The “Malicious11” campaign, discovered by cybersecurity researchers at Koi Security, represents one of the largest browser hijacking operations ever documented, exploiting the very trust signals users rely on to identify safe extensions. A sophisticated malware campaign has infected over 1.7 million Chrome users through eleven seemingly legitimate browser extensions, all of which carried Google’s verified badge and featured placement on the Chrome Web Store. Users should immediately remove any affected extensions, clear browser data to remove stored tracking identifiers, run full system malware scans, and monitor accounts for suspicious activity. For example, users clicking Zoom meeting invitations could be redirected to fake pages claiming they need to download “critical updates,” or banking sessions could be intercepted and redirected to pixel-perfect replicas hosted on attackers’ servers. The attackers successfully exploited every trust signal users rely on – verification badges, install counts, featured placement, years of legitimate operation, and positive reviews. This campaign represents a watershed moment in browser extension security, demonstrating how the current marketplace security model is fundamentally broken. The codebase of each extension remained clean, sometimes for years, before the malware was implemented through automatic updates that silently installed for over 1.7 million users. Google’s verification process failed to detect sophisticated malware across eleven different extensions, instead promoting several through verification badges and featured placement. The incident highlights the urgent need for improved marketplace security mechanisms as threat actors evolve beyond individual attacks to create a comprehensive infrastructure that can remain dormant for years before activation. The malicious extensions masqueraded as popular productivity and entertainment tools across diverse categories, including emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers. The malware implements a sophisticated browser hijacking mechanism that activates every time users navigate to a new page. Despite appearing completely legitimate and maintaining verified status, the extension was secretly hijacking users’ browsers, tracking every website visit, and maintaining a persistent command and control backdoor. “Due to how Google handles browser extension updates, these versions are auto-installed silently,” the researchers noted.
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 08 Jul 2025 11:45:20 +0000