Mozilla browser extension VPN-Grab A Proxy-Free | Image: Socket
A new report by the Socket Threat Research Team has uncovered a sprawling network of malicious Firefox browser extensions designed to exploit user trust, hijack affiliate links, steal credentials, and even reroute traffic through attacker-controlled proxies. What began as an investigation into a single fake gaming extension quickly spiraled into the discovery of a multi-year campaign with sophisticated monetization and surveillance capabilities.
"Each extension masquerades as popular, well-known games to exploit user familiarity and trust," notes the Socket team. "None of these extensions provide actual gaming functionality."
The investigation started with a fraudulent version of Shell Shockers, but quickly expanded to include other popular titles: Little Alchemy 2, 1v1.LOL, Krunker.io, Five Nights at Freddy's, and Bubble Spinner. The extensions, created by a threat actor known as mre1903, had been hiding in plain sight since at least 2020, exploiting players' trust in familiar games.
"By impersonating this beloved game, the extension immediately gains user trust and bypasses initial skepticism," the report explains.
Instead of offering gameplay, the extensions automatically redirected users to scam destinations like fake Apple virus warnings. One piece of malicious code even triggered this behavior the moment the extension was installed:
These pop-ups often displayed fake error codes (like “0x800VDS”) and phishing support numbers designed to trick users into surrendering personal or financial information.
Socket's report didn't stop at fake games. The team uncovered a wider web of malicious extensions, each targeting a different user demographic:
GimmeGimme: The Affiliate Hijacker
Pretends to: Be a wishlist extension for major Dutch retailers like bol.com and coolblue.nl.
Actually does: Hijacks user shopping sessions and redirects through affiliate links to steal commissions.
"Users unknowingly generate revenue for attackers while being denied the promised functionality," the report warns.
Worse still, this infrastructure could be repurposed for tracking, credential harvesting, or full malware delivery.
VPN Grab A Proxy Free: Proxy with a Price
Pretends to: Offer free VPN protection.
Actually does: Silently injects tracking iframes and routes all user traffic through attacker-controlled proxies.
This opens the door to man-in-the-middle attacks, logging of sensitive data, and decryption of HTTPS connections.
CalSyncMaster: OAuth Token Theft
Pretends to: Sync Google Calendar for convenience.
Actually does: Steals Google OAuth tokens via manipulated auth flows.
"The stolen tokens remain valid until explicitly revoked… providing persistent access that may go undetected for months," the report notes.
These tokens allow attackers to spy on personal meetings, company calendars, and even business operations, fuel for social engineering or corporate espionage.
From redirect fraud and phishing to OAuth abuse and network interception, this campaign demonstrates how browser extensions can evolve into full-fledged malware platforms. The modular, permission-rich nature of extensions makes them ideal for long-term threat actors seeking stealth and persistence.