Cybereason Security Services has uncovered a malicious Chrome extension campaign targeting Meta (Facebook and Instagram) advertisers. Branded as “Madgicx Plus,” a fake AI-driven ad optimization tool, the extension is designed to hijack business sessions, steal credentials, and compromise advertiser accounts.
According to Cybereason, “the latest version shifts focus to Meta (Facebook/Instagram) advertisers through a newly crafted lure: ‘Madgicx Plus,’ a fake AI-driven ad optimization platform.” The extension promises to boost ad ROI with artificial intelligence but instead delivers dual-purpose malware capable of credential theft and account takeover.

Threat actors set up professionally crafted domains such as madgicx-plus[.]com and madgicxads[.]world to distribute the extensions. Cybereason explains that “domains previously linked to other malicious extensions have been repurposed to deliver the fake Madgicx Plus site, suggesting continuity of infrastructure and indicating that this is likely an evolution of the same campaign rather than the work of unrelated copycats.”
A static review revealed overreaching permissions. The advisory highlights: “Host_permissions grant full access to all websites the user visits… enabling the extension to inject content scripts, read DOM data, and potentially hijack sessions across any domain.”
It also abuses Chrome's declarativeNetRequest API to strip the HTTP Origin header from requests, so that Facebook's origin validation does not reject traffic the extension generates. With that check sidestepped, the extension steals session tokens, which let attackers impersonate victims without knowing their passwords. As Cybereason notes, “By stealing a valid session token, the extension bypasses the need for login credentials entirely and can impersonate the victim directly.”
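The two red flags described above, blanket host permissions and a declarativeNetRequest rule that removes the Origin header, are both visible in an extension's static files before it ever runs. The following is an added example, not code from Cybereason or from the extension itself: a small triage script that audits a Manifest V3 `manifest.json` and a DNR ruleset for those patterns. The manifest and rule objects embedded below are constructed sample data that mimic the shape the advisory describes; they are not artifacts recovered from the real campaign.

```javascript
// Added example (not Cybereason's code): static triage of a Chrome MV3
// extension for the permission and header-tampering patterns the
// advisory describes. SAMPLE_MANIFEST and SAMPLE_RULES are constructed
// for this example and are not the real extension's files.

// Constructed manifest resembling an over-permissioned "ad optimizer".
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Sample Ad Optimizer (constructed)",
  version: "1.0.0",
  permissions: ["storage", "tabs", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  declarative_net_request: {
    rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }],
  },
};

// Constructed DNR ruleset that removes the Origin header on requests
// to a target site. In MV3, modifyHeaders only applies to URLs the
// extension also holds host permissions for, which is why the
// combination with <all_urls> above matters.
const SAMPLE_RULES = [
  {
    id: 1,
    priority: 1,
    action: {
      type: "modifyHeaders",
      requestHeaders: [{ header: "Origin", operation: "remove" }],
    },
    condition: { urlFilter: "facebook.com", resourceTypes: ["xmlhttprequest"] },
  },
];

// Match patterns that grant access to every site the user visits.
const BROAD_PATTERNS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Request headers whose removal or rewrite undermines the target site's
// origin / CSRF checks or exposes credentials.
const SENSITIVE_HEADERS = ["origin", "referer", "sec-fetch-site", "cookie"];

function isBroadPattern(pattern) {
  return BROAD_PATTERNS.includes(pattern);
}

// Flags blanket host permissions, blanket content-script injection and
// the ability to rewrite headers via declarativeNetRequest.
function auditManifest(manifest) {
  const findings = [];
  for (const h of manifest.host_permissions || []) {
    if (isBroadPattern(h)) {
      findings.push({ severity: "high", kind: "broad_host_permission", detail: h });
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (isBroadPattern(m)) {
        findings.push({ severity: "high", kind: "broad_content_script", detail: m });
      }
    }
  }
  const perms = manifest.permissions || [];
  if (perms.includes("declarativeNetRequest") ||
      perms.includes("declarativeNetRequestWithHostAccess")) {
    findings.push({ severity: "medium", kind: "dnr_permission",
                    detail: "extension can rewrite request/response headers" });
  }
  return findings;
}

// Flags modifyHeaders rules that touch origin-related or credential headers.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    if (!rule.action || rule.action.type !== "modifyHeaders") continue;
    for (const h of rule.action.requestHeaders || []) {
      if (SENSITIVE_HEADERS.includes(String(h.header).toLowerCase())) {
        const target = (rule.condition && rule.condition.urlFilter) || "*";
        findings.push({ severity: "high", kind: "header_tamper",
                        detail: `rule ${rule.id}: ${h.operation} ${h.header} on ${target}` });
      }
    }
  }
  return findings;
}

// Combined report; a reviewer would run this over the unpacked CRX files.
function audit(manifest, rules) {
  return [...auditManifest(manifest), ...auditRules(rules)];
}
```

Run `audit(SAMPLE_MANIFEST, SAMPLE_RULES)` in Node to see the four findings the sample produces; a benign manifest scoped to a single origin and shipping no header-rewrite rules produces none. A `high` finding on `header_tamper` together with `broad_host_permission` is the pairing to treat as disqualifying in an extension review, since it is exactly what lets an extension issue authenticated requests to a site while hiding where they came from.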
Dynamic analysis confirmed this behavior: “Once a user links their Google account, the extension quietly stores sensitive account details within its local storage… then quickly escalates by prompting the user to connect their Facebook account.” This staged attack gives adversaries access to both Google and Meta accounts, widening the scope of compromise.
The campaign’s infrastructure was traced back to IP address 185.245.104[.]195, hosted by VDSina, a provider previously associated with malicious operations. Cybereason points out, “Even though the site was hosted behind Cloudflare, by analyzing the website’s hosted resources, it was possible to identify unique artifacts that led to the origin server’s IP address.”
The reuse of infrastructure across phases, combined with sophisticated permission abuse, indicates that this is a coordinated, evolving campaign rather than scattered copycats.
For digital marketers and businesses, this campaign is a stark reminder that even extensions appearing to enhance productivity or ad performance can mask sophisticated threats. Advertisers should scrutinize all browser extensions, verify sources, and monitor for unauthorized account activity. Because the attack relies on stolen session tokens rather than passwords, anyone who installed the extension should also revoke active sessions and connected apps on the affected Google and Meta accounts, not just change the password.