A new and sophisticated campaign targeting enterprise environments has been uncovered by Socket’s Threat Research Team. Five malicious Google Chrome extensions, masquerading as productivity tools for major platforms like Workday, NetSuite, and SAP SuccessFactors, have been found stealing authentication tokens and hijacking user sessions.
These extensions, which include DataByCloud Access, Data By Cloud 1, Data By Cloud 2, Tool Access 11, and Software Access, have collectively reached over 2,300 users. While they promise to streamline workflows and provide “premium tools,” their actual function is to infiltrate corporate networks and neutralize security responses.
The attackers have wrapped their malware in a veneer of professional legitimacy. The extensions feature polished dashboards and request standard permissions that don’t immediately raise red flags.

“The extensions market themselves as productivity tools that streamline access to enterprise platforms… [targeting] users who work across multiple accounts or need faster workflows.”
However, beneath this facade lies a coordinated malware operation. Socket’s analysis reveals that these tools share identical code structures, API endpoints, and security tool detection lists, pointing to a single threat actor.
The campaign employs a triad of malicious techniques to compromise accounts and maintain control:
- Cookie Exfiltration: The extensions continuously harvest session tokens. For instance, DataByCloud Access extracts cookies named _session and transmits them to a command-and-control (C2) server every 60 seconds. “This ensures the threat actor maintains current tokens even when users log out and back in during normal workflows.”
- Session Hijacking: The Software Access extension takes theft a step further with bidirectional cookie injection. It retrieves stolen credentials from the attacker’s server and injects them directly into the victim’s browser, enabling the attacker to bypass multi-factor authentication (MFA). “Software Access’s bidirectional cookie injection eliminates authentication requirements entirely, allowing the threat actor to access compromised accounts without passwords.”
- Blocking Incident Response: Perhaps the most insidious feature is the ability to blind security teams. Extensions like Data By Cloud 2 and Tool Access 11 actively monitor for and block access to critical administrative pages. “The blocking extensions create a containment failure scenario. Security teams can identify suspicious activity… but every standard remediation action is blocked.”
Blocked pages include password change forms, 2FA device management, and security audit logs. When an administrator attempts to access these pages, the extension instantly wipes the content and redirects them, effectively locking the defenders out of their own control panels.
The malware authors have also implemented measures to evade detection by researchers. Some variants include the DisableDevtool library to prevent code inspection and use “RegExp toString modification” to detect if a debugger is active.
“No legitimate extension implements mechanisms to prevent users from inspecting their own password fields or blocks developer tools from opening. These capabilities exist solely to hide malicious behavior.”
By compromising the tools employees use daily, attackers can bypass perimeter defenses and gain direct access to sensitive HR and ERP data. Organizations are advised to audit their browser extension policies and investigate any installations of the identified malicious add-ons.
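To make the "audit your browser extension policies" advice concrete, here is an added example (not Socket's code and not from the article) that walks a Chrome profile's `Extensions` directory, reads each `manifest.json`, and flags the combinations the campaign relies on: an extension name matching one of the five reported names, the `cookies` permission paired with all-site host access (what continuous session-token harvesting needs), request-interception permissions paired with all-site access (what page blocking needs), and content scripts aimed at HR/ERP hosts. The extension IDs, manifests and the `ENTERPRISE_HOST_HINTS` list are constructed assumptions for the demo; the real directory layout (`<profile>/Extensions/<id>/<version>/manifest.json`) is what Chrome uses.

```python
"""Audit installed Chrome extension manifests for the indicators described above."""
from __future__ import annotations

import json
import tempfile
from pathlib import Path

# Extension names reported in the article, compared case-insensitively without spaces.
REPORTED_NAMES = {
    "databycloudaccess", "databycloud1", "databycloud2", "toolaccess11", "softwareaccess",
}
# Host patterns that grant access to every site; needed to read session cookies broadly.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe, modify or block navigations.
INTERCEPT_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                   "declarativeNetRequestWithHostAccess"}
# Assumed substrings of the enterprise platforms named in the article; tune to your estate.
ENTERPRISE_HOST_HINTS = ("workday", "netsuite", "successfactors")


def normalise(name: str) -> str:
    return "".join(name.lower().split())


def assess_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one manifest (empty list means nothing flagged)."""
    findings: list[str] = []
    name = manifest.get("name", "")
    if normalise(name) in REPORTED_NAMES:
        findings.append(f"name matches reported extension: {name!r}")
    perms = set(manifest.get("permissions", []))
    # MV3 lists hosts under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    broad = bool(hosts & BROAD_HOSTS)
    if "cookies" in perms and broad:
        findings.append("can read cookies on every site (cookies + broad host access)")
    if broad and perms & INTERCEPT_PERMS:
        findings.append("can intercept or block navigations on every site")
    for script in manifest.get("content_scripts", []):
        for match in script.get("matches", []):
            if any(hint in match.lower() for hint in ENTERPRISE_HOST_HINTS):
                findings.append(f"injects scripts into enterprise platform: {match}")
    return findings


def audit_profile(profile_dir: str | Path) -> dict[str, list[str]]:
    """Map extension ID -> findings for every extension under <profile>/Extensions."""
    results: dict[str, list[str]] = {}
    for manifest_path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            results[ext_id] = ["unreadable manifest"]
            continue
        findings = assess_manifest(manifest)
        if findings:
            results[ext_id] = findings
    return results


def build_demo_profile(root: str | Path | None = None) -> Path:
    """Write two constructed manifests (fake IDs, not real extensions) for a stand-alone run."""
    root = Path(root) if root is not None else Path(tempfile.mkdtemp())
    demo = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {  # constructed: mimics the reported pattern
            "manifest_version": 3, "name": "Data By Cloud 2", "version": "1.0",
            "permissions": ["cookies", "storage", "webRequest"],
            "host_permissions": ["<all_urls>"],
            "content_scripts": [{"matches": ["https://*.myworkday.com/*"], "js": ["c.js"]}],
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {  # constructed: benign, narrow permissions
            "manifest_version": 3, "name": "Tab Counter", "version": "2.1",
            "permissions": ["tabs"],
        },
    }
    for ext_id, manifest in demo.items():
        path = root / "Extensions" / ext_id / "1.0_0" / "manifest.json"
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    # Point audit_profile at a real profile (e.g. ~/.config/google-chrome/Default) in practice.
    for ext_id, found in audit_profile(build_demo_profile()).items():
        print(ext_id)
        for line in found:
            print("  -", line)
```

The name check only catches the five names reported here and is trivial for an attacker to change, so the permission-combination checks are the durable part: treat any extension that can both read cookies everywhere and intercept navigations everywhere as requiring an explicit allow-list decision, regardless of what it calls itself.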