DTI) team. While DTI first flagged suspicious domains linked to browser activity, LayerX mapped out the full network of dangerous extensions, including technical details such as extension IDs, publisher names, and behavioral patterns.
The analysis showed that these extensions are part of a coordinated campaign. The attackers not only copied well-known brands but also registered domains that closely resemble the real services, for example calendlydaily[.]world and deepseek-ai[.]link.
Each fake extension listed a professional-looking support address, typically in the format support@domain-name, to appear more legitimate.
AI-Driven Design and Persistent Threats
The attackers used artificial intelligence to generate the content and layout for each Chrome Store page. This allowed them to create many similar-looking extensions quickly and efficiently.
Two of the extensions identified by LayerX are ccollcihnnpcbjcgcjfmabegkpbehnip (posing as FortiVPN) and jmpcodajbcpgkebjipbmjdoboehfiddd (posing as DeepSeek AI Chat). These 32-character strings are Chrome extension IDs, which are derived from the publisher's signing key rather than chosen as names; they are the stable indicator to search for on endpoints, since the display name can be changed at will.
These extensions request broad browser permissions. Once installed, they can read cookies, inject scripts into pages the user visits, and hijack authenticated sessions: a stolen session cookie lets the attacker act as the logged-in user without ever needing a password. Together these capabilities give the attackers wide access to user data and online activity.
Removal from the Chrome Web Store does not by itself uninstall an extension from machines where it is already present. Unless it is removed manually (or blocked centrally, for example through Chrome's ExtensionInstallBlocklist enterprise policy), it keeps running with the same permissions, and the user has no indication that anything is wrong. Defenders should therefore audit installed extensions directly rather than rely on the store listing being gone.
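The following script is an added example, not code from LayerX, DomainTools or the article: it walks a Chrome profile's Extensions directory, matches each installed extension ID against the two IDs named above, and flags the permission combination (cookies, script injection, access to all sites) that makes the session hijacking described here possible. The sample manifests, the profile paths and the high-risk permission list are assumptions for illustration; the real manifests of the malicious extensions are not reproduced in the article.

```python
"""Audit installed Chrome extensions for known-bad IDs and session-hijack-capable permissions."""
import json
import os
import re
import tempfile
from pathlib import Path

# Extension IDs named in the article. Extend with your own indicators.
KNOWN_BAD_IDS = {
    "ccollcihnnpcbjcgcjfmabegkpbehnip": "fake FortiVPN",
    "jmpcodajbcpgkebjipbmjdoboehfiddd": "fake DeepSeek AI Chat",
}

# Assumed list of permissions worth a second look. "cookies" plus "scripting"
# plus access to every site is the combination that enables session hijacking.
HIGH_RISK_PERMISSIONS = {
    "cookies", "scripting", "webRequest", "webRequestBlocking", "debugger",
    "proxy", "nativeMessaging", "management", "history", "clipboardRead",
}
BROAD_HOST_RE = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")
EXT_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome IDs are 32 chars from the a..p alphabet


def assess_manifest(ext_id, manifest):
    """Return a list of findings for one extension; an empty list means nothing flagged."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"known malicious ID ({KNOWN_BAD_IDS[ext_id]})")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    broad = sorted(h for h in hosts if BROAD_HOST_RE.match(h))
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    can_inject = "scripting" in perms or bool(manifest.get("content_scripts"))
    if "cookies" in perms and can_inject and broad:
        findings.append("cookie theft + script injection + all-site access: session hijack capable")
    return findings


def scan_extension_root(root):
    """Walk <root>/<ext_id>/<version>/manifest.json and return {ext_id: findings} for flagged ones."""
    results = {}
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        if not EXT_ID_RE.match(ext_id):
            continue
        try:
            # Chrome-written manifests may carry a BOM; utf-8-sig strips it.
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            results[ext_id] = ["unreadable manifest"]
            continue
        findings = assess_manifest(ext_id, manifest)
        if findings:
            results[ext_id] = findings
    return results


def default_extension_roots():
    """Assumed default-profile locations; add other profiles or browsers as needed."""
    home = Path.home()
    return [
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / ".config/google-chrome/Default/Extensions",
    ]


# Constructed sample manifests (not the real ones): one mimicking the fake DeepSeek
# extension's ID with session-hijack-capable permissions, one harmless note-taker.
SAMPLE_MANIFESTS = {
    "jmpcodajbcpgkebjipbmjdoboehfiddd": {
        "manifest_version": 3, "name": "DeepSeek AI Chat",
        "permissions": ["cookies", "scripting", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    "abcdefghijklmnopabcdefghijklmnop": {
        "manifest_version": 3, "name": "Note Taker", "permissions": ["storage"],
    },
}


def demo_scan():
    """Lay the constructed samples out like a real profile directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLE_MANIFESTS.items():
            version_dir = Path(tmp, ext_id, "1.0.0_0")
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return scan_extension_root(tmp)


if __name__ == "__main__":
    for ext_id, findings in demo_scan().items():
        print(ext_id, *findings, sep="\n  ")
    for root in default_extension_roots():
        if root.is_dir():
            for ext_id, findings in scan_extension_root(root).items():
                print(ext_id, *findings, sep="\n  ")
```

Run it on an endpoint to list anything matching the known IDs or holding the hijack-capable permission set; the per-ID output is what you would feed into an EDR query or a blocklist policy. Matching on permissions rather than names is deliberate: the campaign's display names and store pages were generated to look legitimate, but a VPN or calendar helper has no reason to need cookies for every site.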