🚨 Overview
DomainTools and LayerX collaborated to uncover over 40 malicious Chrome extensions that serve dual purposes:
- Masquerading as legitimate tools such as VPNs, crypto utilities, and productivity apps
- Acting as phishing tools and as persistent access points into the victim's browser for the attackers
🧪 Origin of Discovery
- DomainTools’ Threat Intelligence team detected malicious infrastructure via DNS and domain behavior analytics
- Initial detection occurred through suspicious domains such as calendly-daily[.]com, aiwriter[.]expert, etc.
- Further analysis showed these domains were linked to browser extensions communicating with them regularly
📡 C2 Infrastructure & TTPs
- All extensions phone home to attacker-controlled domains
- Common TTPs (tactics, techniques, procedures) included:
- Brand impersonation using cloned extension pages
- AI-generated content for scalability
- Consistent publisher email patterns (e.g. support@[domain])
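Since every extension in the set phones home to one of the listed domains, DNS telemetry is the quickest place to hunt for victims. The following is an added example, not code from the DomainTools/LayerX write-up: it refangs the defanged domains as printed on this page and matches them (including subdomains, case-insensitively, and with a trailing dot) against constructed DNS query log lines in a made-up `timestamp client qtype qname` format; adapt `LOG_RE` to your resolver's actual format.

```python
"""Added example (not from the DomainTools/LayerX write-up): hunt DNS query logs
for the defanged C2 domains named on this page.

Assumptions: a simple 'ts client_ip qtype qname' log line format invented for this
example; the domains are copied from the page and refanged here.
"""
import re
from typing import List, Optional, Tuple

# Defanged C2 domains as printed on the page (a subset; the full list is in the table).
DEFANGED_C2 = [
    "calendly-daily[.]com",
    "aiwriter[.]expert",
    "forti-vpn[.]com",
    "manusai[.]sbs",
    "raccoon-vpn[.]world",
]


def refang(domain: str) -> str:
    """Turn 'example[.]com' or 'example(.)com' into 'example.com', normalised for matching."""
    return re.sub(r"[\[\(]\.[\]\)]", ".", domain).lower().rstrip(".")


C2_DOMAINS = frozenset(refang(d) for d in DEFANGED_C2)


def matches_c2(qname: str) -> Optional[str]:
    """Return the listed C2 domain that qname equals or is a subdomain of, else None."""
    name = qname.lower().rstrip(".")
    labels = name.split(".")
    # Walk from the full name up through its parents: api.forti-vpn.com -> forti-vpn.com -> com
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in C2_DOMAINS:
            return candidate
    return None


# Constructed sample log, format: "<ts> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 10.0.0.12 A www.google.com
2025-05-01T10:00:05Z 10.0.0.12 A api.forti-vpn.com.
2025-05-01T10:00:09Z 10.0.0.33 AAAA calendly-daily.com
2025-05-01T10:00:12Z 10.0.0.33 A notcalendly-daily.com
2025-05-01T10:00:20Z 10.0.0.7 A AIWRITER.EXPERT
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")


def find_c2_queries(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, qname, matched_c2) for every line that resolves a listed C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than crash the hunt
        hit = matches_c2(m["qname"])
        if hit:
            hits.append((m["client"], m["qname"], hit))
    return hits


if __name__ == "__main__":
    for client, qname, c2 in find_c2_queries(SAMPLE_LOG):
        print(f"{client} queried {qname} -> matches C2 domain {c2}")
```

Note that `notcalendly-daily.com` is deliberately not matched: the check walks label boundaries rather than doing a substring search, which is what keeps look-alike names from producing false positives.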
🎭 Dual Function: Utility + Exploitation
These extensions offer seemingly useful functions like PDF converters, crypto trackers, or calendar apps — while simultaneously:
- Tracking keystrokes and clipboard data
- Capturing tokens/session data
- Redirecting users to phishing pages
🧠 LayerX Extension Analysis
LayerX investigated each browser extension by:
- Collecting extension IDs, names, publishers, and metadata
- Cross-referencing permissions and update timestamps
- Identifying overlapping infrastructure and branding
📋 List of Malicious Extension IDs
Extension ID | Extension Name | Publisher |
---|---|---|
ccollcihnnpcbjcgcjfmabegkpbehnip | FortiVPN | https://forti-vpn[.]com/ |
aeibljandkelbcaaemkdnbaacppjdmom | Manus AI \| Free AI Assistant | https://manusai[.]sbs |
fcfmhlijjmckglejcgdclfneafoehafm | Site Stats | https://sitestats[.]world |
abbngaojehjekanfdipifimgmppiojpl | Clothing Brand Name Generator | https://clothingbrandnamegenerator[.]app |
dohmiglipinohflhapdagfgbldhmoojl | DeBank – Digital Assets | winchester[.]abram37 |
acmiibcdcmaghndcahglamnhnlmcmlng | AML Sector \| Free Crypto AML Checker | https://amlsector[.]com |
mipophmjfhpecleajkijfifmffcjdiac | Crypto Whales Vision | https://cryptowhalesvision[.]world |
cknmibbkfbephciofemdjndbgebggnkc | Calendly Daily | https://calendly-daily[.]com |
gmigkpkjegnpmjpmnmgnkhmoinpgdnfc | Calendly Docket | https://calendly-docket[.]com |
ahgccenjociolkbpgbfibmfclcfnlaei | CreativeHunter – Free tool for Facebook | https://creativehunter[.]world |
kjhjnbdjonamibpaalanflmidplhiehe | Twin Web | https://twin-web[.]world |
pobknfocgoijjmokmhimkfhemcnigdji | EventSphere | https://eventphere[.]com |
iclckldkfemlnecocpphinnplnmijkol | SQLite browser | https://sqlitebrowser[.]app |
jmpcodajbcpgkebjipbmjdoboehfiddd | DeepSeek AI Chat | https://ai-chat-bot[.]pro |
ihdnbohcfnegemgomjcpckmpnkdgopon | AI Sentence Rewriter | https://ai-sentence-rewriter[.]com |
oeefjlikahigmlnplgijgeeecbpemhip | Convert PDF to JPG | https://pdf-to-jpg[.]app |
aofddmgnidinflambjlfkpboeamdldbd | HTML validator | https://htmlvalidator[.]app |
acchdggcflgidjdcnhnnkfengdcmldae | CMS Checker | https://cmschecker[.]app |
albakpncdngcejcjdahomfbkakbmafgb | Hourly to salary calculator | https://hourlytosalarycalculator[.]app |
hhlcpmdhlcoghhfgiiopcjbkfmdliknc | CSS validator | https://cssvalidator[.]app |
eheagnmidghfknkcaehacggccfiidhik | Email checker | https://email-checker[.]pro |
ckcfkaikieiicfdeomgehmnjglnofhde | Crypto Whale Alert | https://crypto-whale[.]top |
pbpobpjppnecgcinajfpaninmjkdbidm | Web Analytics | https://web-analytics[.]top |
gdfjahfbaillhkeigeinoomhjnfajbon | Ad Vision | https://ad-vision[.]click |
eoalbaojjblgndkffciljmiddhgjdldh | Madgicx Plus | https://madgicx-plus[.]com |
odhmhkkhpibfjijmpgcdjondompgocog | Similar Net | https://similar-net[.]com |
ohhhngpnknpdhmdmpmoccgjmmkkleipn | Meta Spy | https://meta-spy[.]help |
nejfdccopmpimplhmmdfjobodgeaoihd | Free VPN – Raccoon | https://raccoon-vpn[.]world |
dhhmopcmpiadcgchhhldcpoeppcofdic | Free VPN – Orchid | https://orchid-vpn[.]com |
ffmfnniephcagojkpjddjiogjeoijjgl | VPN Free – Soul VPN | https://soul-vpn[.]com |
nabbdpjneieneepdfnmkdhooellilgho | Website monitoring | https://websitemonitoring[.]pro |
mldeggofnfaiinachdeidpecmflffoam | AI Writer | https://aiwriter[.]expert |
pndmbpnfolikhfnfnkmjkkpcgkmaibec | AI Ad Generator | https://aiadgenerator[.]app |
elipckbifniceedgalakgnmgeimfdcdi | Headline Generator | https://headlinegenerator[.]app |
kkgmdjjpobmenpkhcclceelekpbnnana | Web Watch | https://webwatch[.]world |
dcnjgfafcnopabhpgoekkgckgkkddpjg | YouTube Vision | https://youtube-vision[.]world |
mllkmmdaapekjehapekhjjiednchgmag | Web Metrics | https://web-metrics[.]link |
bhahpmoebdipfoaadcclkcnieeokebnf | Bitcoin price live | https://bitcoin-price[.]live |
oliiideaalkijolilhhaibhbjfhbdcnm | Link shortener | https://u99[.]pro |
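The LayerX analysis above (IDs, metadata and permissions) and the ID list are exactly what an endpoint check needs. The following is an added example and not LayerX's tooling: it walks a Chrome profile's unpacked extension directory (`Extensions/<id>/<version>/manifest.json`), flags any extension whose ID appears in the table, and also flags extensions that are not in the table but declare one of the listed domains in their `permissions`, `host_permissions` or content-script `matches`, reporting the permissions each one requested. The three sample extensions it builds in a temporary directory are constructed for the demo; only three IDs and domains from the table are embedded to keep the block short, so extend `MALICIOUS_IDS` and `C2_DOMAINS` with the full table before running it for real.

```python
"""Added example, not LayerX's tooling: scan a Chrome profile's unpacked extensions
for the extension IDs and C2 domains listed on this page.

Assumptions: Chrome's on-disk layout of Extensions/<id>/<version>/manifest.json
(e.g. ~/.config/google-chrome/Default/Extensions on Linux,
~/Library/Application Support/Google/Chrome/Default/Extensions on macOS,
%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions on Windows).
The sample extensions created by build_sample_profile() are constructed.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Subset of the IDs and publisher domains from the table on this page.
MALICIOUS_IDS = {
    "ccollcihnnpcbjcgcjfmabegkpbehnip": "FortiVPN",
    "cknmibbkfbephciofemdjndbgebggnkc": "Calendly Daily",
    "mldeggofnfaiinachdeidpecmflffoam": "AI Writer",
}
C2_DOMAINS = {"forti-vpn.com", "calendly-daily.com", "aiwriter.expert"}

MATCH_PATTERN_RE = re.compile(r"^[a-z*]+://([^/]+)/")  # scheme://host/path


def hosts_in_manifest(manifest: dict) -> Set[str]:
    """Collect hostnames from permissions, host_permissions and content_scripts matches."""
    patterns = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        patterns += cs.get("matches", [])
    hosts = set()
    for p in patterns:
        m = MATCH_PATTERN_RE.match(str(p))
        if m:  # "<all_urls>" and API permissions such as "cookies" do not match and are skipped
            hosts.add(m.group(1).lstrip("*.").lower())
    return hosts


def listed_c2_hosts(hosts: Set[str]) -> Set[str]:
    """Return the listed C2 domains that a declared host equals or is a subdomain of."""
    return {c2 for c2 in C2_DOMAINS for h in hosts if h == c2 or h.endswith("." + c2)}


def scan_extensions_dir(ext_root: Path) -> List[Dict]:
    """Return one finding per installed extension that matches a listed ID or C2 domain."""
    findings = []
    for manifest_path in ext_root.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable manifest: do not abort the whole scan
        reasons = []
        if ext_id in MALICIOUS_IDS:
            reasons.append(f"known-bad id ({MALICIOUS_IDS[ext_id]})")
        bad_hosts = listed_c2_hosts(hosts_in_manifest(manifest))
        if bad_hosts:
            reasons.append("declares C2 host " + ", ".join(sorted(bad_hosts)))
        if reasons:
            findings.append({
                "id": ext_id,
                "version": manifest_path.parent.name,
                "name": manifest.get("name", "?"),
                "permissions": sorted(manifest.get("permissions", [])),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["id"])


def build_sample_profile(root: Path) -> Path:
    """Constructed sample: a listed ID, an unlisted ID that talks to a listed domain, and a benign one."""
    samples = {
        ("ccollcihnnpcbjcgcjfmabegkpbehnip", "1.2.0"): {
            "manifest_version": 3, "name": "FortiVPN",
            "permissions": ["storage", "proxy", "webRequest"], "host_permissions": ["<all_urls>"],
        },
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "0.9.1"): {
            "manifest_version": 3, "name": "Calendar Helper",
            "permissions": ["tabs", "cookies"], "host_permissions": ["https://*.calendly-daily.com/*"],
        },
        ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "2.0.0"): {
            "manifest_version": 3, "name": "Benign Notes", "permissions": ["storage"],
        },
    }
    ext_root = root / "Default" / "Extensions"
    for (ext_id, version), manifest in samples.items():
        d = ext_root / ext_id / version
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return ext_root


def demo() -> List[Dict]:
    """Run the scanner over the constructed profile and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions_dir(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Matching on declared hosts as well as IDs matters because the same infrastructure can be reused under a fresh extension ID after a takedown; an extension that is not in the table but asks for `https://*.calendly-daily.com/*` still deserves a look. Force-installed or enterprise-policy extensions can live outside the profile directory, so treat an empty result as "nothing found in this profile", not as a clean host.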
For the official source and future updates, visit: LayerX Security Blog