Chrome Extension Targets Meta to Steal Business Data

 

Cybersecurity researchers have discovered a malicious Google Chrome extension designed to steal data associated with Meta Business Suite and Facebook Business Manager.

Specifically, the extension, named CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), markets itself as a tool to scrape Meta Business Suite data, remove verification pop-ups, and generate two-factor authentication (2FA) codes. At the time of writing, 33 users have installed the extension. The developer first uploaded it to the Chrome Web Store on March 1, 2025.

However, Socket reports that the browser add-on also exfiltrates TOTP codes for Facebook and Meta Business accounts, Business Manager contact lists, and analytics data to infrastructure the threat actor controls.

“The extension requests broad access to meta.com and facebook.com and claims in its privacy policy that 2FA secrets and Business Manager data remain local,” security researcher Kirill Boychenko said.

“In practice, the code transmits TOTP seeds and current one-time security codes, Meta Business ‘People’ CSV exports, and Business Manager analytics data to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the threat actor.”

By deliberately targeting users of Meta Business Suite and Facebook Business Manager, the threat actor leverages the extension to collect and exfiltrate data without users’ knowledge or consent.

Although the extension does not include capabilities to steal password-related information, an attacker could obtain such credentials beforehand from infostealer logs or credential dumps and then use the stolen codes to gain unauthorized access to victims’ accounts.

Full Scope of the Malicious Add-On’s Capabilities

The malicious add-on carries out the following actions –

  • Steal TOTP seed (a unique, alphanumeric code that’s used to generate time-based one-time passwords) and 2FA code
  • Target Business Manager “People” view by navigating to facebook[.]com and meta[.]com and build a CSV file with names, email addresses, roles and permissions, and their status and access details.
  • Enumerate Business Manager-level entities and their linked assets and build a CSV file of Business Manager IDs and names, attached ad accounts, connected pages and assets, and billing and payment configuration details.

Despite the low number of installs, Socket warns that the extension gives the threat actor enough intelligence to identify high-value targets and launch follow-on attacks.

“CL Suite by @CLMasters shows how a narrow browser extension can repackage data scraping as a ‘tool’ for Meta Business Suite and Facebook Business Manager,” Boychenko said.

“Its people extraction, Business Manager analytics, popup suppression, and in-browser 2FA generation are not neutral productivity features, they are purpose-built scrapers for high-value Meta surfaces that collect contact lists, access metadata, and 2FA material straight from authenticated pages.”

VK Styles Campaign Hijacks 500,000 Accounts

Meanwhile, the disclosure comes as Koi Security uncovered a large-scale campaign that silently hijacked about 500,000 users of VKontakte through malicious Chrome extensions disguised as VK customization tools. Researchers have codenamed the campaign VK Styles.

The malware embedded in these extensions actively manipulates accounts by automatically subscribing users to the attacker’s VK groups, resetting account settings every 30 days to override user preferences, manipulating Cross-Site Request Forgery (CSRF) tokens to bypass VK’s protections, and maintaining persistent control.

Investigators traced the activity to a threat actor operating under the GitHub username 2vk. The actor relies on VK’s own social network to distribute malicious payloads and build a follower base through forced subscriptions. The malicious extensions include –

  • VK Styles – Themes for vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
  • VK Music – audio saver (ID: mflibpdjoodmoppignjhciadahapkoch)
  • Music Downloader – VKsaver (ID: lgakkahjfibfgmacigibnhcgepajgfdb)
  • vksaver – music saver vk (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
  • VKfeed – Download Music and Video from VK (ID: pcdgkgbadeggbnodegejccjffnoakcoh)

Notably, the campaign uses a VK profile’s (“vk[.]com/m0nda”) HTML metadata tags as a dead drop resolver to conceal next-stage payload URLs and evade detection. The operator hosts the next-stage payload in a public repository named “-” associated with 2vk. The payload contains obfuscated JavaScript that injects itself into every VK page a victim visits.

As of writing, the repository remains accessible, and the file “C” has received 17 commits between June 2025 and January 2026 as the operator refined and expanded its functionality.

“Each commit shows deliberate refinement,” security researcher Ariel Cohen said. “This isn’t sloppy malware – it’s a maintained software project with version control, testing, and iterative improvements.”

VK Styles primarily affects Russian-speaking users, VK’s core demographic, along with users across Eastern Europe, Central Asia, and Russian diaspora communities worldwide. Researchers assess that the campaign has remained active since at least June 22, 2025, when the operator pushed the initial payload version to the repository.

AiFrame Campaign Abuses AI-Themed Extensions

At the same time, researchers uncovered another coordinated campaign dubbed AiFrame. In this operation, attackers use a cluster of 32 browser add-ons promoted as artificial intelligence (AI) assistants for summarization, chat, writing, and Gmail assistance to siphon sensitive data. Collectively, more than 260,000 users have installed these extensions.

“While these tools appear legitimate on the surface, they hide a dangerous architecture: instead of implementing core functionality locally, they embed remote, server-controlled interfaces inside extension-controlled surfaces and act as privileged proxies, granting remote infrastructure access to sensitive browser capabilities,” LayerX researcher Natalie Zargarov said.

The malicious extensions include –

  • AI Assistant (ID: nlhpidbjmmffhoogcennoiopekbiglbp)
  • Llama (ID: gcfianbpjcfkafpiadmheejkokcmdkjl)
  • Gemini AI Sidebar (ID: fppbiomdkfbhgjjdmojlogeceejinadg)
  • AI Sidebar (ID: djhjckkfgancelbmgcamjimgphaphjdl)
  • ChatGPT Sidebar (ID: llojfncgbabajmdglnkbhmiebiinohek)
  • AI Sidebar (ID: gghdfkafnhfpaooiolhncejnlgglhkhe)
  • Grok (ID: cgmmcoandmabammnhfnjcakdeejbfimn)
  • Asking Chat Gpt (ID: phiphcloddhmndjbdedgfbglhpkjcffh)
  • ChatGBT (ID: pgfibniplgcnccdnkhblpmmlfodijppg)
  • Chat Bot GPT (ID: nkgbfengofophpmonladgaldioelckbe)
  • Grok Chatbot (ID: gcdfailafdfjbailcdcbjmeginhncjkb)
  • Chat With Gemini (ID: ebmmjmakencgmgoijdfnbailknaaiffh)
  • XAI (ID: baonbjckakcpgliaafcodddkoednpjgf)
  • Google Gemini (ID: fdlagfnfaheppaigholhoojabfaapnhb)
  • Ask Gemini (ID: gnaekhndaddbimfllbgmecjijbbfpabc)
  • AI Letter Generator (ID: hgnjolbjpjmhepcbjgeeallnamkjnfgi)
  • AI Message Generator (ID: lodlcpnbppgipaimgbjgniokjcnpiiad)
  • AI Translator (ID: cmpmhhjahlioglkleiofbjodhhiejhei)
  • AI For Translation (ID: bilfflcophfehljhpnklmcelkoiffapb)
  • AI Cover Letter Generator (ID: cicjlpmjmimeoempffghfglndokjihhn)
  • AI Image Generator Chat GPT (ID: ckneindgfbjnbbiggcmnjeofelhflhaj)
  • Ai Wallpaper Generator (ID: dbclhjpifdfkofnmjfpheiondafpkoed)
  • Ai Picture Generator (ID: ecikmpoikkcelnakpgaeplcjoickgacj)
  • DeepSeek Download (ID: kepibgehhljlecgaeihhnmibnmikbnga)
  • AI Email Writer (ID: ckicoadchmmndbakbokhapncehanaeni)
  • Email Generator AI (ID: fnjinbdmidgjkpmlihcginjipjaoapol)
  • DeepSeek Chat (ID: gohgeedemmaohocbaccllpkabadoogpl)
  • ChatGPT Picture Generator (ID: flnecpdpbhdblkpnegekobahlijbmfok)
  • ChatGPT Translate (ID: acaeafediijmccnjlokgcdiojiljfpbe)
  • AI GPT (ID: kblengdlefjpjkekanpoidgoghdngdgl)
  • ChatGPT Translation (ID: idhknpoceajhnjokpnbicildeoligdgh)
  • Chat GPT for Gmail (ID: fpmkabpaklbhbhegegapfkenkmpipick)

Once installed, these extensions render a full-screen iframe overlay that points to a remote domain (“claude.tapnetic[.]pro”), which allows attackers to introduce new capabilities remotely without requiring a Chrome Web Store update. When the iframe issues instructions, the add-ons query the active browser tab and invoke a content script to extract readable article content using Mozilla’s Readability library.

In addition, the malware can start speech recognition and exfiltrate the resulting transcript to the remote page. Furthermore, a subset of the extensions specifically targets Gmail by reading visible email content directly from the document object model (DOM) when a victim visits mail.google[.]com.

“When Gmail-related features such as AI-assisted replies or summaries are invoked, the extracted email content is passed into the extension’s logic and transmitted to third-party backend infrastructure controlled by the extension operator,” LayerX said. “As a result, email message text and related contextual data may be sent off-device, outside of Gmail’s security boundary, to remote servers.”

Growing Abuse of Browser Extensions

Taken together, these developments demonstrate how threat actors increasingly abuse web browser extensions to harvest and exfiltrate sensitive data while presenting them as legitimate tools and utilities.

In a related report, Q Continuum recently identified 287 Chrome extensions that exfiltrate browsing history to data brokers. Collectively, users have installed these extensions 37.4 million times, which represents roughly 1% of the global Chrome user base.

“It was shown in the past that Chrome extensions are used to exfiltrate user browser history that is then collected by data brokers such as Similarweb and Alexa,” the researcher said.

Given these risks, users should adopt a minimalist approach and install only necessary, well-reviewed tools from official stores. Additionally, users should periodically audit installed extensions for malicious behavior or excessive permission requests.

Organizations and individuals can further strengthen security by using separate browser profiles for sensitive tasks and implementing extension allowlisting to block malicious or non-compliant add-ons.
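
One way to run the periodic audit recommended above, as an added example that is not from the original report or any of the named vendors: it walks a Chrome profile's `Extensions` directory, flags extension IDs named in this article, and flags manifests that request access to all sites or to the hosts the article describes as targeted. The function names, the `SENSITIVE_HOSTS` review list and the sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# IDs taken from this article; extend with the remaining IDs listed above.
KNOWN_BAD = {
    "jkphinfhmfkckkcnifhjiplhfoiefffl": "CL Suite by @CLMasters",
    "ceibjdigmfbbgcpkkdpmjokkokklodmc": "VK Styles – Themes for vk.com",
    "fpmkabpaklbhbhegegapfkenkmpipick": "Chat GPT for Gmail",
}
# Sites the article describes as targeted (a review list, not a verdict).
SENSITIVE_HOSTS = ("facebook.com", "meta.com", "mail.google.com", "vk.com")
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """Match patterns from MV3 host_permissions, MV2 permissions, content scripts."""
    pats = list(manifest.get("host_permissions", []))
    pats += [p for p in manifest.get("permissions", [])
             if isinstance(p, str) and (p in ALL_SITES or "://" in p)]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return pats

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; return findings by ID."""
    report = {}
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id, found = path.parts[-3], []
        if ext_id in KNOWN_BAD:
            found.append("listed in article: " + KNOWN_BAD[ext_id])
        for pat in sorted(set(host_patterns(json.loads(path.read_text("utf-8-sig"))))):
            host = pat.split("://", 1)[-1].split("/", 1)[0].lstrip("*.")
            if pat in ALL_SITES:
                found.append("all-sites access: " + pat)
            elif any(host == h or host.endswith("." + h) for h in SENSITIVE_HOSTS):
                found.append("sensitive host access: " + pat)
        if found:
            report[ext_id] = found
    return report

def build_sample_profile(root):
    """Constructed sample data: one ID from the article, one benign placeholder."""
    samples = {
        "jkphinfhmfkckkcnifhjiplhfoiefffl": {"host_permissions": ["*://*.facebook.com/*", "*://*.meta.com/*"]},
        "a" * 32: {"permissions": ["storage"], "content_scripts": [{"matches": ["https://example.com/*"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root, ext_id, "1.0_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), "utf-8")
```

Point `audit_profile` at a real profile's `Extensions` directory to review it; a host-permission finding marks an extension for manual review, since legitimate tools also request these hosts.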

 


Source: TheHackerNews
