Researchers have discovered a campaign of malicious browser extensions available in the official Chrome and Edge web stores. The extensions, which were downloaded over 2 million times, offered legitimate functionality but secretly deployed browser hijacking mechanisms to track users’ online behavior.
The malicious extensions, dubbed “sleeper agents,” were able to remain undetected for months before activating their tracking capabilities. Once activated, the extensions captured URL data, sent it to remote servers, and received instructions from command and control (C&C) servers. The C&C servers then redirected users to fake websites or instructed them to download malware.
One example of a malicious extension was a search extension that posed as ChatGPT. When clicked, it redirected users to a fake update page that led them to download additional malware onto their systems. In total, 1.7 million people installed the malicious extensions from Chrome and 2.3 million users were affected.
To protect themselves, users should check for the presence of these malicious extensions and take the following steps:
– Clear all browsing data
– Monitor accounts for suspicious activity
– Enable two-factor authentication
– Reset browser settings to default
– Keep browsers and extensions up to date
– Run a full-system Malwarebytes scan
It is essential to be cautious when installing browser extensions, as not all extensions available in official web stores are safe. In fact, the risk of downloading an extension from outside the web store is even greater due to the lack of review and testing processes.
The list of malicious extensions includes Emoji keyboard online, Free Weather Forecast, Unlock Discord, and others. Users can check their browser for these extensions and take immediate action to protect themselves from potential harm.
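The check described above can be scripted. The following Python script is an added example, not code from the source article or from Malwarebytes: it walks a Chrome or Edge user-data directory and flags installed extensions whose display name matches the names listed on this page, resolving localized `__MSG_...__` placeholders that would otherwise hide the real name. It matches on names only because this page gives no extension IDs, and the Linux Chrome path in the main guard is an assumption.

```python
import json
import re
from pathlib import Path

# Names taken from the list on this page; the page says there are others.
WATCHLIST = {"emoji keyboard online", "free weather forecast", "unlock discord"}

def _load(path):
    # Manifests may start with a UTF-8 BOM; utf-8-sig handles both cases.
    return json.loads(path.read_text(encoding="utf-8-sig"))

def display_name(ext_dir):
    """Return the human-readable name, resolving __MSG_key__ placeholders."""
    manifest = _load(ext_dir / "manifest.json")
    name = manifest.get("name", "")
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if m:
        locale = manifest.get("default_locale", "en")
        messages = _load(ext_dir / "_locales" / locale / "messages.json")
        # Message keys are case-insensitive in the extension i18n system.
        lowered = {k.lower(): v for k, v in messages.items()}
        name = lowered.get(m.group(1).lower(), {}).get("message", name)
    return name

def scan(user_data_dir, watchlist=WATCHLIST):
    """Return sorted (profile, extension_id, version, name) watchlist hits."""
    hits = []
    # Layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        ext_dir = manifest.parent
        try:
            name = display_name(ext_dir)
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest: skip, do not crash
        if name.strip().lower() in watchlist:
            profile, ext_id = ext_dir.parents[2].name, ext_dir.parent.name
            hits.append((profile, ext_id, ext_dir.name, name))
    return sorted(hits)

if __name__ == "__main__":
    # Assumed default Chrome location on Linux; adjust for Edge or other OSes.
    for hit in scan(Path.home() / ".config/google-chrome"):
        print(*hit, sep="\t")
```

A name match is a prompt to inspect that extension on the browser's extensions page, not proof of compromise, since unrelated extensions can share a name.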
Source: https://www.malwarebytes.com/blog/news/2025/07/millions-of-people-spied-on-by-malicious-browser-extensions-in-chrome-and-edge