{
	"id": "d97d4d40-0189-427c-aae0-e79888fc4b69",
	"created_at": "2026-04-06T01:31:22.262562Z",
	"updated_at": "2026-04-10T13:11:29.917394Z",
	"deleted_at": null,
	"sha1_hash": "eab93a2749c296e485caaf80012ad055827e6216",
	"title": "Threat actor goes on a Chrome extension hijacking spree | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2902669,
	"plain_text": "Threat actor goes on a Chrome extension hijacking spree | Proofpoint US\r\nBy Kafeine, August 14, 2017\r\nPublished: 2017-08-14 · Archived: 2026-04-06 00:57:23 UTC\r\nOverview\r\nChrome Extensions are a powerful means of adding functionality to the Chrome browser with features ranging from easier posting of content on social media to integrated developer tools. At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.\r\nWe specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3” [8][10], “CopyFish 2.8.5” [9], “Web Paint 1.2.1” [11], and “Social Fixer 20.1.1” [12] were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June.\r\nAnalysis\r\nOn August 12 Chris Pederick reported [1] that his Extension, Web Developer for Chrome, had been compromised (Figure 1).\r\nFigure 1: Chris Pederick’s tweet from August 2, 2017 regarding the compromise of his Web Developer for Chrome Extension\r\nWe retrieved the compromised version and isolated the injected code.\r\nFigure 2: Web Developer 0.4.9 Chrome Extension published by a bad actor after the legitimate extension was compromised\r\nhttps://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree\r\nPage 1 of 14\r\nFigure 3: Snippet of the inserted code in content.js from the compromised version of Web Developer 0.4.9\r\nIn general terms, the compromised extension first checks to ensure that the Chrome Extension has been installed for 10 minutes using the following line of code:\r\nif ((Date.now() - installed) \u003e 10 * 60 * 1000)\r\nBefore proceeding with the rest of the extension code, compromised components of the extension retrieve a remote file, ga.js, over HTTPS from a server whose domain is generated via a domain generation algorithm (DGA):\r\nvar date = new Date();\r\nvar day = date.getUTCDate();\r\nvar month = date.getUTCMonth() + 1;\r\nvar year = date.getUTCFullYear();\r\nvar hour = date.getUTCHours();\r\nvar d = day + '-' + month + '-' + year;\r\nvar hash = \"wd\" + md5(d) + \".win\";\r\nOn August 2, for example, the network request was:\r\nhttps://wd7bdb20e4d622f6569f3e8503138c859d[.]win/ga.js.\r\nAt that time, the file was served by Cloudflare.\r\nThe day after, the network request was:\r\nhttps://wd8a2b7d68f1c7c7f34381dc1a198465b4[.]win/ga.js\r\nFigure 4: Step 1 remote ga.js code called by the victim’s browser using the compromised extension - retrieved August 3, 2017\r\nFigure 5: Array contained in the ga.js after unescaping; note that Cloudflare immediately removed the domains when we notified them of the malicious activity\r\nThe code from this first step allows the threat actors to conditionally call additional scripts, including some to harvest Cloudflare credentials:\r\nFigure 6: Conditionally called Step 2 script allowing the actor to grab and exfiltrate Cloudflare credentials after the victim’s login\r\nAt step 2, several other scripts can be called (Figure 7):\r\nFigure 7: Some of the calls generated by the injected ga.js\r\nAs shown in Figure 8, the compromised version of the extension attempts to substitute ads on the victim’s browser, hijacking traffic from legitimate advertising networks.\r\nFigure 8: Sample of strings that trigger a substitution attempt (from 973820_BNX.js?rev=133)\r\nWhile the attackers substituted ads on a wide range of websites, they devoted most of their energy to carefully crafted substitutions on adult websites (Figure 9).\r\nFigure 9: Code snippet demonstrating the extensive effort involved in properly substituting advertisements in adult websites; retrieved on August 3, 2017 from 973820_BNX.js?rev=133\r\nFigure 10 shows several additional triggers for advertising substitutions, again on adult websites and particular advertising networks:\r\nFigure 10: Other substitution triggers (695529_BNX.js?rev=144)\r\nThe advertising substitutions work for a specific set of 33 common banner sizes including 468x60, 728x90, and many more spanning numerous aspect ratios (Figure 11).\r\nFigure 11: Banner formats handled by the compromised extension based on a version retrieved on August 3, 2017 from 973820_BNX.js?rev=133\r\nThe advertising calls themselves specify the substituted banner format. For example, one particular ad call read:\r\nb.partner-net[.]men/code/x/b/?pid=973820\u0026adu=0\u0026s=468x60\r\nIn many cases, victims were presented with fake JavaScript alerts prompting them to “repair” their PC, then redirecting them to affiliate programs from which the threat actors could profit. Figure 12 shows a malvertising chain that brings users from the fake alert to an affiliate site; we observed the compromised extension directing victims to two such affiliates, although others may also have been used.\r\nFigure 12: Chain to affiliate program from a fake JavaScript alert\r\nThe code generating the fake alert page is shown in Figure 13:\r\nFigure 13: Code generating the fake JavaScript alert\r\nFigure 14: One of the affiliate programs receiving the hijacked traffic\r\nFigure 15: Another affiliate program receiving the hijacked traffic\r\nThe popup alerts were also reported in May with the “Infinity New Tab” compromise. The involved code in that compromised extension [5] is almost identical, but the DGA was slightly different:\r\nvar day = date.getDate();\r\nvar month = date.getMonth() + 1;\r\nvar year = date.getFullYear();\r\nvar d = month + '/' + year;\r\nvar tds_url = 'http://' + md5(d) + '.pro/tds.php?subid=ce';\r\nThe same malicious activity was also reported in some fake EU Cookie-Consent alerts [6] (Figure 16). The server involved in those cases, browser-updates[.]info, is the same as the one used in the “Infinity New Tab” case and most likely is an old front for the same backend as redirect2[.]top and loading[.]website. While those details are outside the scope of this blog, it is worth noting that examining these activities allows us to trace them back to @BartBlaze’s post from July 2016 [7]:\r\nFigure 16: One of the servers currently used by this group to publish a trapped cookie-consent JavaScript script\r\nFigures 17-19 show that this activity is able to generate substantial traffic:\r\nFigure 17: Alexa report on browser-update[.]info\r\nFigure 18: Similarweb report on searchtab[.]win\r\nFigure 19: Alexa report on partner-net[.]men\r\nThe Phishing\r\nOur colleagues at Phishme have already examined the credential phishing that originally allowed the actors to compromise the extensions [3]; the Web Developer extension case was almost identical:\r\nFigure 20: Screenshot of the email used to harvest extension coder credentials\r\nConclusion\r\nThreat actors continue to look for new ways to drive traffic to affiliate programs [13] and effectively surface malicious advertisements to users. In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions. In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.\r\nAcknowledgements\r\nWe would like to thank Cloudflare for their immediate action upon notification of malicious activity using their hosting service.\r\nWe would also like to thank Chris Pederick (author of the Web Developer extension) for sharing data tied to the phishing and for how he and the CopyFish author transparently handled the incidents.\r\nReferences\r\n[1] https://twitter.com/chrispederick/status/892768218162487300\r\n[2] http://chrispederick.com/blog/web-developer-for-chrome-compromised/\r\n[3] https://phishme.com/even-smart-ones-fall-phishing/\r\n[4] https://www.centbrowser.com/forum/printthread.php?tid=1394\u0026page=2\r\n[5] https://pastebin.com/pHf7EHRG\r\n[6] https://forum.joomla.org/viewtopic.php?t=956912\r\n[7] https://bartblaze.blogspot.co.uk/2016/07/eu-cookie-law-and-fake-chrome-extensions.html\r\n[8] http://infinitynewtab.com/notice.html\r\n[9] https://a9t9.com/blog/chrome-extension-adware/\r\n[10] https://pastebin.com/pHf7EHRG\r\n[11] https://gist.github.com/FelixWolf/066fd5ca2672f15089e7712827140bd9\r\n[12] https://www.facebook.com/socialfixer/posts/10155117415829342\r\n[13] https://www.proofpoint.com/us/threat-insight/post/pyramid-schemes-go-high-tech-affiliate-spam-and-malware-affiliates\r\nIndicators of Compromise\r\nIOCs\r\nSource: https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/threat-actor-goes-chrome-extension-hijacking-spree"
	],
	"report_names": [
		"threat-actor-goes-chrome-extension-hijacking-spree"
	],
	"threat_actors": [],
	"ts_created_at": 1775439082,
	"ts_updated_at": 1775826689,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eab93a2749c296e485caaf80012ad055827e6216.pdf",
		"text": "https://archive.orkl.eu/eab93a2749c296e485caaf80012ad055827e6216.txt",
		"img": "https://archive.orkl.eu/eab93a2749c296e485caaf80012ad055827e6216.jpg"
	}
}