Overview
- The malicious extensions were collectively downloaded more than 50,000 times, according to Koi Security, which identified the 17 affected add-ons.
- The loader lies dormant for roughly 48 hours and then contacts hardcoded domains, including www.liveupdt[.]com and www.dealctr[.]com, fetching the main payload only about 10% of the time.
- The final toolkit hijacks affiliate links, injects Google Analytics tracking, strips security headers like CSP and X-Frame-Options, inserts hidden iframes for ad and click fraud, and uses CAPTCHA bypass techniques.
- The retrieved code is heavily obfuscated with case swapping and base64 encoding, and is further protected with a cipher and an XOR layer keyed on the extension's runtime ID.
- The add-ons posed as VPNs, translators, ad blockers, and utilities; researchers urge users to remove the listed extensions and consider resetting important passwords, while reports differ on whether the add-ons remain available.
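The two loader domains quoted above are the most actionable detail in the overview for a defender. The script below is an added example, not code from Koi Security or from the reporting it summarises: it refangs the published indicators, collapses them to their registrable domains so any subdomain is caught, and scans DNS resolver log lines for lookups of them. The log format (`timestamp client=IP query=NAME`) and every log line are constructed for the example; the `hours_since_install` helper exists only to make the point that a hunt for this loader must look at least 48 hours past the install time, since the loader stays dormant that long.

```python
import re
from datetime import datetime

# Indicators as published in the overview, in defanged form.
DEFANGED_IOCS = ["www.liveupdt[.]com", "www.dealctr[.]com"]


def refang(value):
    """Turn a defanged indicator ('x[.]com', 'hxxp://') into a matchable hostname."""
    host = value.strip().lower()
    host = re.sub(r"^hxxps?://", "", host)
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        host = host.replace(token, ".")
    host = host.split("/")[0]          # drop any path component
    return host.rstrip(".")            # DNS logs often carry a trailing dot


def base_domains(iocs):
    """Collapse 'www.example.com' to 'example.com' so sibling subdomains also match."""
    watch = set()
    for ioc in iocs:
        parts = refang(ioc).split(".")
        watch.add(".".join(parts[-2:]) if len(parts) >= 2 else parts[0])
    return watch


def host_matches(host, watch):
    """Return the watched domain that `host` equals or sits under, else None.

    The check is suffix-based on a label boundary, so 'notliveupdt.com' and
    'liveupdt.com.lookalike.net' do not match 'liveupdt.com'.
    """
    h = refang(host)
    for domain in watch:
        if h == domain or h.endswith("." + domain):
            return domain
    return None


# Constructed resolver log format: "<ISO timestamp> client=<ip> query=<qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def scan_dns_log(lines, iocs=DEFANGED_IOCS):
    """Return one hit record per log line whose query name falls under a watched domain."""
    watch = base_domains(iocs)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                   # unparseable line; skip rather than crash the hunt
        domain = host_matches(m["qname"], watch)
        if domain:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "qname": refang(m["qname"]), "ioc": domain})
    return hits


def hours_since_install(install_ts, seen_ts):
    """Hours between an extension's install time and a suspicious lookup (both ISO-8601, UTC)."""
    fmt = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    return (fmt(seen_ts) - fmt(install_ts)).total_seconds() / 3600.0


# Constructed sample log lines; not real telemetry.
SAMPLE_LOG = [
    "2024-06-01T10:00:00Z client=10.0.0.5 query=www.liveupdt.com.",
    "2024-06-01T10:00:02Z client=10.0.0.5 query=www.example.com.",
    "2024-06-01T10:05:00Z client=10.0.0.7 query=cdn.dealctr.com.",
    "2024-06-01T10:06:00Z client=10.0.0.9 query=notliveupdt.com.",
    "2024-06-01T10:07:00Z client=10.0.0.9 query=liveupdt.com.lookalike.net.",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} looked up {hit['qname']} (IoC {hit['ioc']})")
    # A lookup 72h after install is consistent with the ~48h dormancy described above.
    print("hours since install:", hours_since_install("2024-05-29T10:00:00Z", SAMPLE_LOG[0].split()[0]))
```

Because the loader only fetches its payload on a fraction of runs, a single resolver hit from one client is already worth acting on; the absence of hits over a short window proves little, so pair this with an inventory of installed extensions rather than relying on DNS alone.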