A coordinated campaign of 108 malicious Chrome extensions has been identified, collectively amassing approximately 20,000 installs, all routing stolen credentials, session tokens, and user identities to a shared command-and-control (C2) infrastructure hosted at cloudapi[.]stream.
The extensions remain live on the Chrome Web Store at the time of reporting, and Socket has submitted takedown requests to both Chrome Web Store security and Google Safe Browsing.
The 108 Malicious Chrome Extensions
The 108 malicious extensions are published under five distinct developer identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt, a deliberate obfuscation strategy designed to evade detection through apparent publisher diversity.
Despite five separate publisher names, all 56 unique OAuth2 client IDs across 54 identity-stealing extensions trace back to only two Google Cloud project numbers: 1096126762051 and 170835003632, conclusively proving unified operator control.
The campaign spans multiple threat categories simultaneously: 54 extensions harvest Google account identities via OAuth2, 1 extension actively exfiltrates Telegram Web sessions every 15 seconds, 45 extensions carry a universal browser backdoor, 5 extensions strip security headers from platforms including Telegram, YouTube, and TikTok, and 1 extension proxies all translation requests through the threat actor’s server.
This mirrors a broader industry trend researchers have noted: coordinated Chrome extension campaigns increasingly leverage shared backend infrastructure, publisher identity splitting, and functional decoy UIs to bypass both automated and manual review processes.
Telegram Session Theft: The Most Severe Vector
The most dangerous extension in the campaign, Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa), injects content.js into https://web.telegram.org/* at document_start, immediately serializing the page’s entire localStorage and extracting the user_auth token used to authenticate the Telegram Web session.
This token is sent to tg[.]cloudapi[.]stream/save_session.php via the background script, and a setInterval loop re-exfiltrates the session every 15 seconds indefinitely for the lifetime of the tab.
More critically, the extension also handles an inbound set_session_changed message that allows the operator to push any session data back into the victim’s browser, clearing the victim’s localStorage, overwriting it with threat-actor-supplied data, and force-reloading Telegram Web.
This enables full account takeover without the victim’s password or two-factor authentication code, providing access to all messages, contacts, and linked accounts.
A second extension, Teleside (mdcfennpfgkngnibjbpnpaafcjnhcjno), contains staged infrastructure for the same session theft but has not yet activated the payload; a 30-second heartbeat polls the C2, and a loadInfo() backdoor allows silent payload activation without a Chrome Web Store update.
Google Identity Harvesting via OAuth2
Across 54 of the 108 extensions, the attack pattern against Google accounts is identical: chrome.identity.getAuthToken acquires a real Google OAuth2 Bearer token through the standard sign-in prompt.
The extension then fetches https://www.googleapis.com/oauth2/v3/userinfo and POSTs the victim’s email, name, profile picture, and sub identifier to mines[.]cloudapi[.]stream/auth_google.
The sub field is particularly dangerous: it is a stable, cross-service Google account identifier that does not change when a user changes their password or email address, giving the operator a permanent identity record linked to a per-user user_id on the C2 backend.
Code comments written in Russian, such as “Proverka na uzhe avtorizovannogo pol’zovatelya” (“Check for already authenticated user”), appear across multiple extensions, and three of the seven registered email addresses contain romanization variants of “nadejdin” and “nadiezhdin,” pointing toward a Russian-speaking operator.
This methodology aligns with patterns observed in other multi-extension identity campaigns where a single threat actor uses multiple store identities and shared OAuth infrastructure to maximize reach while minimizing attribution exposure.
Universal Backdoor and Infrastructure
Forty-five extensions contain an identical loadInfo() function that fires on every browser startup, POSTing the extension ID to mines[.]cloudapi[.]stream/user_info and silently opening any operator-specified URL in a new tab via chrome.tabs.create.
There is no restriction on what URL the C2 can return; phishing pages, exploit delivery URLs, or ad fraud destinations are all viable options.
In two extensions (Page Locker and Page Auto Refresh), the loadInfo() function uses clean async/await syntax inconsistent with the surrounding minified code, indicating the backdoor was injected post-development, consistent with an operator who acquired and trojanized existing extensions.
The full C2 infrastructure is hosted on a Contabo GmbH VPS at 144[.]126[.]135[.]238, with the domain cloudapi[.]stream registered April 30, 2022 through Hosting Ukraine LLC.
Confirmed subdomains include tg[.] for Telegram session exfiltration, mines[.] for identity theft and C2 beaconing, topup[.] as a payment portal confirming a Malware-as-a-Service (MaaS) model, and multiaccount[.] as an ad injection hub.
The topup[.]cloudapi[.]stream portal now serves a “RODEO GAMES STUDIO” page describing a Chrome Extension monetization business and listing formatron.service@gmail[.]com as a support contact, openly marketing the operation as a commercial service.
Detection, Mitigation, and MITRE ATT&CK Mapping
The campaign maps to MITRE ATT&CK techniques, including T1176 (Browser Extensions), T1539 (Steal Web Session Cookie), T1528 (Steal Application Access Token), T1041 (Exfiltration Over C2 Channel), and T1185 (Browser Session Hijacking).
Security teams should immediately block cloudapi[.]stream and all its subdomains at the network layer, and flag extensions declaring the identity permission alongside OAuth2 client IDs from Google Cloud projects 1096126762051 or 170835003632.
Affected users should:
- Remove any of the 108 identified extension IDs from Chrome immediately
- If Telegram Multi-account was installed, terminate all Telegram Web sessions via Settings > Devices > Terminate all other sessions in the Telegram mobile app
- Review third-party app permissions at myaccount.google.com/permissions and revoke unrecognized entries
- If Text Translation was used with email registration, treat that email and full name as compromised on the threat actor’s CRM
The broader browser extension ecosystem continues to present a systemic trust vulnerability.
Campaigns like Operation RedDirection (2.3 million users) and the Cyberhaven supply chain attack (2.6 million users) demonstrate that the Chrome Web Store’s review process consistently fails to intercept coordinated multi-publisher threats before significant user impact occurs, as Socket reported.
Frequently Asked Questions
Q1: What is the cloudapi[.]stream infrastructure?
It is a Contabo GmbH VPS (144[.]126[.]135[.]238) serving as the shared C2 backend for all 108 malicious Chrome extensions, handling Telegram session theft, Google identity harvesting, ad injection, and remote tab-open commands.
Q2: Can a stolen Telegram session bypass two-factor authentication?
Yes: a stolen user_auth token from localStorage grants full account access without requiring the victim’s password or 2FA code, since the session is already authenticated.
Q3: Does changing your Google password protect against the sub identifier leak?
No: the Google sub value is a permanent, immutable account identifier that remains unchanged even after password or email resets, making it a persistent tracking handle.
Q4: How can enterprises detect the loadInfo() backdoor pattern in Chrome extensions?
Scan extension bundles for the combination of a user_info endpoint call and a loadInfo() function in background scripts, as this functional fingerprint is consistent across all 45 backdoored extensions in the campaign.
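The manifest check recommended above (identity permission plus an OAuth2 client ID from the two named Google Cloud projects) and the loadInfo()/user_info fingerprint from Q4 can be combined into one scanner over unpacked extension directories. This is an added example, not Socket's or the article's code; it assumes the standard unpacked layout (manifest.json plus .js files), and the sample manifest and script fragment are constructed for illustration.

```python
import json
from pathlib import Path

# Indicators quoted in the report: the C2 domain, the backdoor fingerprint, and the
# two Google Cloud project numbers that prefix the OAuth2 client IDs in the campaign.
C2_DOMAIN = "cloudapi.stream"
BACKDOOR_TOKENS = ("user_info", "loadInfo", "chrome.tabs.create")
SUSPECT_PROJECTS = ("1096126762051", "170835003632")


def scan_manifest(manifest: dict) -> list[str]:
    """Flag the identity permission combined with a client ID from a suspect project."""
    findings = []
    perms = manifest.get("permissions", [])
    client_id = manifest.get("oauth2", {}).get("client_id", "")
    # Chrome OAuth2 client IDs look like "<project-number>-<hash>.apps.googleusercontent.com"
    project = client_id.split("-", 1)[0]
    if "identity" in perms and project in SUSPECT_PROJECTS:
        findings.append(f"identity permission with OAuth2 client from project {project}")
    return findings


def scan_script(source: str) -> list[str]:
    """Flag scripts referencing the C2 domain or carrying the loadInfo()/user_info fingerprint."""
    findings = []
    if C2_DOMAIN in source:
        findings.append(f"references C2 domain {C2_DOMAIN}")
    if all(token in source for token in BACKDOOR_TOKENS):
        findings.append("loadInfo()/user_info/chrome.tabs.create backdoor fingerprint")
    return findings


def scan_extension(root: Path) -> list[str]:
    """Walk one unpacked extension directory and collect every finding."""
    findings = []
    manifest_path = root / "manifest.json"
    if manifest_path.is_file():
        findings += scan_manifest(json.loads(manifest_path.read_text()))
    for script in sorted(root.rglob("*.js")):
        findings += [f"{script.name}: {f}" for f in scan_script(script.read_text(errors="ignore"))]
    return findings


# Constructed sample inputs (hypothetical manifest and a non-functional script fragment).
SAMPLE_MANIFEST = {"permissions": ["identity", "tabs"],
                   "oauth2": {"client_id": "1096126762051-abc123.apps.googleusercontent.com"}}
SAMPLE_SCRIPT = 'async function loadInfo(){/*...*/fetch("https://mines.cloudapi.stream/user_info")/*...*/chrome.tabs.create/*...*/}'

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST) + scan_script(SAMPLE_SCRIPT):
        print("FLAG:", finding)
```

Point scan_extension at each directory under the Chrome profile's Extensions folder to triage installed extensions.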
Site: thecybrdef.com