Ddos 
Browser security firm LayerX has identified a covert network of malicious Chrome extensions acting as βsleeper agentsββseemingly benign tools that could be activated for malicious purposes at any time. Installed on nearly 1.5 million devices worldwide, these extensions mask themselves as audio enhancers while concealing sophisticated code capable of exfiltration, surveillance, or malware deployment.
While these extensions claim to help users manage in-browser sound, LayerXβs reverse engineering reveals a different reality:
- Common code base linked to known malicious extensions like ReadBee
- Remote command execution enabled via external configuration files
- Encrypted and obfuscated communications with malicious domains
- Silent background tab execution to access URLs and run commands
βThe extensions communicate with external URLs, including known malicious domainsβ¦ and use encryption and base64 code obfuscation to encrypt external communications,β LayerX states.
One of the more capabilities uncovered was the ability to load remote configurations and open arbitrary tabs, all without user interaction. This was seen previously in ReadBee, a Chrome extension that silently tracked users and performed redirections for affiliate fraud.
A key component of that infrastructure, called ExtStatTracker, demonstrates how these extensions silently coordinate through chrome.storage, allowing updates and commands to be dynamically injected post-installation:
“This telemetry logic is embedded in the background script and is not disclosed to users,” LayerX warns.
Although the extensions share infrastructure, each is listed under a different anonymous publisher with no public-facing website and only generic webmail contact info:
βOutwardly, they all show different ownership… it is impossible to ascertain the identity of the people behind each of these extensions,β LayerX notes.
These traits are typical of malicious distribution networks, which deliberately split infrastructure to avoid detection and takedown.
Some of the currently flagged extensions include:
| Extension Name | ExtensionID | Users |
| Sound Booster | pmilcmjbofinpnbnpanpdadijibcgifc | 200,000 |
| Examine source code of Volume Max β Ultimate Sound Booster | mgbhdehiapbjamfgekfpebmhmnmcmemg | 1,000,000 |
| Volume Master: Master Your Sound | eoejmjkddfbhhnbmklhccnppogeaeeah | 3,000 |
| Volume Booster: Ultimate Sound Enhancer | dlcgileladmbfijjmnleehhoebpggpjl | 2,000 |
Despite red flagsβand some being flagged by VirusTotalβthese extensions remain live on the Chrome Web Store.
LayerX warns that these extensions could function as botnet alternatives, offering attackers:
- Persistent presence on endpoints
- Access to browsing data, cookies, and credentials
- Ability to turn malicious at any moment
βThis type of βsleeperβ extension network can serve as a substitute for traditional botnets… building up botnets on IoT devices is cumbersome. This is much simpler.β
Related Posts:
- Chrome Web Store Under Siege: 40+ Malicious Extensions Found Stealing Data
- Sound waves can Disrupt Functions of Hard Disk Drives
- Trojan Malware Infiltrates Browser Extensions, Impacts 300,000 Users
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
