In a concerning development for enterprise cybersecurity, researchers have uncovered a new campaign involving five malicious Google Chrome browser extensions that were designed to impersonate popular human resources (HR) and enterprise resource planning (ERP) platforms. These extensions have been observed targeting corporate users by stealing authentication tokens, manipulating browser behavior, and in some cases enabling complete account takeover. The discovery highlights the increasingly sophisticated tactics that threat actors are using to infiltrate business environments through tools that users often trust and install without hesitation.
The Threat Landscape
Browser extensions are small software modules that enhance web browser functionality. They add features ranging from productivity enhancements to security tools. However, because extensions operate within the browser environment, they can also access sensitive data—like session cookies, authentication tokens, and user interactions—if granted sufficient permissions. This makes them an attractive target for cybercriminals. According to the recent research, the five malicious extensions masqueraded as tools related to widely used platforms such as Workday, NetSuite, and SuccessFactors—applications that many organizations depend on for HR and ERP operations.
What made this campaign especially dangerous was the combination of social engineering and technical exploitation: the extensions were marketed as productivity shortcuts, yet they contained hidden mechanisms for data theft and session manipulation. Once installed, they could exfiltrate critical authentication cookies and disrupt normal enterprise security operations.
The Malicious Extensions
The researchers detailed the names and behaviors of the five extensions, which were distributed under deceptive branding and functionality:
- DataByCloud Access – A supposed tool for cloud access that recorded approximately 251 installs.
- Tool Access 11 – Claimed to be a productivity extension with around 101 installs.
- DataByCloud 1 – With about 1,000 installs, this extension replicated key malicious features.
- DataByCloud 2 – Also around 1,000 installs, with extended targeting capabilities.
- Software Access – A smaller install base (27 installs) but arguably the most sophisticated.
All except Software Access were already removed from the Chrome Web Store at the time of reporting, though they continued to be available through third-party download sites such as Softonic—a common tactic used by attackers to keep malicious software in circulation even after being blacklisted by official channels.
Stealthy and Persistent Techniques
The malicious extensions employed a blend of stealth and persistence techniques to evade detection and maximize impact:
- Cookie Theft and Exfiltration: Several of the extensions were programmed to harvest authentication cookies from targeted domains and transmit them back to attacker-controlled servers. These cookies allow attackers to assume the identity of legitimate users without needing their passwords—a tactic known as session hijacking.
- DOM Manipulation: Some extensions manipulated the Document Object Model (DOM) of browser pages to block access to administrative settings. For instance, when users attempted to access security or user-management pages of platforms like Workday or NetSuite, the extensions either erased page content or redirected users to nonsensical URLs.
- Inspection Protection: One of the extensions incorporated techniques to disable browser developer tools, making it substantially harder for security personnel or savvy users to inspect the code executing within the browser.
- Cookie Injection: The most advanced extension, Software Access, could receive stolen session tokens from a remote server, clear existing cookies in a victim’s browser, and replace them with tokens controlled by attackers. This essentially grants the attacker full access to the victim’s authenticated sessions.
These sophisticated techniques extended the threat far beyond standard spyware functionality, turning what appeared to be innocuous browser enhancements into fully functional account compromise tools.
Why Enterprises and Users Are at Risk
The attack vector exploited in this campaign reveals several broader issues in modern cybersecurity:
Trust in Browser Extensions
Many users and even IT teams tend to trust browser extensions published in official stores like the Chrome Web Store. However, attackers have repeatedly demonstrated that malicious actors can infiltrate these marketplaces, either by uploading malicious extensions directly or by purchasing legitimate ones and pushing malicious updates. This problem mirrors broader trends where trusted supply chains become conduits for malware delivery.
Security Tool Blind Spots
Even when a security team suspects malicious activity, browser extensions can be difficult to analyze—especially when they actively obstruct inspection or hide their true behavior behind obfuscated code. Some malware campaigns observed in recent months have weaponized extensions installed by millions of users over years, only revealing malicious behavior later.
Enterprise Complexity
Modern enterprises rely on a complex array of SaaS tools, third-party integrations, and remote access mechanisms. A compromised session in a single tool like Workday or NetSuite can have cascading consequences across multiple services. If malicious extensions can hijack sessions or prevent password resets and other normal incident response actions, the ability to remediate breaches becomes severely impaired.
Mitigation and Response
In light of these threats, organizations and individual users alike need to adopt more stringent browser security hygiene:
- Audit Installed Extensions: Regularly review the list of installed browser extensions across your organization. Remove any that are unnecessary or published by unknown developers.
- Restrict Extensions in Enterprise Environments: Many enterprise browsers allow administrators to whitelist approved extensions and block all others. This minimizes the risk of rogue extensions being installed by end users.
- Monitor for Anomalous Behavior: Look for signs of session anomalies, such as logins from unexpected locations or devices, and tie them back to extension usage if possible.
- User Education: Train employees about the risks associated with browser extensions and encourage them to install only those that are vetted by the security team.
Finally, users who have already installed suspicious extensions should remove them immediately, reset their passwords for affected services, and monitor for signs of unauthorized access.
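As an added example (not code from the article or from the researchers' report), the audit and allowlisting steps above in a Python script: it walks a Chrome profile's Extensions directory, flags the permission combinations that the cookie theft, DOM manipulation and cookie injection techniques described earlier depend on, and emits the ExtensionSettings policy body that blocks every extension except approved IDs. The extension IDs and the sample manifest are constructed placeholders, not the real campaign's artifacts.

```python
# Audit Chrome extension manifests for risky access and build an allowlist policy.
import json
from pathlib import Path

# API permissions that reach session cookies, requests, or page scripts.
RISKY_PERMISSIONS = {"cookies", "webRequest", "debugger", "scripting", "declarativeNetRequest"}
# Host patterns that expose every site's cookies and DOM, not just one application.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed placeholder ID for a vetted extension (not a real extension).
ALLOWLIST = {"abcdefghijklmnopabcdefghijklmnop"}


def assess_manifest(ext_id, manifest, allowlist=ALLOWLIST):
    """Return findings for one manifest (MV2 or MV3); an empty list means clean."""
    findings = []
    if ext_id not in allowlist:
        findings.append("not on the approved allowlist")
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 puts hosts here
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    # A content script matching every page can blank or redirect admin consoles.
    if any(set(cs.get("matches", [])) & BROAD_HOSTS for cs in manifest.get("content_scripts", [])):
        findings.append("content script on all pages")
    return findings


def audit_profile(extensions_dir, allowlist=ALLOWLIST):
    """Assess every <Extensions>/<id>/<version>/manifest.json under a Chrome profile."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = path.parent.parent.name
        with open(path, encoding="utf-8") as fh:
            report[ext_id] = assess_manifest(ext_id, json.load(fh), allowlist)
    return report


def allowlist_policy(allowlist=ALLOWLIST):
    """ExtensionSettings policy body: block every install except the approved IDs."""
    policy = {"*": {"installation_mode": "blocked"}}
    policy.update({i: {"installation_mode": "allowed"} for i in allowlist})
    return policy


# Constructed sample manifest modelled on the behaviour described in the article.
SUSPICIOUS = {"manifest_version": 3, "permissions": ["cookies", "storage", "scripting"],
              "host_permissions": ["<all_urls>"],
              "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]}
```

Point `audit_profile` at a profile's Extensions folder (for example `~/.config/google-chrome/Default/Extensions` on Linux) to get a per-ID findings map, and feed `allowlist_policy()` into the browser's managed ExtensionSettings policy.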
Conclusion
The discovery of these five malicious Chrome extensions is a stark reminder that even seemingly minor software components can pose a major threat when weaponized by attackers. As browser extensions continue to be widely used in both personal and professional settings, their security posture needs to be taken seriously by developers, platform providers, and end users alike.
The trend of hiding sophisticated credential theft and session hijacking capabilities inside browser add-ons underscores a broader shift in attacker methods: rather than relying on flashy zero-day exploits, many attackers are opting for subtle, persistent tricks that exploit everyday user behavior and trust. Staying ahead of such threats will require a combination of robust technical defenses, vigilant monitoring, and ongoing user awareness efforts.
