Malicious Chrome Extensions Caught Stealing Business Data, Emails, and Browsing History

Cybersecurity Alert: Malicious Chrome Extensions Targeting Meta Business Suite and Facebook Users

In a disturbing trend that highlights the growing sophistication of cybercriminals, security researchers have uncovered multiple malicious Google Chrome extensions designed to steal sensitive data from Meta Business Suite and Facebook Business Manager users. These seemingly legitimate tools are being weaponized to conduct large-scale data exfiltration operations without users’ knowledge or consent.

CL Suite: The Meta Business Suite Trojan Horse

Cybersecurity researchers have discovered a particularly insidious Chrome extension called CL Suite by @CLMasters (ID: jkphinfhmfkckkcnifhjiplhfoiefffl) that has been masquerading as a legitimate tool for Meta Business Suite users. Marketed as a way to scrape Meta Business Suite data, remove verification pop-ups, and generate two-factor authentication (2FA) codes, this extension has already amassed 33 users since its upload to the Chrome Web Store on March 1, 2025.

However, beneath its legitimate facade lies a sophisticated data theft operation. According to security researcher Kirill Boychenko from Socket, the extension secretly transmits critical security information to infrastructure controlled by threat actors. “The extension requests broad access to meta.com and facebook.com and claims in its privacy policy that 2FA secrets and Business Manager data remain local,” Boychenko explained. “In practice, the code transmits TOTP seeds and current one-time security codes, Meta Business ‘People’ CSV exports, and Business Manager analytics data to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the threat actor.”

The full scope of CL Suite’s malicious capabilities is particularly alarming:

  • Stealing TOTP seeds and 2FA codes: The extension extracts the unique alphanumeric codes used to generate time-based one-time passwords
  • Harvesting Business Manager contacts: It automatically navigates to facebook[.]com and meta[.]com to build comprehensive CSV files containing names, email addresses, roles, permissions, and access details
  • Enumerating Business Manager entities: The malware creates detailed CSV files of Business Manager IDs, names, attached ad accounts, connected pages, assets, and billing configurations

Despite the relatively low number of installations, Socket warns that the extension provides attackers with enough information to identify high-value targets and mount sophisticated follow-on attacks. The researchers emphasize that while the extension doesn’t directly steal password information, attackers could obtain such credentials through other means and then use the stolen 2FA codes to gain unauthorized account access.

VK Styles: The 500,000-User Russian Social Media Heist

In an even more massive operation, security firm Koi Security has uncovered a coordinated campaign, codenamed VK Styles, that has silently hijacked approximately 500,000 VKontakte (VK) accounts through malicious Chrome extensions. It represents one of the largest browser-based social media account takeovers in recent history.

The malware embedded in these extensions engages in active account manipulation through several sophisticated techniques:

  • Automatic subscription to attacker-controlled groups: Users are silently enrolled in the attacker’s VK groups without their knowledge
  • Persistent account control: The malware resets account settings every 30 days to override user preferences and maintain control
  • CSRF token manipulation: The extensions bypass VK’s security protections by manipulating Cross-Site Request Forgery tokens
  • Long-term persistence: The malware maintains continuous control over compromised accounts

The campaign has been traced to a threat actor operating under the GitHub username 2vk, who has cleverly used VK’s own social network to distribute malicious payloads. The attacker built a follower base through forced subscriptions, creating a self-reinforcing distribution mechanism.

The malicious extensions involved in this campaign include:

  • VK Styles – Themes for vk.com (ID: ceibjdigmfbbgcpkkdpmjokkokklodmc)
  • VK Music – audio saver (ID: mflibpdjoodmoppignjhciadahapkoch)
  • Music Downloader – VKsaver (ID: lgakkahjfibfgmacigibnhcgepajgfdb)
  • vksaver – music saver vk (ID: bndkfmmbidllaiccmpnbdonijmicaafn)
  • VKfeed – Download Music and Video from VK (ID: pcdgkgbadeggbnodegejccjffnoakcoh)

One of the most sophisticated aspects of this campaign is its use of dead drop resolvers. The malware uses a VK profile’s HTML metadata tags (“vk[.]com/m0nda”) to conceal next-stage payload URLs, effectively evading detection by security systems. The next-stage payload is hosted in a public repository named “-” associated with 2vk, containing obfuscated JavaScript injected into every VK page the victim visits.

Security researcher Ariel Cohen noted that this isn’t amateur malware: “Each commit shows deliberate refinement. This isn’t sloppy malware – it’s a maintained software project with version control, testing, and iterative improvements.” The campaign has primarily affected Russian-speaking users, VK’s main demographic, as well as users across Eastern Europe, Central Asia, and Russian diaspora communities globally.

AiFrame: The 260,000-User AI Assistant Scam

Adding to the growing list of malicious browser extensions, researchers have uncovered AiFrame, a coordinated campaign involving 32 browser add-ons advertised as artificial intelligence assistants for summarization, chat, writing, and Gmail assistance. These extensions have been collectively installed by more than 260,000 users, representing a significant security threat to a large user base.

According to Natalie Zargarov from LayerX, these tools hide a dangerous architecture: “Instead of implementing core functionality locally, they embed remote, server-controlled interfaces inside extension-controlled surfaces and act as privileged proxies, granting remote infrastructure access to sensitive browser capabilities.”

The malicious extensions include:

  • AI Assistant (ID: nlhpidbjmmffhoogcennoiopekbiglbp)
  • Llama (ID: gcfianbpjcfkafpiadmheejkokcmdkjl)
  • Gemini AI Sidebar (ID: fppbiomdkfbhgjjdmojlogeceejinadg)
  • AI Sidebar (ID: djhjckkfgancelbmgcamjimgphaphjdl)
  • ChatGPT Sidebar (ID: llojfncgbabajmdglnkbhmiebiinohek)
  • And 27 other similarly named extensions

Once installed, these extensions render full-screen iframe overlays pointing to remote domains (such as claude.tapnetic[.]pro), allowing attackers to remotely introduce new capabilities without requiring Chrome Web Store updates. When instructed by the iframe, the add-ons query active browser tabs and invoke content scripts to extract readable article content using Mozilla’s Readability library.

The malware also supports speech recognition capabilities, exfiltrating resulting transcripts to remote pages. More concerningly, a subset of these extensions specifically targets Gmail by reading visible email content directly from the Document Object Model (DOM) when victims visit mail.google[.]com. “When Gmail-related features such as AI-assisted replies or summaries are invoked, the extracted email content is passed into the extension’s logic and transmitted to third-party backend infrastructure controlled by the extension operator,” LayerX explained. “As a result, email message text and related contextual data may be sent off-device, outside of Gmail’s security boundary, to remote servers.”

The 287-Extension Browsing History Exfiltration Operation

In perhaps the most extensive discovery, Q Continuum researchers uncovered a massive collection of 287 Chrome extensions that exfiltrate browsing history to data brokers. These extensions have accumulated an astonishing 37.4 million installations, representing roughly 1% of the global Chrome userbase.

“This isn’t just about individual privacy violations,” the researchers noted. “It was shown in the past that Chrome extensions are used to exfiltrate user browser history that is then collected by data brokers such as Similarweb and Alexa.” The scale of this operation demonstrates how browser extensions have become a preferred vector for large-scale data collection operations.

The Growing Threat Landscape

These discoveries paint a troubling picture of the current cybersecurity landscape. Browser extensions, once considered relatively safe tools for enhancing web browsing, have become prime targets for cybercriminals seeking to harvest sensitive data at scale. The sophistication of these attacks – from the use of dead drop resolvers and remote-controlled iframes to the maintenance of malware repositories with version control – indicates that we’re dealing with organized, well-funded criminal operations rather than opportunistic hackers.

The methods employed by these threat actors are particularly concerning because they exploit the very features that make browser extensions useful. The ability to interact with web pages, access user data, and modify browser behavior – all legitimate functions – are being weaponized for malicious purposes. Moreover, the use of legitimate-seeming names and descriptions, combined with the Chrome Web Store’s review processes, allows these malicious extensions to achieve significant installation numbers before being detected.

Protection and Prevention

Given the severity and sophistication of these threats, users and organizations must take immediate action to protect themselves. Security experts recommend several key strategies:

Adopt a minimalist approach: Only install necessary, well-reviewed tools from official stores. Each additional extension increases your attack surface.

Regular audits: Periodically review installed extensions for any signs of malicious behavior or excessive permission requests. Remove any extensions you no longer use or trust.

Use separate browser profiles: Create different browser profiles for sensitive tasks versus general browsing to limit the potential impact of compromised extensions.

Implement extension allowlisting: Organizations should consider implementing extension allowlisting policies to block non-compliant or potentially malicious extensions.

Monitor for unusual behavior: Be alert to unexpected changes in browser behavior, such as new toolbars, changed homepages, or unusual pop-ups.

Keep browsers updated: Ensure your browser and all extensions are running the latest versions with security patches applied.
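As an added example (not code from the article or from any of the researchers it cites), the script below turns the "regular audits" and "allowlisting" advice into something a defender can run: it checks an extension's manifest against the extension IDs listed in this article, flags the sensitive API permissions and broad host access these campaigns depended on, and emits a Chrome enterprise policy that blocks every extension except an approved set. The on-disk layout Extensions/<id>/<version>/manifest.json and the policy names ExtensionInstallBlocklist and ExtensionInstallAllowlist are standard Chrome conventions; the sample manifests in the usage block are constructed.

```python
import glob
import json

# Extension IDs the article names as malicious (CL Suite, VK Styles, AiFrame).
KNOWN_BAD_IDS = {
    "jkphinfhmfkckkcnifhjiplhfoiefffl",  # CL Suite by @CLMasters
    "ceibjdigmfbbgcpkkdpmjokkokklodmc",  # VK Styles - Themes for vk.com
    "mflibpdjoodmoppignjhciadahapkoch",  # VK Music - audio saver
    "lgakkahjfibfgmacigibnhcgepajgfdb",  # Music Downloader - VKsaver
    "bndkfmmbidllaiccmpnbdonijmicaafn",  # vksaver - music saver vk
    "pcdgkgbadeggbnodegejccjffnoakcoh",  # VKfeed - Download Music and Video from VK
    "nlhpidbjmmffhoogcennoiopekbiglbp",  # AI Assistant
    "gcfianbpjcfkafpiadmheejkokcmdkjl",  # Llama
    "fppbiomdkfbhgjjdmojlogeceejinadg",  # Gemini AI Sidebar
    "djhjckkfgancelbmgcamjimgphaphjdl",  # AI Sidebar
    "llojfncgbabajmdglnkbhmiebiinohek",  # ChatGPT Sidebar
}
# API permissions that expose open tabs, page content, history or cookies.
SENSITIVE_PERMS = {"tabs", "scripting", "history", "cookies", "webRequest", "webNavigation"}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit(ext_id, manifest):
    """Return risk findings for one extension manifest (works for MV2 and MV3)."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known-malicious id")
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    sensitive = perms & SENSITIVE_PERMS
    if sensitive:
        findings.append("sensitive api: " + ",".join(sorted(sensitive)))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access")
    return findings

def audit_profile(profile_dir):
    """Audit every <profile>/Extensions/<id>/<version>/manifest.json on disk."""
    report = {}
    for path in glob.glob(f"{profile_dir}/Extensions/*/*/manifest.json"):
        ext_id = path.replace("\\", "/").split("/")[-3]
        with open(path, encoding="utf-8") as f:
            report[ext_id] = audit(ext_id, json.load(f))
    return report

def allowlist_policy(approved_ids):
    """Chrome enterprise policy: block everything, then allow only approved IDs."""
    return {"ExtensionInstallBlocklist": ["*"], "ExtensionInstallAllowlist": sorted(approved_ids)}

if __name__ == "__main__":
    # Constructed manifest resembling the CL Suite permission profile described above.
    sample = {"manifest_version": 3, "permissions": ["tabs", "storage"],
              "host_permissions": ["*://*.facebook.com/*", "*://*.meta.com/*"]}
    print(audit("jkphinfhmfkckkcnifhjiplhfoiefffl", sample))
    print(json.dumps(allowlist_policy({"approved-extension-id-placeholder"}), indent=2))
```

On a real machine, pass the Chrome profile directory (for example `~/.config/google-chrome/Default`) to `audit_profile` and write the returned policy JSON into the managed-policies location for the platform.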

The Future of Browser Security

As these incidents demonstrate, the traditional security model for browser extensions is failing. The current review processes at official stores like the Chrome Web Store are clearly insufficient to catch sophisticated malware that can hide its true intentions behind legitimate functionality. The use of remote-controlled interfaces, dead drop resolvers, and version-controlled malware repositories shows that attackers are staying several steps ahead of traditional security measures.

Moving forward, we need a fundamental rethinking of how browser extensions are developed, reviewed, and monitored. This might include more rigorous code analysis during the review process, continuous monitoring of extension behavior after publication, and better tools for users to understand what permissions they’re granting and how those permissions are being used.

The scale and sophistication of these attacks also suggest that browser vendors, security researchers, and law enforcement agencies need to collaborate more closely to track down the criminal organizations behind these operations. The fact that some of these campaigns have been active for months or even years before detection indicates that current coordination mechanisms are insufficient.

Conclusion

The discovery of these malicious Chrome extensions represents a watershed moment in browser security. We’re witnessing the evolution of browser-based attacks from simple adware and click fraud to sophisticated, organized operations targeting high-value data and maintaining long-term control over compromised accounts. The combination of social engineering (through legitimate-seeming names and descriptions), technical sophistication (remote-controlled interfaces and dead drop resolvers), and scale (hundreds of thousands to millions of installations) makes these threats particularly dangerous.

As users, we must become more vigilant about the extensions we install and more aware of the permissions we grant. As an industry, we need to develop better security models for browser extensions that can keep pace with the increasingly sophisticated threats we face. The stakes are too high to continue with business as usual – our personal data, business information, and online identities are all at risk.

The question is no longer whether you’ll encounter a malicious browser extension, but when – and whether you’ll be prepared to recognize and respond to the threat before it’s too late.


Tags: #ChromeExtensions #Malware #Cybersecurity #DataBreach #MetaBusinessSuite #FacebookBusinessManager #VKontakte #AIAssistant #BrowserSecurity #CyberCrime #DataTheft #2FA #TOTP #Phishing #SocialEngineering #InformationSecurity #DigitalPrivacy #OnlineSafety #ThreatIntelligence #SecurityResearch
