Silent Session Hijack: Malicious Chrome Extensions Undermining Enterprise HR and ERP Security

Executive summary

A targeted browser-based attack campaign leveraged malicious Google Chrome extensions to compromise authenticated sessions of users accessing enterprise HR and ERP platforms. The extensions masqueraded as legitimate productivity or access tools and were voluntarily installed by users. Once installed, they abused legitimate browser extension APIs to steal session cookies, maintain persistent command-and-control communications, interfere with security controls, and in advanced cases inject stolen sessions back into browsers to enable silent account takeover.

The attack did not rely on software vulnerabilities, exploits, or malware droppers. Instead, it exploited trust in browser extensions, weak enterprise browser governance, and overreliance on MFA without session integrity controls. Although the total number of infected systems was limited, the impact potential was severe due to the sensitivity of the targeted systems.


Threat model and attacker intent

The attacker’s primary objective was long-term, stealthy access to enterprise HR and ERP platforms using valid authenticated sessions. The focus on session cookies rather than credentials indicates an intent to:

  • Bypass MFA and conditional access
  • Avoid triggering authentication alerts
  • Maintain persistence even after password changes
  • Operate with the same privileges as legitimate users, including administrators

This was not opportunistic malware; it was a precision access operation.


Initial access and execution

Installation vector

The extensions were installed through:

  • User-driven installation via Chrome extension mechanisms
  • Social engineering (search results, internal sharing, productivity claims)
  • Professional-looking extension metadata and descriptions

No exploit was used. The browser itself remained fully patched. Execution began immediately after installation due to background service workers defined in the extension manifest.


Extension internal architecture

Each malicious extension followed a standard Chrome extension design:

  • manifest.json defining permissions and domain access
  • Background service worker for persistent execution
  • Content scripts injected into targeted domains
  • Network communication handlers

This architecture allowed the extension to run continuously, intercept browser state, and communicate externally without user interaction.


Permission abuse (key enabler)

The extensions requested combinations of:

  • cookies
  • storage
  • scripting
  • tabs
  • background
  • declarativeNetRequest
  • Broad host permissions covering enterprise domains

Once granted, these permissions allowed full visibility into authenticated browser sessions. Chrome does not alert users when extensions actively access cookies or transmit data externally.


Primary payload: session cookie harvesting

Targeted data

The extensions focused exclusively on authenticated session cookies, not credentials.

They targeted:

  • Session identifiers
  • Auth tokens
  • Persistent login cookies
  • Domain-scoped cookies for HR and ERP platforms

Cookie harvesting workflow

  1. Background process queries Chrome’s cookie store
  2. Cookies filtered by domain and name patterns
  3. Extracted attributes:
    • Name
    • Value
    • Domain
    • Path
    • Expiry
    • Secure / SameSite flags
  4. Data serialized into JSON structures
  5. Payload transmitted externally

This process repeated at fixed intervals (commonly ~60 seconds), ensuring the attacker continuously received fresh session data.


Command-and-control (C2) communication

Communication methods

The extensions established outbound channels using:

  • HTTPS POST requests
  • Persistent WebSocket connections

These channels supported:

  • Cookie exfiltration
  • Heartbeat beacons
  • Receipt of commands or session data

Exfiltrated data fields

Outbound payloads commonly contained:

  • Full cookie sets
  • Extension ID and version
  • Browser user agent
  • OS platform
  • Timestamp
  • Unique installation identifier

Because the traffic originated from the legitimate browser process on managed user endpoints, it blended with normal browser activity.


Session replay and injection (advanced capability)

One extension variant supported bidirectional session handling. It could:

  • Receive session cookies from the attacker
  • Programmatically insert them into the browser cookie store

This allowed:

  • Immediate session impersonation
  • MFA bypass
  • Persistence without reauthentication
  • Use of stolen sessions across multiple environments

Because the platform saw only a valid session, no authentication alerts were triggered.


Active defense evasion and interference

Security page manipulation

Some extensions contained hardcoded URL lists corresponding to:

  • Password reset pages
  • MFA configuration pages
  • Admin dashboards
  • Audit and security logs

When users accessed these pages, the extension:

  • Removed or altered DOM elements
  • Redirected navigation
  • Displayed fake errors
  • Prevented form submissions

This blocked remediation while the attacker remained active.


Anti-analysis techniques

The extensions employed:

  • JavaScript obfuscation
  • Encoded strings for domains and paths
  • Detection of developer tools
  • Runtime logic to evade inspection

Because execution occurred entirely inside the browser:

  • No files were dropped
  • No registry or system changes occurred
  • Antivirus detection was minimal

Impact and risk assessment

Compromised sessions could provide access to:

  • Employee personal data
  • Payroll and banking details
  • Organizational role mappings
  • Administrative controls
  • Audit and compliance data

Potential consequences include:

  • Financial fraud
  • Data exfiltration
  • Privilege escalation
  • Lateral movement using trusted access
  • Follow-on attacks

Indicators of compromise

Malicious Chrome extension IDs

  • oldhjammhkghhahhhdcifmmlefibciph
  • mbjjeombjeklkbndcjgmfcdhfbjngcam
  • makdmacamkifdldldlelollkkjnoiedg
  • ijapakghdgckgblfgjobhcfglebbkebf
  • bmodapcihjhklpogdpblefpepjolaoij

Extension behavior indicators

  • Extensions requesting cookies + scripting
  • Persistent background service workers
  • Extensions active even when no tabs are open

Network indicators

  • Browser-originated WebSocket connections
  • Repeated outbound HTTPS POSTs at fixed intervals
  • Requests containing serialized cookie data
  • Requests to paths resembling /api/v1/*

Authentication indicators

  • Sessions without corresponding login events
  • MFA not triggered for new sessions
  • Identical session tokens used from multiple IPs
  • Impossible travel without reauthentication

User-visible indicators

  • Admin or security pages failing to load
  • MFA or password settings inaccessible
  • Browser issues isolated to specific enterprise sites

Detection rules and logic

1. Browser / MDM policy detection

  • Alert on installation of non-allowlisted extensions
  • Block extensions requesting cookie access unless explicitly approved
  • Detect extensions running persistent background workers
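As an added example (not code from the report or from any vendor tool), the following Python check scores an extension manifest against the permission profile described under "Permission abuse" and implements the first MDM rule above. The weights, thresholds and enterprise domain names are assumptions chosen for illustration, and the sample manifest is constructed.

```python
import json

# Permission weights are constructed for this example, not a vendor scoring scheme.
RISKY_PERMISSIONS = {"cookies": 3, "scripting": 2, "declarativeNetRequest": 2,
                     "tabs": 1, "background": 1}
# Hypothetical enterprise domains the reviewer wants to protect.
ENTERPRISE_DOMAINS = ("hr.example-corp.test", "erp.example-corp.test")
BROAD_PATTERNS = ("<all_urls>", "*://*/*", "https://*/*", "http://*/*")


def host_pattern_covers(pattern: str, domain: str) -> bool:
    """Rough check of whether a Chrome match pattern reaches a given domain."""
    if pattern in BROAD_PATTERNS:
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0]
    if host.startswith("*."):
        return domain == host[2:] or domain.endswith(host[1:])
    return host == domain


def assess_manifest(manifest: dict) -> dict:
    """Score a manifest against the cookie-theft permission profile."""
    perms = set(manifest.get("permissions", []))
    # MV2 manifests put host patterns inside "permissions"; MV3 uses host_permissions.
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
    score, findings = sum(RISKY_PERMISSIONS.get(p, 0) for p in perms), []
    if "cookies" in perms and {"scripting", "tabs"} & perms:
        findings.append("cookies combined with scripting/tabs")
    if any(h in BROAD_PATTERNS for h in hosts):
        score += 3
        findings.append("broad host permissions")
    reach = [d for d in ENTERPRISE_DOMAINS if any(host_pattern_covers(h, d) for h in hosts)]
    if reach:
        score += 2
        findings.append("host access to enterprise domains: " + ", ".join(reach))
    bg = manifest.get("background", {})
    if "service_worker" in bg or "scripts" in bg or bg.get("persistent"):
        score += 1
        findings.append("persistent background execution")
    verdict = "block" if score >= 8 else "review" if score >= 4 else "allow"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample manifest mirroring the permission set listed in the report.
SAMPLE_MANIFEST = json.loads('{"manifest_version": 3, "name": "Example Helper",'
                            ' "permissions": ["cookies", "storage", "scripting", "tabs",'
                            ' "background", "declarativeNetRequest"],'
                            ' "host_permissions": ["<all_urls>"],'
                            ' "background": {"service_worker": "sw.js"}}')
```

Running `assess_manifest(SAMPLE_MANIFEST)` returns a "block" verdict with all four findings; an MV2 manifest that names only the enterprise domains lands in "review", which is the case a human approver should look at.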

2. Endpoint detection logic (EDR)

Rule logic (conceptual):

  • Detect Chrome processes initiating WebSocket connections
  • Flag Chrome extensions invoking cookie enumeration APIs
  • Alert on extensions accessing cookies for enterprise domains

3. Network detection rules

Proxy / firewall logic

  • Alert on repeated outbound HTTPS requests from user endpoints to unknown APIs
  • Detect periodic traffic with consistent timing intervals
  • Flag browser-originated WebSocket sessions lasting unusually long
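An added example, not from the original post, of the "periodic traffic with consistent timing intervals" rule: it parses a constructed proxy log (the line format is assumed) and flags outbound POSTs from a host to a non-approved destination whose timing is as regular as the ~60 second harvesting cycle described earlier. The jitter threshold, minimum event count and approved-destination list are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the incident): timestamp, source host,
# destination, method, path, bytes out. ws-1042 posts every ~60 s; ws-2210 uploads irregularly.
PROXY_LOG = """\
2024-05-01T09:00:00Z ws-1042 api.attacker.example POST /api/v1/collect 2310
2024-05-01T09:00:04Z ws-1042 intranet.example-corp.test GET /home 120
2024-05-01T09:01:00Z ws-1042 api.attacker.example POST /api/v1/collect 2305
2024-05-01T09:01:31Z ws-2210 cdn.vendor.example POST /upload 900
2024-05-01T09:02:01Z ws-1042 api.attacker.example POST /api/v1/collect 2318
2024-05-01T09:02:59Z ws-1042 api.attacker.example POST /api/v1/collect 2311
2024-05-01T09:03:20Z ws-2210 cdn.vendor.example POST /upload 1200
2024-05-01T09:04:00Z ws-1042 api.attacker.example POST /api/v1/collect 2309
2024-05-01T09:09:10Z ws-2210 cdn.vendor.example POST /upload 300
2024-05-01T09:15:45Z ws-2210 cdn.vendor.example POST /upload 5000
"""
APPROVED_DESTINATIONS = {"intranet.example-corp.test", "docs.example-corp.test"}


def parse_log(text):
    """Yield (timestamp, host, dest, method, path, bytes) per line of the constructed format."""
    for line in text.splitlines():
        ts, host, dest, method, path, nbytes = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), host, dest, method, path, int(nbytes)


def find_beacons(text, min_events=4, max_jitter=0.2):
    """Flag (host, dest) pairs whose outbound POST timing is regular enough to look like a beacon."""
    times = defaultdict(list)
    for ts, host, dest, method, _path, _nbytes in parse_log(text):
        if method == "POST" and dest not in APPROVED_DESTINATIONS:
            times[(host, dest)].append(ts)
    alerts = []
    for (host, dest), stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Coefficient of variation of the gaps: near zero means a fixed-interval heartbeat.
        cv = pstdev(gaps) / period if period else 1.0
        if cv <= max_jitter:
            alerts.append({"host": host, "dest": dest, "period_s": round(period),
                           "cv": round(cv, 3), "events": len(stamps)})
    return alerts
```

On the sample log only ws-1042 is flagged, with a 60 second period; the irregular uploads from ws-2210 stay below the bar even though they go to an unapproved host.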

4. Identity detection rules

Session anomaly detection

  • Alert on session creation without authentication logs
  • Detect reuse of identical session IDs
  • Alert on concurrent sessions from distant geolocations

5. Example SIEM rule

IF
  process = chrome*
  AND network_connection = websocket
  AND destination NOT IN approved_domains
THEN
  raise high_severity_alert

6. Example session integrity rule

IF
  session_created = true
  AND authentication_event = false
THEN
  investigate session hijacking
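An added example, not from the original post, that implements the session integrity rule above together with the "identical session tokens used from multiple IPs" indicator over a constructed identity log. The event names, field layout and the five-minute login window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed identity-log events (not from the incident): (time, event, user, session id, source ip).
EVENTS = [
    ("2024-05-01T08:00:00", "login_mfa",       "alice", "S-111", "203.0.113.10"),
    ("2024-05-01T08:00:02", "session_created", "alice", "S-111", "203.0.113.10"),
    ("2024-05-01T08:30:00", "session_created", "alice", "S-111", "198.51.100.7"),  # replayed cookie
    ("2024-05-01T09:10:00", "login_mfa",       "bob",   "S-222", "203.0.113.22"),
    ("2024-05-01T09:10:01", "session_created", "bob",   "S-222", "203.0.113.22"),
    ("2024-05-01T09:45:00", "session_created", "carol", "S-333", "198.51.100.9"),  # no login at all
]
# How long after a login a new session is still considered explained by it (assumed value).
LOGIN_WINDOW = timedelta(minutes=5)


def find_session_anomalies(events, window=LOGIN_WINDOW):
    """Return (user, session, ip, reason) alerts for the two session-integrity checks above."""
    rows = sorted((datetime.fromisoformat(t), kind, user, sess, ip) for t, kind, user, sess, ip in events)
    logins = {}       # user -> login timestamps seen so far
    session_ips = {}  # session id -> set of source IPs seen so far
    alerts = []
    for ts, kind, user, sess, ip in rows:
        if kind == "login_mfa":
            logins.setdefault(user, []).append(ts)
        elif kind == "session_created":
            # Rule 1: a new session should follow an authentication event within the window.
            explained = any(timedelta(0) <= ts - t <= window for t in logins.get(user, []))
            if not explained:
                alerts.append((user, sess, ip, "session_without_login"))
            # Rule 2: the same session identifier should not surface from a second IP.
            ips = session_ips.setdefault(sess, set())
            if ips and ip not in ips:
                alerts.append((user, sess, ip, "session_id_on_multiple_ips"))
            ips.add(ip)
    return alerts
```

On the sample events alice's replayed session trips both rules and carol's session trips the first; bob, who logged in with MFA one second before his session appeared, produces nothing.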

Incident response workflow

  1. Identify endpoints with malicious extensions
  2. Remove extensions using centralized policy
  3. Block outbound attacker infrastructure
  4. Invalidate all active sessions
  5. Reset credentials and MFA from clean devices
  6. Audit admin and financial activity
  7. Monitor for session reuse
  8. Enforce strict browser extension allowlists

Long-term defensive measures

  • Treat browser extensions as executable code
  • Enforce enterprise browser management
  • Monitor session lifecycle, not just authentication
  • Restrict cookie access permissions
  • Increase visibility into browser network behavior

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.