PROBABLYPWNED
Malware | April 16, 2026 | 4 min read

108 Chrome Extensions Steal OAuth Tokens and Telegram Sessions

Security researchers expose 108 malicious Chrome extensions operating under five fake publishers, stealing Google OAuth tokens, Telegram sessions, and injecting ads. Over 20,000 users affected.

James Rivera

Security researchers at Socket have exposed a coordinated campaign involving 108 malicious Chrome extensions that steal Google OAuth tokens, hijack Telegram sessions every 15 seconds, and inject gambling advertisements into YouTube and TikTok. The extensions collectively reached about 20,000 installs before researchers flagged them to Google.

The campaign represents a significant escalation in browser extension threats—all 108 extensions communicate with the same command-and-control infrastructure hosted on a Contabo VPS, suggesting a single operator running what appears to be a Russian malware-as-a-service operation.

How the Campaign Works

The extensions were published under five fake developer identities: Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt. Each publisher pushed extensions across multiple categories designed to appeal to different user groups—Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, text translation tools, and general utilities.

Socket's analysis revealed three distinct attack patterns across the extension cluster:

Google OAuth Token Theft — 54 extensions abuse Chrome's chrome.identity.getAuthToken API to harvest victims' email addresses, names, profile pictures, and Google account IDs alongside OAuth2 Bearer tokens. With these tokens, attackers can access Google services as the victim without needing their password.

Telegram Session Hijacking — Extensions targeting Telegram users extract session data from localStorage every 15 seconds, capturing active session tokens that grant full account access. This bypasses both passwords and multi-factor authentication entirely—a technique we've seen in similar extension campaigns targeting business accounts.

Universal Backdoor — 45 extensions contain a hidden function that executes on browser startup, fetching commands from the C2 server and opening arbitrary URLs. This transforms the browser into a persistent foothold for future attacks.

Ad Injection and Monetization

Beyond credential theft, 78 of the extensions inject attacker-controlled content directly into web pages using the innerHTML property. The primary monetization comes from stripping security headers (Content-Security-Policy, X-Frame-Options, and CORS-related headers) from YouTube and TikTok pages and overlaying gambling advertisements.

This dual-purpose approach—stealing credentials while monetizing through ad injection—mirrors tactics from last month's Chrome extension campaign that targeted Meta Business and VK accounts.

Technical Infrastructure

All 108 extensions route stolen credentials and browsing data to the same backend at IP address 144.126.135[.]238, hosted on Contabo VPS infrastructure. The C2 network uses multiple subdomains for different functions:

  • Session hijacking endpoint
  • Identity collection
  • Command execution
  • Monetization operations

Code comments in Russian across multiple extensions suggest the operation originates from a Russian-speaking developer or group, though attribution remains uncertain.

Notable Extension Examples

Socket published several extension IDs for defenders to block:

  • Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa)
  • Web Client for Telegram - Teleside (mdcfennpfgkngnibjbpnpaafcjnhcjno)
  • Formula Rush Racing Game (akebbllmckjphjiojeioooidhnddnplj)

At the time of BleepingComputer's reporting, the extensions remained available on the Chrome Web Store despite Socket notifying Google.

Why This Matters

Browser extension threats continue to outpace platform defenses. Chrome's Web Store review process clearly fails to catch coordinated campaigns that split malicious functionality across dozens of extensions under different publisher names.

For enterprise security teams, this campaign highlights several persistent blind spots. Extensions requesting identity permissions (chrome.identity) can silently harvest OAuth tokens without triggering traditional security alerts. Session hijacking attacks bypass MFA entirely. And ad-injection provides attackers with sustained monetization even if credential theft gets detected.

The 15-second polling interval for Telegram sessions is aggressive—attackers are prioritizing real-time access over stealth.

Recommended Mitigations

  1. Audit installed extensions across managed browsers using enterprise tools
  2. Block the C2 IP 144.126.135[.]238 at the network perimeter
  3. Review extension permissions and remove any requesting identity or broad host access
  4. Monitor OAuth token usage in Google Workspace for anomalous access patterns
  5. Revoke Telegram sessions if any flagged extensions were installed
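
As a worked example for steps 1 and 3 above (added here; not code from Socket or from the article), the script below walks a Chrome profile's Extensions directory and flags the three extension IDs the article lists, the identity permission used for OAuth token harvesting, the header-rewriting permissions an extension needs to strip CSP or X-Frame-Options, and broad host access. The sample manifests at the bottom are constructed for a dry run; the profile path is passed on the command line.

```python
import json
import sys
from pathlib import Path

# Extension IDs published by Socket (copied from the article above).
FLAGGED_IDS = {
    "obifanppcpchlehkjipahhphbcbjekfa": "Telegram Multi-account",
    "mdcfennpfgkngnibjbpnpaafcjnhcjno": "Web Client for Telegram - Teleside",
    "akebbllmckjphjiojeioooidhnddnplj": "Formula Rush Racing Game",
}
# identity is what the OAuth-stealing extensions abused; rewriting response
# headers (CSP, X-Frame-Options) requires webRequest or declarativeNetRequest.
RISKY_PERMISSIONS = {"identity", "webRequest", "webRequestBlocking",
                     "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(ext_id: str, manifest: dict) -> list[str]:
    """Return human-readable findings for one extension manifest (MV2 or MV3)."""
    findings = []
    if ext_id in FLAGGED_IDS:
        findings.append(f"known malicious: {FLAGGED_IDS[ext_id]}")
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    findings += [f"risky permission: {p}" for p in sorted(perms & RISKY_PERMISSIONS)]
    findings += [f"broad host access: {h}" for h in sorted(hosts & BROAD_HOSTS)]
    return findings

def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings."""
    report = {}
    for path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = path.parent.parent.name
        try:
            findings = audit_manifest(ext_id, json.loads(path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample manifests (not real extension data) for a dry run without a profile.
SAMPLE_MANIFESTS = {
    "obifanppcpchlehkjipahhphbcbjekfa": {"permissions": ["identity", "storage"], "host_permissions": ["<all_urls>"]},
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"permissions": ["webRequest", "webRequestBlocking", "*://*/*"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"permissions": ["storage"], "host_permissions": ["https://example.com/*"]},
}

def audit_samples() -> dict[str, list[str]]:
    return {i: f for i, m in SAMPLE_MANIFESTS.items() if (f := audit_manifest(i, m))}

if __name__ == "__main__":
    report = audit_profile(Path(sys.argv[1])) if len(sys.argv) > 1 else audit_samples()
    for ext_id, findings in report.items():
        print(ext_id, *findings, sep="\n  ")
```

Run it as `python audit_extensions.py ~/.config/google-chrome/Default/Extensions` (or the equivalent profile path on Windows or macOS); any hit on a flagged ID should be treated as the session compromise described below.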

Organizations with heavy Telegram usage for business communications should treat any flagged extension installation as a full session compromise requiring password rotation and session revocation.

For general guidance on defending against these threats, see our browser extension security guide.
