Data-stealing Chrome extensions impersonate Fortinet, YouTube, VPNs

Published on: 2025-06-28 18:13:34

A Google Chrome Web Store campaign uses over 100 malicious browser extensions that mimic legitimate tools, such as VPNs, AI assistants, and crypto utilities, to steal browser cookies and secretly execute remote scripts. The extensions offer some of the promised functionality, but also connect to the threat actor's infrastructure to steal user information or receive commands to execute. Additionally, the malicious Chrome extensions can modify network traffic to deliver ads, perform redirections, or act as a proxy.

The campaign was discovered by security researchers at DomainTools, who spotted over 100 fake domains promoting the tools to unsuspecting users, likely through malvertising.

DomainTools' list of over 100 malicious websites includes multiple fake VPN brands as well as attempts to impersonate legitimate brands, such as Fortinet, YouTube, DeepSeek AI, and Calendly: earthvpn[.]top, irontunnel[.]world and iron-tunnel[.]com, raccoon-vpn[.]world, orchid-vpn[.]com, soul-vpn[.]com, forti ...