{
	"id": "bdfacb0f-fe25-4216-b038-1220e8859b18",
	"created_at": "2026-04-06T00:15:22.485783Z",
	"updated_at": "2026-04-10T03:36:47.703861Z",
	"deleted_at": null,
	"sha1_hash": "4695982b17112eb96a6f1b53367c24d5fe20acfd",
	"title": "24/7 managed detection, response, and expert cybersecurity services - GoSecure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82694,
	"plain_text": "24/7 managed detection, response, and expert cybersecurity\r\nservices - GoSecure\r\nArchived: 2026-04-05 16:35:01 UTC\r\nGoSecure Titan Labs received a malicious Chrome extension sample that we are calling ChromeBack\r\n(a4424f32a10770b7e486a38823f166ff) from GoSecure's Titan Managed Detection and Response (MDR) team.\r\nAfter creating a detection for GoSecure Titan Endpoint Detection \u0026 Response (EDR) to ensure that we can\r\nidentify this threat for our clients, the GoSecure Titan Labs team is ready to spread the word and share how to\r\naddress this serious issue that some users are already experiencing. The potential impact of ChromeBack is\r\nextensive, ranging from browser traffic hijacking and ad-redirection to deactivation of other extensions and even\r\nthe activation of developer mode without the user's knowledge.\r\nAnalysis\r\nThis browser extension was identified as it was being downloaded via a Base64-encoded PowerShell command as\r\ndisplayed in Figure 1 below.\r\nFigure 1: Base64-Encoded PowerShell Command\r\nThe encoded script begins with hard-coded variables, including the domain hosting the malware,\r\nithconsukultin[.]com, and the location it will download its payload to, %LOCALAPPDATA%\\chrome.\r\nFigure 2: Hard-coded Values\r\nNext, the script will use Test-Path to check for the %LOCALAPPDATA%\\chrome path. If it does not exist, the\r\nscript will use wget to download the malicious Chrome extension from hxxp://ithconsukultin[.]com/archive[.]zip?\r\niver=2 to %LOCALAPPDATA%\\chrome as archive.zip. Expand-Archive is used to unpack the archive to\r\n%LOCALAPPDATA%\\chrome before deleting the archive.zip file using Remove-Item.\r\nFigure 3: Downloading Extension\r\nIf the %LOCALAPPDATA%\\chrome path does exist, the script will check for a previously installed version of\r\nitself by using Get-Content for the file %LOCALAPPDATA%\\chrome\\background.js, which is the main code of\r\nthe malicious browser extension. 
The content of background.js will be split into an array and a base64-encoded\r\ntracking id, and the domain used to serve advertisements will be stored and checked against the result of a wget to\r\nhxxp://ithconsukultin[.]com/un?iver=2\u0026did=\u0026ver=.\r\nIf the ad domain from background.js matches the result, Unregister-ScheduledTask will be called to remove a\r\nscheduled task named Chromeloader before recursively deleting the %LOCALAPPDATA%\\chrome path and\r\ndownloading the ChromeBack extension from the alternate URL hxxp://ithconsukultin[.]com/archive.zip?\r\niver=2\u0026did=\u0026ver=.\r\nFigure 4: Removing Existing Version and Re-Downloading\r\nhttps://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/\r\nPage 1 of 5\n\nThe final step of the script loads the downloaded ChromeBack extension into Chrome using the --load-extension argument. Get-Process will be invoked for Chrome and .CloseMainWindow() will be used to close any\r\nrunning instances of Chrome. Once all instances are closed, a new instance of Chrome is called using start or\r\nStart-Process and with the --load-extension argument and the path to ChromeBack, as well as --restore-last-session, --noerrdialogs, and --disable-session-crashed-bubble.\r\nFigure 5: Loading Extension with --load-extension\r\nFurther investigation of the --load-extension argument has shown it as a lucrative infection vector for many\r\nChromium-based browsers. By using --load-extension, an unpacked Chrome extension can be loaded from\r\nlocal storage, providing a side-loading vector for malicious extensions. Additionally, loading of unpacked\r\nextensions usually requires the enabling of Developer Mode, which typically includes a visible user agreement\r\nprompt. 
However, when --load-extension is invoked, the user is not prompted or even notified that an\r\nunpacked extension has been loaded, and developer mode will appear as not enabled if someone checks.\r\nMicrosoft Edge is the only browser among those we tested that provides the user a notification of the loaded\r\nextension. Chrome, Chromium, Opera, and even security-focused browsers such as Comodo Dragon and Avast\r\nSecure Browser leave the user with no indication of any changes. Any JavaScript file with an accompanying\r\nmanifest file can be loaded as an extension in this way, allowing for a wide range of malicious functionality to be\r\nadded. A user's shortcut to their browser could be modified with the --load-extension argument allowing\r\nmalicious code to load each time the browser is launched to achieve persistence.\r\nFigure 6: Arbitrary JavaScript Loaded Without User Warning\r\nFigure 7: Developer Mode Appears Off\r\nFigure 8: Microsoft Edge Warning Message\r\nThe extension in question for ChromeBack consists of a manifest file, icon image, and a heavily obfuscated\r\nJavaScript file, background.js (b02455ddbc78841c2e3087fab5a9f9b2). Once installed, ChromeBack appears as\r\nProperties with ID andnkmffoleapmidfgnnjjoepadbiika and permissions for contextMenus, tabs, storage,\r\nbrowsingData, webRequest, webRequestBlocking, privacy, alarms, management, :///**, and chrome:///**. The last\r\ntwo permissions in this list allow for web request control for any URL, allowing blocking or modification of any\r\nweb request.\r\nFigure 9: Installed Extension Information\r\nFigure 10: Permissions and Info from Manifest\r\nThe main functionality of ChromeBack redirects search requests to Google, Yahoo, or Bing through its own\r\ndomain, tobepartou[.]com, as well as periodically serving its own advertisements via Chrome alarms. 
The\r\nextension's first code is a listener using the runtime.onInstalled event, which activates when the extension is first\r\ninstalled, seen below.\r\nFigure 11: onInstalled Functionality\r\nLocal data for lastQuery, ad, and is, which are local variables used by the extension, will be removed. Two alarms,\r\nhb and ad, are also created. hb will first trigger after a delay of 1.1 minutes, then every 180 minutes after that. ad\r\nwill first execute at 5 minutes, then every 30 minutes. Next, the analytics function will be called with the argument\r\ninstall, and the sync function is called. The analytics function of ChromeBack uses the navigator.sendBeacon\r\nmethod of Chrome to send a small packet of data via an HTTP POST request. The POST request will be made to\r\nthe URL hxxps://tobepartou[.]com/?ext=Properties\u0026ver=4.4\u0026dd=, and if a second argument is provided, \u0026info=\r\nwill be appended to the URL.\r\nFigure 12: Analytics Function\r\nThe sync function will send a GET request to hxxps://tobepartou[.]com/redsync, which redirects to\r\nhxxps://freychang[.]fun. Hosted at hxxps://freychang[.]fun is a 16-digit number which is then passed to the sync\r\nfunction as the second argument along with the string sync for a call to analytics(). The result is a post to\r\nhxxps://tobepartou[.]com/sync?ext=Properties\u0026ver=4.4\u0026dd=\u0026info=.\r\nFigure 13: Sync Function\r\nFigure 14: hxxps://freychang[.]fun Data\r\nNext, ChromeBack will use the management.getAll method to get information on all other running Chrome\r\nextensions and pass that info to the handleInstalledExtensions function. handleInstalledExtensions will send a\r\nPOST request to hxxps://com.tobepartou[.]com/ext?ext=Properties\u0026ver=4.4\u0026dd= with a JSON object of a\r\nstringified list of running extensions as the data. 
Then, the list will be parsed and the Chrome\r\nmanagement.setEnabled method will be called to set the value for each extension to !1, disabling all other\r\nextensions.\r\nFigure 15: handleInstalledExtensions Function\r\nFigure 16: Disabling Extensions from handleInstalledExtensions\r\nThere is a running listener for alarms.onAlarm events. When the hb alarm triggers, ChromeBack executes its\r\nanalytics function with the argument hb, and the sync function. When the ad alarm triggers, the getAd function is\r\ncalled.\r\nFigure 17: onAlarm Listener\r\nThe getAd function calls a second function, openAd. openAd executes a GET request to\r\nhxxps://tobepartou[.]com/ad?ext=Properties\u0026ver=4.4\u0026dd=. The response contains a URL with the intended\r\nadvertisement to serve, hxxps://a[.]nel[.]cloudflare[.]com/report/v3?s=. The Chrome tabs.create method is then\r\ncalled to create a tab with the served advertisement.\r\nFigure 18: openAd Function\r\nThe listener is created with the intention to redirect search results using the webRequest.onBeforeRequest method.\r\nWhen a request is made, it is checked against the indexes of Google, search.yahoo, and Bing. Any requests to\r\nthese domains will be blocked, and the search query stripped from the URL and appended to the end of a new\r\ntarget URL, hxxps://tobepartou[.]com/search?ext=Properties\u0026ver=4.4\u0026is=1\u0026q=. After the first redirection, the\r\nbrowser will be redirected again to a Bing search for the original query.\r\nFigure 19: Redirection of Search Results\r\nWithin Chrome, users are typically able to see and manage access for all of their extensions in one tab,\r\nchrome://extensions. 
An additional interesting evasion method used by ChromeBack: upon a request to\r\nchrome://extensions, the tab will be removed and a new tab of chrome://settings will be created. This prevents a\r\nuser from reaching the page to manage extensions, adding a hurdle for more novice users.\r\nFigure 20: Code for Preventing Access to Extensions\r\nConclusion\r\nThe ChromeBack extension is a browser hijacker, redirecting traffic and serving advertisements to users. Its\r\nutilization of the --load-extension argument outlines an interesting vector for injection of malicious code into a\r\nbrowser without the knowledge of the user. Users may not be aware that they have been compromised, especially\r\nsince Developer Mode can be enabled without notification. Identification is possible with tools like GoSecure\r\nTitan Endpoint Detection \u0026 Response (EDR) and through a review of the information provided in this blog. To\r\nread more from GoSecure Titan Labs and our extensive security investigations, be sure to check this blog\r\nregularly and follow us on Twitter and LinkedIn.\r\nMalware Analyst: Matthew Hood\r\nIndicators of Compromise\r\n+========+==================================+===========================================+\r\n| Type | Indicator | Description |\r\n+========+==================================+===========================================+\r\n| MD5 | a4424f32a10770b7e486a38823f166ff | ChromeBack Extension Zipped (Archive.zip) |\r\n+--------+----------------------------------+-------------------------------------------+\r\n| MD5 | b02455ddbc78841c2e3087fab5a9f9b2 | ChromeBack Extension Code (Background.js) |\r\n+--------+----------------------------------+-------------------------------------------+\r\n| DOMAIN | ithconsukultin[.]com | ChromeBack Initial Download Domain |\r\n+--------+----------------------------------+-------------------------------------------+\r\n| DOMAIN | tobepartou[.]com | ChromeBack Contact Domain 
|\r\n+--------+----------------------------------+-------------------------------------------+\r\n| DOMAIN | freychang[.]fun | ChromeBack Contact Domain |\r\n+--------+----------------------------------+-------------------------------------------+\r\n| DOMAIN | a[.]nel[.]cloudflare[.]com | ChromeBack Ad Hosting Domain |\r\n+--------+----------------------------------+-------------------------------------------+\r\n| ID | andnkmffoleapmidfgnnjjoepadbiika | ChromeBack Extension ID |\r\n+========+==================================+===========================================+\r\nDetection\r\nGoSecure Titan Labs are providing the following signatures to help the community in detecting and identifying\r\nthe threats discussed in this report and have deployed additional detection as part of our MDR service.\r\nalert http any any -\u003e $EXTERNAL_NET any (msg:\"GS MALWARE ChromeBack Browser Hijacker Query Redirection\";\r\ncontent:\"GET\"; http_method;\r\ncontent:\"/search?ext=\"; http_uri; fast_pattern;\r\ncontent:\"\u0026ver=\"; http_uri; distance:0;\r\ncontent:\"\u0026is=\"; http_uri; distance:0;\r\ncontent:\"\u0026q=\"; http_uri; distance:0;\r\nflow:to_server, established;\r\nmetadata:created 2022-01-18, type malware.stealer, os any, tlp white;\r\nclasstype:trojan-activity; sid:300001853; rev:1;)\r\nalert http any any -\u003e $EXTERNAL_NET any (msg:\"GS MALWARE ChromeBack Browser Hijacker getAd\";\r\ncontent:\"GET\"; http_method;\r\ncontent:\"/ad?ext=\"; http_uri; fast_pattern;\r\ncontent:\"\u0026ver=\"; http_uri; distance:0;\r\ncontent:\"\u0026dd=\"; http_uri; distance:0;\r\nflow:to_server, established;\r\nmetadata:created 2022-02-08, type malware.stealer, os any, tlp white;\r\nclasstype:trojan-activity; sid:200000000; rev:1;)\r\nalert http any any -\u003e $EXTERNAL_NET any (msg:\"GS MALWARE ChromeBack Browser Hijacker 
Sync\";\r\ncontent:\"GET\"; http_method;\r\ncontent:\"/sync?ext=\"; http_uri; fast_pattern;\r\ncontent:\"\u0026ver=\"; http_uri; distance:0;\r\ncontent:\"\u0026dd=\"; http_uri; distance:0;\r\nflow:to_server, established;\r\nmetadata:created 2022-02-08, type malware.stealer, os any, tlp white;\r\nclasstype:trojan-activity; sid:200000001; rev:1;)\r\nalert http any any -\u003e $EXTERNAL_NET any (msg:\"GS MALWARE ChromeBack Browser Hijacker Home Beacon\";\r\ncontent:\"POST\"; http_method;\r\ncontent:\"/hb?ext=\"; http_uri; fast_pattern;\r\ncontent:\"\u0026ver=\"; http_uri; distance:0;\r\ncontent:\"\u0026dd=\"; http_uri; distance:0;\r\nflow:to_server, established;\r\nmetadata:created 2022-02-08, type malware.stealer, os any, tlp white;\r\nclasstype:trojan-activity; sid:200000002; rev:1;)\r\nSource: https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gosecure.net/blog/2022/02/10/malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading/"
	],
	"report_names": [
		"malicious-chrome-browser-extension-exposed-chromeback-leverages-silent-extension-loading"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434522,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4695982b17112eb96a6f1b53367c24d5fe20acfd.pdf",
		"text": "https://archive.orkl.eu/4695982b17112eb96a6f1b53367c24d5fe20acfd.txt",
		"img": "https://archive.orkl.eu/4695982b17112eb96a6f1b53367c24d5fe20acfd.jpg"
	}
}