{
	"id": "74cb3b67-872e-4b1c-8897-86b3a689a9d3",
	"created_at": "2026-04-06T00:06:45.000009Z",
	"updated_at": "2026-04-10T13:12:31.311542Z",
	"deleted_at": null,
	"sha1_hash": "7ec170b71143e19a8897dcb8d4a006fa45afe194",
	"title": "Threat in your browser: what dangers innocent-looking extensions hold for users",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1020210,
	"plain_text": "Threat in your browser: what dangers innocent-looking extensions hold\r\nfor users\r\nBy Kaspersky\r\nPublished: 2022-08-16 · Archived: 2026-04-05 13:37:55 UTC\r\nWhether you want to block ads, keep a to-do list or check your spelling, browser extensions allow you to do all of the above\r\nand more, improving convenience, productivity and efficiency for free, which is why they are so popular. Chrome, Safari,\r\nMozilla — these and many other major Web browsers — have their own online stores to distribute thousands of extensions,\r\nand the most popular plug-ins there reach over 10 million users. However, extensions are not always as secure as you might\r\nthink — even innocent-looking add-ons can be a real risk.\r\nBrowser add-ons are in demand among people of different ages. For example, children can add virtual pets to their\r\nbrowser, while adults usually prefer productivity trackers and timers.\r\nFirst of all, not every innocent-looking extension is, in fact, innocent. Malicious and unwanted add-ons promote themselves\r\nas useful, and often do have legitimate functions implemented along with illegitimate ones. Some of them may even\r\nimpersonate a popular legitimate extension, their developers going so far as to stuff keywords so that their extension appears\r\nnear the top of the browser’s extension store.\r\nMalicious and unwanted add-ons are often distributed through official marketplaces. In 2020, Google removed 106 browser\r\nextensions from its Chrome Web Store. All of them were used to siphon off sensitive user data, such as cookies and\r\npasswords, and even take screenshots; in total, these malicious extensions were downloaded 32 million times. Victims of\r\nthese attacks were not only individuals, but also businesses. Overall, more than 100 networks were abused, giving threat\r\nactors a foothold on financial service firms, oil and gas companies, the healthcare and pharmaceutical industries,\r\ngovernment and other organizations. 
Another malicious Google Chrome extension that was available for download even in\r\nthe official store could recognize and steal payment card details entered in web forms. Google deleted it from the Chrome\r\nWeb Store, but the malware had already infected more than 400 Chrome users, putting their data at huge risk.\r\nSometimes the user can assess the risks by looking at what permissions an extension requests when installed from the store.\r\nIf you see that an add-on is asking for far more permissions than it theoretically needs, that’s a serious cause for concern. For\r\nexample, if a regular browser calculator requires access to your geolocation or browsing history, or wants to take screenshots\r\nof pages, it’s better not to download it at all.\r\nHowever, analyzing extension permissions may not always help. Often the wording provided by browsers is so vague that it\r\nis impossible to tell exactly how secure an extension is. For example, basic extensions often require permission to “read and\r\nchange all your data on the websites you visit.” They may really need it to function properly, but this permission potentially\r\ngives them a great deal of power.\r\nEven if extensions have no malicious functionalities, they can still be dangerous. The danger arises from the fact that many\r\nextensions, after gaining access to “read all the data on all websites,” collect massive amounts of data from web pages users\r\nvisit. To earn more money, some developers may pass it on to third parties or sell it to advertisers. 
The problem is that\r\nsometimes that data is not anonymized enough, so even non-malicious extensions can harm users by exposing their data to\r\nsomeone who is not supposed to see what websites they visit and what they do there.\r\nhttps://securelist.com/threat-in-your-browser-extensions/107181\r\nPage 1 of 12\n\nA regular spell checker asks permission to “read and change all your data on all websites,” which could potentially pose\r\na risk\r\nAdditionally, extension developers are also able to push out updates without requiring any action by the end user, which\r\nmeans that even a legit extension could be later turned into malware or unwanted software. For instance, when an account of\r\nthe developer of a popular add-on was hijacked after a phishing attack, millions of users received adware on their devices\r\nwithout their knowledge. Sometimes developers sell a browser extension after it has gained a huge following. After\r\nfraudsters purchase the extension, they can update it with malicious or unwanted features, and that update will be pushed to\r\nusers. In that way, over 30,000 users got adware after an installed extension, dubbed Particle, was sold to new developers\r\nand later modified to inject ads into websites.\r\nMethodology\r\nIn this research, we observed various types of threats that mimic useful web browser extensions, and the number of users\r\nattacked by them. For this purpose, we analyzed threat statistics from Kaspersky Security Network (KSN), a system for\r\nprocessing anonymized cyberthreat-related data shared voluntarily by Kaspersky users, for the period between January 2020\r\nand June 2022. 
Additionally, we prepared in-depth characteristics of four popular threats, hiding as browser add-ons, with\r\nexamples of which applications they can mimic and what danger they hold for users.\r\nKey findings\r\nThroughout the first half of this year, 1,311,557 users tried to download malicious or unwanted extensions at least\r\nonce, which is more than 70 percent of the number of users affected by the same threat throughout the whole of last\r\nyear.\r\nFrom January 2020 to June 2022, more than 4.3 million unique users were attacked by adware hiding in browser\r\nextensions, which is approximately 70 percent of all users affected by malicious and unwanted add-ons.\r\nThe most common threat in the first half of 2022 was the WebSearch family of adware extensions, able to collect and\r\nanalyze search queries and redirect users to affiliate links.\r\nBrowser extensions threats: in figures\r\nSince the beginning of 2020, Kaspersky products prevented 6,057,308 users from downloading malware, adware and\r\nriskware disguised as browser extensions. Our findings show that, during the analyzed period, the number of such users\r\npeaked in 2020 and reached 3,660,236. In 2021, the number of affected users halved, and we saw 1,823,263 unique users\r\nattempting to download malicious or unwanted extensions. This year shows that in H1 1,311,557 users tried to download\r\nmalicious and unwanted extensions at least once. This is more than 70 percent of the number of users affected throughout\r\nthe whole of last year, despite 2022 having six months left to run.\r\nNumber of unique users affected by malicious or unwanted browser extensions (download)\r\nOur telemetry shows that the most common threat spread under the guise of browser extensions is adware — unwanted\r\nsoftware designed to promote affiliates rather than improve user experience. 
Such ads are usually based on the browser\r\nhistory to tap users’ interests, redirect them to affiliate pages that the adware developers earn money from or embed affiliate\r\nbanners and links in web pages. From January 2020 to June 2022, we observed more than 4.3 million unique users attacked\r\nby adware hiding in browser extensions, which means approximately 70 percent of all affected users encountered this threat.\r\nOf these, more than 1 million users encountered adware in the first half of 2022.\r\nAffiliate ads even appear on the side of the search result page — all to draw the user’s attention to it\r\nThe second most widespread threat was malware (a type of computer program designed to infect a legitimate user’s\r\ncomputer and inflict harm on it in multiple ways). The aim of some malicious extensions is to steal login credentials and\r\nother sensitive information. In addition to stealing cookies and data copied to the clipboard, they can function as keyloggers\r\n— monitoring software that is able to track and capture everything users type, making it a huge threat to victims’ sensitive\r\ndata, such as credentials and credit card details.\r\nFrom January 2020 to June 2022, we observed over 2.6 million unique users who were attacked by malware in the guise of a\r\nbrowser extension. This is 44 percent of all users who encountered malicious or unwanted extensions during this period.\r\nThe most common threat families in 2022 hiding as browser extensions\r\nTo provide a more detailed insight into how malicious and unwanted extensions operate, we also compiled an in-depth\r\nanalysis of four threat families. 
We analyzed if they are distributed in a legitimate web store or in a different way, what\r\nuseful extension functions they can use as a disguise, and how active they were in the first half of 2022.\r\nWebSearch\r\nThe most common threat in the first half of 2022 was the WebSearch adware family, detected as not-a-virus:HEUR:AdWare.Script.WebSearch.gen. In the first half of 2022, 876,924 unique users encountered WebSearch.\r\nTypically, this threat mimics tools for working with documents, such as DOC to PDF converters, document mergers, etc.\r\nFirst of all, WebSearch extensions change the browser’s start page so that, instead of the familiar Chrome page, the user sees\r\na minimalistic site consisting of a search engine and several links to third-party resources, such as AliExpress or Farfetch.\r\nThe transition to these resources is carried out through affiliate links — this is how attackers earn money from their\r\nextensions. The more often users follow these links, the more money the extension developers make.\r\nThe browser’s new-look home page after being hit by WebSearch\r\nAlso, the extension modifies the browser’s default search engine to search.myway[.]com, which can capture user queries,\r\ncollect and analyze them. Depending on what the user searched for, most relevant partner sites will be actively promoted in\r\nthe search results.\r\nWebSearch extensions track everything the user searches for, then promote these products with affiliate ads on search\r\nengines\r\nOffice workers, who often have to use PDF viewers or converters at work, may be the most frequent victims of this threat, as\r\nWebSearch mostly hides behind this functionality. 
Usually, the extension performs its declared useful function so that the\r\nuser doesn’t uninstall it.\r\nExamples of this family are:\r\nkpocjpoifmommoiiiamepombpeoaehfh EasyPDFCombine\r\nmallpejgeafdahhflmliiahjdpgbegpk PDF Viewer \u0026 Converter by FromDocToPDF\r\nfncbkmmlcehhipmmofdhejcggdapcmon EasyPDFCombine\r\nceopoaldcnmhechacafgagdkklcogkgd OnlineMapFinder\r\nmabloidgodmbnmnhoenmhlcjkfelomgp EasyDocMerge\r\nCurrently this extension is no longer available in the Chrome Web Store, but can still be downloaded from third-party file-sharing resources and installed manually.\r\nDealPly-related extensions\r\nDealPly-related extensions are adware, the first variations of which appeared back in late 2018, but remain popular with\r\ncybercriminals. These extensions are detected with the following verdicts:\r\nHEUR:AdWare.Script.Generic\r\nHEUR:AdWare.Script.Extension.gen.\r\nBetween January and June 2022, 97,515 unique Kaspersky users encountered DealPly-related add-ons.\r\nUnlike the WebSearch family, these extensions are not installed by the user, but by the adware executable DealPly, which\r\nKaspersky products detect as not-a-virus:AdWare.Win32.DealPly. Usually users get infected with DealPly when trying to\r\ndownload a loader of some hacked software from untrustworthy resources. Similar to the previous threat family, DealPly-related extensions also change the start page of the browser to place affiliate links on it.\r\nThe new start page of the browser consists mainly of links to affiliate websites\r\nIn order to intercept user requests, the default search engine is changed. 
All queries that users make on this search engine are\r\nanalyzed by the extension — based on the keywords entered in the queries, the user is redirected to a suitable partner site.\r\nThe threat analyzes the keyword “iPhone” and, based on this, suggests a suitable offer on the partner website\r\nTo provide persistence for its extensions, DealPly creates the following branches in the Windows registry:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\WOW6432Node\\Google\\Chrome\\Extensions\\bifdhahddjbdbjmiekcnmeiffabcfjgh\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Google\\Chrome\\Extensions\\bifdhahddjbdbjmiekcnmeiffabcfjgh\r\nHKEY_CURRENT_USER\\Software\\Google\\Chrome\\Extensions\\bifdhahddjbdbjmiekcnmeiffabcfjgh\r\nwith the value “update_url”=”hxxp[:]//juwakaha[.]com/update“. This value provides browsers with the path to extension\r\nupdates. Even if the user removes the add-on, each time the browser is launched it will download and reinstall it using this\r\npath. Note that the browser updates DealPly-related extensions, although they are installed from third-party servers, and not\r\nfrom the official Chrome Web Store.\r\nWe assume that the most frequent victims of this threat are those who download hacked software from dubious resources;\r\ncommon examples of programs that DealPly mimics are KMS activators (programs that activate hacked Windows for free)\r\nor cheatengine, used to hack computer games. In addition, DealPly can also mimic installers of various software, including\r\nproprietary software.\r\nExamples of DealPly-related extensions are:\r\nbifdhahddjbdbjmiekcnmeiffabcfjgh Internal Chromium Extension\r\nncjbeingokdeimlmolagjaddccfdlkbd Internal Chromium Extension\r\nnahhmpbckpgdidfnmfkfgiflpjijilce Search Manager\r\npilplloabdedfmialnfchjomjmpjcoej Search Manager\r\nAddScript\r\nAddScript is another threat family, hiding under the guise of browser extensions. The first samples of this family were seen\r\nin early 2019, and it remains active. 
In the first half of 2022, we observed 156,698 unique users that encountered AddScript.\r\nTypically, extensions of this family do have useful functions. For example, they can be tools for downloading music and\r\nvideos from social networks or proxy managers. However, in addition to the useful functionality, such extensions also carry\r\nout malicious activity.\r\nAddScript malicious code\r\nThe malicious code is obfuscated. When the extension is running, it contacts a hardcoded URL to get the C\u0026C server\r\naddress. It then establishes a connection to the C\u0026C server, receives malicious JavaScript from it, and runs it covertly. The\r\nonly way the user can notice the execution of third-party instructions is by the increased consumption of processor power.\r\nThe malicious script is updated from time to time and may perform various functions. For example, it can unobtrusively run\r\nvideos on the victim’s computer, so that its owners profit from the video being “viewed.” Another variant of malicious\r\nJavaScript performs cookie stuffing (also called “cookie dropping”). Traditionally, different brands promote affiliate\r\nproducts on their sites. When a visitor clicks the affiliate link, an affiliate cookie is saved on their device. If the user then\r\nmakes a purchase on the partner’s page, the owner of the site that saved the affiliate cookie gets a commission. AddScript\r\ndrops multiple affiliate cookies without the user clicking any links on any sites, in order to claim the commission for\r\ntransactions that happen in the browser. 
Put simply, the fraudsters trick websites into thinking they have sent them traffic\r\nwithout actually doing so.\r\nExamples of this family are:\r\nhdbipekpdpggjaipompnomhccfemaljm friGate3 proxy helper\r\nlfedlgnabjompjngkpddclhgcmeklana SaveFrom.net helper\r\naonedlchkbicmhepimiahfalheedjgbh Helper (an easy way to find the best prices)\r\noobppndjaabcidladjeehddkgkccfcpn Y2Mate – Video Downloader\r\nKaspersky products detect AddScript extensions with the verdict HEUR:Trojan.Script.Generic.\r\nFB Stealer\r\nAnother malicious browser extension family is FB Stealer. It is one of the most dangerous families, because in addition to\r\nthe already traditional search engine substitution, FB Stealer is able to steal user credentials from Facebook. From January to\r\nJune 2022, Kaspersky security solutions detected 3,077 unique users who encountered FB Stealer.\r\nFB Stealer is installed by the malware rather than by the user. Once added to the browser, it mimics the harmless and\r\nstandard-looking Chrome extension Google Translate.\r\ncolgdlijdieibnaccfdcdbpdffofkfeb Google Translate\r\nfdempkefdmgfcogieifmnadjhohaljcb Google Translate\r\nMalicious FB Stealer extension added from third-party resources. Browser warns that it has no information about this\r\nextension\r\nThe Trojan delivering FB Stealer is called NullMixer. It masquerades as a cracked software installer, and thus reaches users.\r\nNullMixer spreads through hacked software installers\r\nDownloading a password-protected archive with NullMixer inside\r\nThe extension files are stored in the resources section of the NullMixer executable and, during installation, are copied to the\r\n%AppData%\\Local\\Google\\Chrome\\User Data\\Default\\Extensions folder. 
The installer also modifies the Secure Preferences\r\nfile, which contains Chrome settings, including information about extensions. As soon as this is done, the extension becomes\r\nactive.\r\nSimilar to previous families, the extension changes the default search engine. In this case, it sets it to\r\nhxxps[:]//www.ctcodeinfo[.]com. In addition, the attackers extract Facebook session cookies — secrets stored in the browser\r\nthat hold identification data allowing users to stay logged in — and send them to their own servers. Using these cookies,\r\nthey are able to quickly log in to the victim’s Facebook account and hijack it by changing the login details. Once inside the\r\naccount, the attackers can ask the victim’s friends for money, trying to get as much as possible before the user regains access\r\nto the account.\r\nAttackers use script obfuscation techniques to hide malicious code\r\nConclusion and recommendations\r\nBrowser extensions remain one of the most common ways for cybercriminals to get money, whether by redirecting users to\r\naffiliate pages, cookie stuffing or even stealing the victim’s credentials. Hence, numerous users might wonder: is it worth\r\ndownloading browser extensions at all if they carry so many threats? We believe that extensions only improve the user\r\nonline experience, and some add-ons can even make devices a lot safer. That said, it’s important to keep an eye on how\r\nreputable and trustworthy the developer is, and what permissions the extension asks for. If you follow the recommendations\r\nfor safe use of browser extensions, the risk of encountering the threats described above will be minimal.\r\nTo stay safe while using browser add-ons:\r\nOnly use trusted sources to download software. Malware and unwanted applications are often distributed through\r\nthird-party resources, where no one checks their security like official web stores do. 
These applications may install\r\nmalicious or unwanted browser extensions without the user knowing about it, and perform other malicious or\r\nunwanted activity.\r\nSince extensions add extra functionality to browsers, they require access to various resources and permissions — you\r\nshould carefully examine add-on requests before agreeing to them.\r\nLimit the number of extensions used at any one time and periodically review your installed extensions. Uninstall\r\nextensions that you no longer use or that you do not recognize.\r\nUse a robust security solution. Private Browsing in Kaspersky Internet Security, for example, prevents online\r\nmonitoring and protects you from web threats.\r\nSource: https://securelist.com/threat-in-your-browser-extensions/107181",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/threat-in-your-browser-extensions/107181"
	],
	"report_names": [
		"107181"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434005,
	"ts_updated_at": 1775826751,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7ec170b71143e19a8897dcb8d4a006fa45afe194.pdf",
		"text": "https://archive.orkl.eu/7ec170b71143e19a8897dcb8d4a006fa45afe194.txt",
		"img": "https://archive.orkl.eu/7ec170b71143e19a8897dcb8d4a006fa45afe194.jpg"
	}
}