
Browser security firm LayerX has identified a covert network of malicious Chrome extensions acting as “sleeper agents”—seemingly benign tools that could be activated for malicious purposes at any time. Installed on nearly 1.5 million devices worldwide, these extensions mask themselves as audio enhancers while concealing sophisticated code capable of exfiltration, surveillance, or malware deployment.
While these extensions claim to help users manage in-browser sound, LayerX’s reverse engineering reveals a different reality:
- Common code base linked to known malicious extensions like ReadBee
- Remote command execution enabled via external configuration files
- Encrypted and obfuscated communications with malicious domains
- Silent background tab execution to access URLs and run commands
“The extensions communicate with external URLs, including known malicious domains… and use encryption and base64 code obfuscation to encrypt external communications,” LayerX states.
One of the capabilities uncovered was the ability to load remote configurations and open arbitrary tabs, all without user interaction. This was seen previously in ReadBee, a Chrome extension that silently tracked users and performed redirections for affiliate fraud.
A key component of that infrastructure, called ExtStatTracker, demonstrates how these extensions silently coordinate through chrome.storage, allowing updates and commands to be dynamically injected post-installation:
“This telemetry logic is embedded in the background script and is not disclosed to users,” LayerX warns.
Although the extensions share infrastructure, each is listed under a different anonymous publisher with no public-facing website and only generic webmail contact info:
“Outwardly, they all show different ownership… it is impossible to ascertain the identity of the people behind each of these extensions,” LayerX notes.
These traits are typical of malicious distribution networks, which deliberately split infrastructure to avoid detection and takedown.
Some of the currently flagged extensions include:

| Extension Name | Extension ID | Users |
| --- | --- | --- |
| Sound Booster | pmilcmjbofinpnbnpanpdadijibcgifc | 200,000 |
| Volume Max – Ultimate Sound Booster | mgbhdehiapbjamfgekfpebmhmnmcmemg | 1,000,000 |
| Volume Master: Master Your Sound | eoejmjkddfbhhnbmklhccnppogeaeeah | 3,000 |
| Volume Booster: Ultimate Sound Enhancer | dlcgileladmbfijjmnleehhoebpggpjl | 2,000 |

Despite red flags—and some being flagged by VirusTotal—these extensions remain live on the Chrome Web Store.
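
The following is an added example, not code from LayerX or the original article: a Python audit that looks for the extension IDs in the table above in every Chrome profile on one machine and reports each hit's version and declared permissions. It assumes Chrome's standard on-disk layout and default data-directory paths; the function names are this example's own.

```python
import json
import os
import sys
from pathlib import Path

# Extension IDs copied from the table on this page (the article calls the list partial).
FLAGGED = {
    "pmilcmjbofinpnbnpanpdadijibcgifc": "Sound Booster",
    "mgbhdehiapbjamfgekfpebmhmnmcmemg": "Volume Max – Ultimate Sound Booster",
    "eoejmjkddfbhhnbmklhccnppogeaeeah": "Volume Master: Master Your Sound",
    "dlcgileladmbfijjmnleehhoebpggpjl": "Volume Booster: Ultimate Sound Enhancer",
}

def default_user_data_dir():
    """Chrome's standard per-user data directory on each OS."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", home)) / "Google/Chrome/User Data"
    if sys.platform == "darwin":
        return home / "Library/Application Support/Google/Chrome"
    return home / ".config/google-chrome"

def scan(user_data_dir):
    """Return one finding per installed version of a flagged extension."""
    findings = []
    # Layout: <user data>/<profile>/Extensions/<id>/<version>/manifest.json
    for manifest in sorted(Path(user_data_dir).glob("*/Extensions/*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        if ext_id not in FLAGGED:
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = None  # unreadable manifest: still report the install
        if not isinstance(data, dict):
            data = {}
        # MV2 keeps host patterns in "permissions", MV3 in "host_permissions".
        perms = [p for key in ("permissions", "host_permissions")
                 for p in (data.get(key) or []) if isinstance(p, str)]
        findings.append({
            "profile": manifest.parents[3].name,
            "id": ext_id,
            "listed_as": FLAGGED[ext_id],
            "version": data.get("version", manifest.parent.name),
            "permissions": sorted(perms),
        })
    return findings

if __name__ == "__main__":
    for f in scan(default_user_data_dir()):
        print(f"{f['profile']}: {f['id']} ({f['listed_as']}) v{f['version']} {f['permissions']}")
```
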
LayerX warns that these extensions could function as botnet alternatives, offering attackers:
- Persistent presence on endpoints
- Access to browsing data, cookies, and credentials
- Ability to turn malicious at any moment
“This type of ‘sleeper’ extension network can serve as a substitute for traditional botnets… building up botnets on IoT devices is cumbersome. This is much simpler.”