Socket’s Threat Research Team identified 108 malicious Chrome extensions operating as a coordinated campaign under a shared C2 infrastructure at cloudapi[.]stream.
This isn’t just a few rogue scripts; it’s a professional-grade malware operation. Collectively, these extensions account for approximately 20,000 installs, targeting everyone from casual gamers to Telegram power users.
The genius of this campaign lies in its camouflage. The extensions are spread across five distinct publisher identities—Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt—appearing to be separate entities to the casual observer. However, the code tells a different story: “All 108 route stolen credentials, user identities, and browsing data to servers controlled by the same operator”.
To lure victims, the attackers focused on utility and entertainment. “The extensions are published across several product categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and page utility extensions”.
The deception is deep. As the report notes: “Users installing a Telegram sidebar extension see a functional chat interface. Users installing a slot game get a working game. The legitimate surface exists, but so does malicious code running in the background, connected to a C2 server that can steal identities, exfiltrate sessions, and open arbitrary URLs in the user’s browser”.
Among the most dangerous tools in this arsenal is the Telegram Multi-account extension. It’s more than just a convenience tool; it’s a session-hijacking machine. “The most severe extension in the campaign is Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa). It steals the active Telegram Web session from the victim’s browser and transmits it to tg[.]cloudapi[.]stream/save_session.php every 15 seconds”. By polling every 15 seconds, the attacker maintains a live, mirrored view of the victim’s account.
Beyond Telegram, the campaign casts a wide net for Google credentials. Fifty-four of the extensions are designed to harvest Google account identities via OAuth2 tokens. While the tokens themselves never leave the browser, they are used to fetch the victim’s email, name, and persistent account identifier (the sub field), giving the operator a durable map of their victims that survives password changes.
The campaign also features a universal persistence mechanism. Forty-five of the extensions contain a function called loadInfo() in their background scripts. “The operator’s server receives the extension ID on every browser start. If the response includes infoURL, the extension silently opens that URL in a new tab”.
This backdoor operates independently of the user’s actions. It survives browser restarts and allows the attacker to force open any URL—from phishing pages to exploit kits—without the user ever touching the extension UI.
While the publishers have different names, the underlying infrastructure is unified. All 54 identity-stealing extensions use OAuth2 client IDs tied to just two Google Cloud projects, providing “the strongest single piece of evidence for unified ownership”.
The technical “fingerprints” also suggest an origin in the Eastern European region. Russian-language debug strings were found in the console output, and one of the primary support emails—kiev3381917@gmail[.]com—was found buried in the bundled privacy policy files.
Socket has already submitted takedown requests to the Chrome Web Store security team and Google Safe Browsing. Until these are fully purged, users are advised to audit their installed extensions and treat “third-party” sidebar clients with extreme caution.
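One way to act on that advice, covering both the loadInfo()/infoURL backdoor described above and the shared C2 domain: the audit script below walks a Chrome profile’s Extensions folder (Chrome’s on-disk layout is `<Extensions>/<extension id>/<version>/`) and flags any extension whose ID or bundled scripts match indicators quoted in this report. It is an added example, not Socket’s tooling; the indicator list is limited to what the report states, and the sample profile it builds is constructed marker text, not real extension code.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted from the report: C2 domain, session-exfil endpoint, loadInfo()/infoURL, bad ID.
IOC_PATTERNS = {
    "c2_domain": re.compile(r"cloudapi\.stream", re.I),
    "session_exfil": re.compile(r"save_session\.php", re.I),
    "loadinfo_backdoor": re.compile(r"\bloadInfo\s*\(|\binfoURL\b"),
}
KNOWN_BAD_IDS = {"obifanppcpchlehkjipahhphbcbjekfa"}  # Telegram Multi-account

def scan_extension(ext_dir):
    """Return {indicator: [file, ...]} for every hit inside one unpacked extension."""
    hits = {}
    for p in Path(ext_dir).rglob("*"):
        if not p.is_file() or p.suffix.lower() not in {".js", ".json", ".html"}:
            continue
        text = p.read_text(errors="ignore")
        for name, pat in IOC_PATTERNS.items():
            if pat.search(text):
                hits.setdefault(name, []).append(p.name)
    return hits

def scan_profile(extensions_root):
    """Walk Chrome's <Extensions>/<id>/<version>/ layout and return {id: [reasons]}."""
    flagged = {}
    for id_dir in Path(extensions_root).iterdir():
        if not id_dir.is_dir():
            continue
        reasons = {"known_bad_id"} if id_dir.name in KNOWN_BAD_IDS else set()
        for version_dir in id_dir.iterdir():
            reasons.update(scan_extension(version_dir))
        if reasons:
            flagged[id_dir.name] = sorted(reasons)
    return flagged

def run_demo():
    """Build a constructed profile (one benign, one suspicious extension) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0"
        good.mkdir(parents=True)
        (good / "background.js").write_text("console.log('constructed benign ext');")
        bad = Path(tmp) / "obifanppcpchlehkjipahhphbcbjekfa" / "2.3"
        bad.mkdir(parents=True)
        # Marker strings only (constructed), so the scanner has something to match.
        (bad / "background.js").write_text(
            "const C2 = 'https://tg.cloudapi.stream/save_session.php';\n"
            "function loadInfo() { /* constructed marker: infoURL */ }\n")
        return scan_profile(tmp)
```

To audit a real profile, call `scan_profile()` on the Extensions folder (for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows); a hit is a reason to inspect, not proof on its own.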