Overview
- Google confirmed the identified extensions are gone from the Chrome Web Store, yet several high‑install Microsoft Edge listings, including WeTab with about 3 million installs, remain available.
- Researchers say infected browsers run an hourly remote code execution framework: the extension polls api.extensionplay[.]com, downloads arbitrary JavaScript, and executes it with whatever browser API access the extension's own permissions grant.
- The spyware harvests browsing history, search queries and keystrokes, mouse clicks, cookies, storage data, and fingerprints, streaming data to roughly 17 domains hosted in China.
- The campaign progressed from 2023 affiliate‑fraud injections and search hijacking (including Infinity V+) to mid‑2024 sleeper updates that backdoored long‑trusted extensions such as Clean Master, once featured and verified.
- Koi Security notes the install counts may have been inflated, warns that the RCE infrastructure persists on already infected browsers until the extensions are removed, and advises removing the listed extensions and rotating credentials; Microsoft had not provided a substantive comment at the time of writing.
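The hourly check-in described above is a useful hunting signal on its own, because a beacon that repeats every hour with little jitter stands out in proxy logs even if the operators rotate the domain. The following script is an added example, not Koi Security's tooling or anything from the report: it parses constructed proxy log lines (timestamp, client, host, path; the format and the sample entries are assumptions), flags any client that contacted the polling domain named in the report, and separately flags any client/host pair whose requests recur at roughly hourly intervals.

```python
"""Hunt for the hourly extension beacon in web-proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Indicator from the report, written without the [.] defanging so it matches
# what a proxy actually logs.
IOC_HOSTS = {"api.extensionplay.com"}

BEACON_PERIOD_S = 3600      # the report describes an hourly poll
BEACON_TOLERANCE_S = 120    # assumed jitter allowance around the period
MIN_HITS = 3                # at least 3 requests, i.e. 2 intervals to compare

# Constructed sample log (not real traffic): "timestamp client host path".
SAMPLE_LOG = """\
2025-01-06T08:00:12Z 10.0.0.5 api.extensionplay.com /
2025-01-06T08:03:40Z 10.0.0.5 www.example.com /
2025-01-06T09:00:15Z 10.0.0.5 api.extensionplay.com /
2025-01-06T10:00:09Z 10.0.0.5 api.extensionplay.com /
2025-01-06T11:00:21Z 10.0.0.5 api.extensionplay.com /
2025-01-06T08:30:00Z 10.0.0.7 www.example.com /
2025-01-06T08:31:00Z 10.0.0.7 cdn.example.net /lib.js
2025-01-06T09:31:00Z 10.0.0.7 cdn.example.net /lib.js
"""


def parse_log(text):
    """Return a list of (datetime, client, host) tuples from the assumed log format."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, host, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, client, host.lower()))
    return records


def clients_contacting_iocs(records):
    """Exact-match check: which clients talked to the known polling endpoint."""
    return sorted({client for _, client, host in records if host in IOC_HOSTS})


def find_periodic_beacons(records, period=BEACON_PERIOD_S,
                          tolerance=BEACON_TOLERANCE_S, min_hits=MIN_HITS):
    """Behavioural check: client/host pairs whose every inter-request gap is
    within `tolerance` seconds of `period`. Catches the same beacon even if the
    domain changes. Returns {(client, host): {"hits": n, "median_interval_s": s}}."""
    by_pair = defaultdict(list)
    for when, client, host in records:
        by_pair[(client, host)].append(when)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(gap - period) <= tolerance for gap in gaps):
            flagged[pair] = {"hits": len(times), "median_interval_s": median(gaps)}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("IOC contact:", clients_contacting_iocs(recs))
    for (client, host), info in find_periodic_beacons(recs).items():
        print(f"periodic beacon: {client} -> {host} "
              f"({info['hits']} hits, ~{info['median_interval_s']:.0f}s apart)")
```

The two checks are deliberately independent: the IOC match is cheap and precise but only as good as the domain list, while the periodicity check needs a few hours of logs and a jitter allowance tuned to the environment, but will also surface a renamed endpoint. A hit on either is a reason to inventory the extensions on that host, not proof of infection by itself.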