Security researchers from LayerX have uncovered a large and well-organized campaign involving at least 12 malicious browser extensions on Google Chrome and Microsoft Edge.
These extensions were disguised as TikTok video download tools, tricking users into installing them. In reality, they were designed to track user behavior and collect sensitive information. The campaign has already affected more than 130,000 users, with thousands of installations still active.
Instead of building each extension from scratch, the attackers reused a single core codebase. They simply changed names and branding, using titles like “TikTok Video Downloader” or “Mass TikTok Downloader.” When one extension was removed from the store, a nearly identical version was quickly uploaded again, often using the same images and descriptions.
Some of these malicious extensions even received a “Featured” badge in official marketplaces, which increased user trust and led to higher download numbers.
How the Attack Works
A key part of this campaign is the use of remote configuration. The extensions are built using Manifest V3 (MV3), which allows them to fetch instructions from attacker-controlled servers after installation.
This means the extensions do not show harmful behavior immediately. Instead, they operate normally for several months, sometimes six to twelve, building a positive reputation and avoiding suspicion.
Once enough users have installed them, the attackers activate malicious features remotely. At that point, the extensions can change their behavior instantly without any update or user permission.
They can modify their functions, enable hidden features, redirect traffic to unsafe websites, and expand the amount of data they collect over time.
Data Collection and User Tracking
After activation, the extensions begin collecting detailed user data. This goes beyond basic tracking and is used to create a strong digital fingerprint for each user.
The collected data includes browsing patterns, frequency of use, details about downloaded content, system language, and time zone settings. They also track device battery status, which is an unusual but highly specific signal that helps identify users more accurately.
This combination of data allows attackers to track users across multiple sessions and websites.
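The two sections above describe signals a reviewer can look for before an extension ever runs: a broad host grant in the manifest, a background worker that pulls configuration from a remote host on a timer, and reads of the browser APIs used for fingerprinting (battery, language, time zone). The script below is an added example of that static triage; it is not LayerX's tooling or code from the extensions in the campaign. The manifest and service worker it scans are constructed samples, and the host name uses the reserved .invalid TLD as a placeholder.

```python
"""Static triage of an unpacked browser extension for the signals described
in this article: broad host access, a background worker that pulls its
configuration from a remote server on a timer, and calls to the browser
APIs used for fingerprinting (battery, language, time zone).

Added example, not code from LayerX or from the extensions in the campaign.
The manifest and script below are constructed samples; the host name uses
the reserved .invalid TLD as a placeholder.
"""
import json
import re
from typing import Dict, List

# Constructed sample manifest.json (MV3 layout with a background service worker).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Video Downloader (constructed sample)",
    "version": "1.4.2",
    "permissions": ["storage", "alarms", "tabs", "scripting"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

# Constructed sample service worker: fetches a config blob on a timer and
# reads fingerprinting signals.  Illustrative only, not the campaign's code.
SAMPLE_SOURCES: Dict[str, str] = {
    "bg.js": r"""
const CONFIG_URL = "https://config.example-placeholder.invalid/v1/settings";
chrome.alarms.create("refresh", { periodInMinutes: 360 });
chrome.alarms.onAlarm.addListener(async () => {
  const cfg = await (await fetch(CONFIG_URL)).json();
  await chrome.storage.local.set({ cfg });
});
async function profile() {
  const bat = await navigator.getBattery();
  return {
    lang: navigator.language,
    tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
    level: bat.level,
  };
}
""",
}

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMISSIONS = ("scripting", "tabs", "alarms", "webRequest", "declarativeNetRequest")

# Source patterns, each mapped to a finding code.  They are triage hints for a
# human reviewer, not proof of malice: legitimate extensions use some of them.
SOURCE_SIGNALS = {
    "REMOTE_FETCH": re.compile(r"\bfetch\s*\(|\bXMLHttpRequest\b"),
    "PERIODIC_ALARM": re.compile(r"chrome\.alarms\.create\s*\("),
    "FP_BATTERY": re.compile(r"navigator\.getBattery\s*\("),
    "FP_TIMEZONE": re.compile(r"resolvedOptions\s*\(\s*\)\s*\.timeZone"),
    "FP_LANGUAGE": re.compile(r"navigator\.languages?\b"),
}
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def audit_extension(manifest_json: str, sources: Dict[str, str]) -> List[str]:
    """Return sorted finding codes for one unpacked extension directory."""
    manifest = json.loads(manifest_json)
    findings = set()

    if set(manifest.get("host_permissions", [])) & BROAD_HOSTS:
        findings.add("BROAD_HOST_PERMISSIONS")
    perms = set(manifest.get("permissions", []))
    findings.update(f"PERM_{p.upper()}" for p in RISKY_PERMISSIONS if p in perms)

    for src in sources.values():
        findings.update(code for code, rx in SOURCE_SIGNALS.items() if rx.search(src))
        # Every hard-coded remote host is worth listing, since remote
        # configuration is what lets behaviour change without a store update.
        findings.update(f"REMOTE_HOST:{host}" for host in URL_RE.findall(src))

    # The combination the article describes: periodic remote fetch plus
    # fingerprinting reads.  Escalate it for manual review.
    fingerprinting = any(c.startswith("FP_") for c in findings)
    if {"REMOTE_FETCH", "PERIODIC_ALARM"} <= findings and fingerprinting:
        findings.add("ESCALATE_REMOTE_CONFIG_WITH_FINGERPRINTING")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_extension(SAMPLE_MANIFEST, SAMPLE_SOURCES):
        print(finding)
```

The finding codes are deliberately coarse. A remote fetch on a timer is common in benign extensions, so the script only escalates when it coincides with fingerprinting reads; the listed remote hosts are what a reviewer should follow up on, because a clean package can still be steered later by whatever that host serves.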
Command and Control System
The extensions rely on external servers to receive instructions. These servers provide configuration files that control how the extensions behave.
To avoid detection, the attackers use typosquatting techniques, creating domain names that look very similar to legitimate ones. Small spelling changes make them appear trustworthy at first glance, helping them bypass basic checks.
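The typosquatting described above is a check defenders can automate: compare the hosts an extension contacts against the domains it legitimately needs and flag anything that imitates them. The code below is an added example, not LayerX's or the campaign's code. The reference domain and every candidate host in it are constructed test inputs, not indicators from the campaign, and the registrable-label logic is a stated simplification (no public-suffix list) that a production version would replace.

```python
"""Screen outbound hosts for lookalikes of domains an extension legitimately
needs, the typosquatting pattern the article describes.

Added example, not LayerX's or the campaign's code.  The reference list and
the candidates in the tests are constructed; none is an indicator from the
campaign.  The registrable-label logic is naive (no public-suffix list), an
assumption stated here so it can be replaced in real use.
"""
from typing import Dict, Iterable, Optional, Tuple

# Characters and digraphs commonly swapped for visually similar ones.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def registrable_label(domain: str) -> str:
    """Second-level label of a host name, e.g. 'tiktok' for 'www.tiktok.com'.
    Assumes single-label public suffixes (naive; see module docstring)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Fold common homoglyphs so 'tikt0k' and 'tiktok' compare equal."""
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a rolling row, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(candidate: str, legit: Iterable[str], max_distance: int = 2) -> Optional[Tuple[str, str]]:
    """Return (reference_domain, reason) when candidate imitates a reference
    domain, or None.  Exact matches and true subdomains are not lookalikes."""
    legit = [d.lower().rstrip(".") for d in legit]
    host = candidate.lower().rstrip(".")
    if any(host == ref or host.endswith("." + ref) for ref in legit):
        return None
    label = registrable_label(host)
    for ref in legit:
        ref_label = registrable_label(ref)
        if label == ref_label:
            return ref, "same-label-other-tld"
        if normalize(label) == ref_label:
            return ref, "homoglyph"
        if ref_label in label.split("-") or label.startswith(ref_label) or label.endswith(ref_label):
            return ref, "brand-embedded"
        if levenshtein(label, ref_label) <= max_distance:
            return ref, "edit-distance"
    return None


def screen_hosts(hosts: Iterable[str], legit: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each suspicious host to (reference_domain, reason); clean hosts are omitted."""
    legit = list(legit)
    flagged = {}
    for h in hosts:
        hit = lookalike_of(h, legit)
        if hit:
            flagged[h] = hit
    return flagged


if __name__ == "__main__":
    # Constructed candidates; the .invalid TLD marks the obviously fake one.
    print(screen_hosts(["www.tiktok.com", "tikt0k.com", "tiktok-video-dl.invalid"], ["tiktok.com"]))
```

Edit distance alone produces false positives for short reference labels, which is why the checks run in order from most to least specific and the distance threshold is a parameter. Hits from this screen are review items, not verdicts: the point is that a host close to a legitimate name passes a glance but not a comparison.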
Although the campaign has not been officially linked to a specific hacking group, the shared infrastructure and coordinated activity suggest a single, organized threat actor behind it.
Why This Is a Serious Threat
This campaign highlights a major weakness in browser security. Most security checks are applied only at installation time, assuming that an approved extension will remain safe.
However, these extensions change their behavior later using remote commands, making them difficult to detect. Since they operate within the browser, they can access sensitive data and may even be used in larger attacks, such as data theft or botnet activity.
To defend against such threats, security experts recommend continuous monitoring of extension behavior, rather than relying only on initial approval checks.
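The closing recommendation, continuous monitoring of behavior rather than a one-time approval check, can be made concrete. Because a remotely activated extension changes its traffic rather than its files, one practical signal is a destination the extension never contacted during its quiet period. The script below is an added example of that baseline-and-diff approach; it is not LayerX's or any vendor's tooling. Its log format (one line per connection with a timestamp, an extension label and a destination host) is constructed for illustration, as are the extension labels and hosts, so real browser or proxy logs would need their own parser.

```python
"""Behavioural monitoring of extension egress, as the article's closing
recommendation suggests: learn which hosts each extension contacts during a
baseline window, then flag any destination that appears for the first time
afterwards.  A remotely activated extension changes its traffic, not its
files, so this catches what an install-time review cannot.

Added example, not LayerX's or any vendor's tooling.  The log format below is
constructed for illustration (one line per connection: timestamp, extension
label, destination host); real browser or proxy logs will need their own
parser.  Extension labels and hosts are placeholders.
"""
import re
from datetime import datetime
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+ext=(?P<ext>\S+)\s+dst=(?P<dst>\S+)")

# Constructed sample log: one extension quietly adds a new destination months
# after its early traffic was recorded.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z ext=ext-downloader-a dst=video.example-cdn.invalid
2024-03-02T09:15:00Z ext=ext-downloader-a dst=video.example-cdn.invalid
2024-03-03T11:05:00Z ext=ext-notes-b dst=sync.example-notes.invalid
2024-09-10T02:30:00Z ext=ext-downloader-a dst=video.example-cdn.invalid
2024-09-10T02:30:05Z ext=ext-downloader-a dst=cfg.exarnple-cdn.invalid
2024-09-11T02:30:05Z ext=ext-downloader-a dst=cfg.exarnple-cdn.invalid
2024-09-12T14:00:00Z ext=ext-notes-b dst=sync.example-notes.invalid
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse lines into (timestamp, extension, destination); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["ext"], m["dst"]))
    return events


def new_destinations(text: str, baseline_end: str) -> List[Tuple[str, str, str]]:
    """Return (extension, host, first_seen) for every host an extension first
    contacted after the baseline window closed.  Later repeats are not
    re-reported, so the output is one row per new (extension, host) pair."""
    cutoff = datetime.fromisoformat(baseline_end.replace("Z", "+00:00"))
    baseline: Dict[str, Set[str]] = {}
    first_seen: Dict[Tuple[str, str], str] = {}
    for ts, ext, dst in sorted(parse_log(text)):
        if ts <= cutoff:
            baseline.setdefault(ext, set()).add(dst)
        elif dst not in baseline.get(ext, set()) and (ext, dst) not in first_seen:
            first_seen[(ext, dst)] = ts.isoformat()
    return [(ext, dst, when) for (ext, dst), when in sorted(first_seen.items())]


if __name__ == "__main__":
    for row in new_destinations(SAMPLE_LOG, "2024-06-01T00:00:00Z"):
        print("new destination:", *row)
```

The baseline window should be long enough to cover an extension's normal destinations but it will never be long enough to outlast an actor willing to wait many months, which is why the check runs continuously against fresh logs rather than once. A new host is a review trigger; whether it is a CDN change or a newly activated configuration server is decided by looking at what it serves.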