Security Arsenal is tracking an active social engineering campaign currently targeting Windows users. Attackers are deceiving victims into installing a malicious Google Chrome extension. Once installed, this extension actively steals session cookies, allowing threat actors to bypass multi-factor authentication (MFA) and seize control of user accounts. This is not a theoretical vulnerability; it is an active exploitation chain relying on the abuse of legitimate browser extensibility features.
For SOC analysts and incident responders, the urgency is high: standard MFA controls are ineffective against session token theft. If a user is tricked into installing this extension, their active web sessions—email, banking, SaaS platforms—are immediately compromised.
Technical Analysis
- Vector: Social Engineering (likely phishing pages or malicious advertisements prompting a "fake" update or utility install).
- Platform: Windows workstations running Google Chrome.
- Mechanism: The campaign installs a malicious browser extension (
.crx). Rather than exploiting a zero-day in the Chrome renderer, the abuse occurs within the extension's permissions. The malicious code utilizes browser APIs or direct filesystem access to read theCookiesSQLite database or intercept network traffic to extract authentication session tokens. - Impact: Full Account Takeover (ATO). By exfiltrating the session cookie, the attacker gains authenticated access without needing credentials or 2FA codes.
- Exploitation Status: Active exploitation confirmed in the wild via user installation.
CVE Identifier
This specific campaign involves the abuse of browser features rather than a specific software vulnerability (CVE). The "vulnerability" here is the human element (social engineering) combined with the broad permissions requested by the extension. Therefore, there is no CVE to patch for this specific threat activity. Defense relies on detection of the installation behavior and the subsequent access to credential artifacts.
Detection & Response
The following detection logic focuses on identifying suspicious access to Chrome's sensitive cookie files and the persistence mechanisms often used to force-install extensions.
SIGMA Rules
---
title: Chrome Cookie Database Access by Non-Chrome Process
id: a1b2c3d4-5e6f-4a3b-8c7d-9e0f1a2b3c4d
status: experimental
description: Detects processes other than chrome.exe accessing the Chrome 'Cookies' file, a common behavior of info-stealers and malicious extensions accessing the filesystem.
references:
- https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2026/06/23
tags:
- attack.credential_access
- attack.t1005
logsource:
category: file_access
product: windows
detection:
selection:
TargetFilename|contains: '\Google\Chrome\User Data\Default\Cookies'
filter_main_browser:
Image|endswith:
- '\chrome.exe'
- '\chrome_proxy.exe'
condition: selection and not filter_main_browser
falsepositives:
- Antivirus scans
- Backup utilities
- Forensic tools
level: high
---
title: Chrome Extension Policy Force Installed
id: b2c3d4e5-6f7a-5b4c-9d8e-0f1a2b3c4d5e
status: experimental
description: Detects modifications to the Windows Registry to force-install a Chrome extension, a common persistence method for malware.
references:
- https://attack.mitre.org/techniques/T1542/001/
author: Security Arsenal
date: 2026/06/23
tags:
- attack.persistence
- attack.t1542.001
logsource:
category: registry_set
product: windows
detection:
selection:
TargetObject|contains: '\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
condition: selection
falsepositives:
- Legitimate IT administration tools
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for processes accessing Chrome Cookies other than Chrome itself
DeviceFileEvents
| where FolderPath endswith @"\Google\Chrome\User Data\Default\Cookies"
| where InitiatingProcessFileName !in ("chrome.exe", "chrome_proxy.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ActionType, FolderPath
| order by Timestamp desc
Velociraptor VQL
-- Hunt for recently modified Manifest files in Chrome Extensions
-- Malicious campaigns often drop new extensions or update existing ones
SELECT FullPath, Mtime, Size,
read_file(filename= FullPath + "\manifest.") AS ManifestContent
FROM glob(globs="*/Local/Google/Chrome/User Data/Default/Extensions/*/manifest.")
WHERE Mtime > now() - 7D
-- Optional: Look for specific keywords in manifest if known threat intel exists
-- AND ManifestContent =~ "permissions.*tabs"
Remediation Script (PowerShell)
# Audit Chrome for Force-Installed Extensions via Registry
$regPaths = @(
"HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
"HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist"
)
foreach ($path in $regPaths) {
if (Test-Path $path) {
Write-Host "[WARNING] Force Install Policy found at: $path" -ForegroundColor Yellow
Get-Item -Path $path | Get-ItemProperty | Format-List
} else {
Write-Host "[INFO] No policy found at: $path" -ForegroundColor Green
}
}
# List Extensions modified in the last 24 hours
$extensionPath = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions"
if (Test-Path $extensionPath) {
Write-Host "\nChecking for extensions modified in the last 24 hours..."
Get-ChildItem -Path $extensionPath -Recurse -File -Filter "manifest." |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddHours(-24) } |
Select-Object FullName, LastWriteTime, Length
} else {
Write-Host "Chrome extension path not found."
}
Remediation
- Immediate Containment: Instruct the affected user to disconnect the device from the network (Wi-Fi/Ethernet) to prevent further exfiltration of session tokens.
- Remove the Extension:
- Open Google Chrome.
- Navigate to
chrome://extensions/. - Identify any extension that the user does not recognize or did not intentionally install.
- Click Remove.
- Kill Sessions: Since session cookies were likely stolen, the user must log out of all critical web applications (Email, CRM, Banking) from a trusted device. Most services offer a "Sign out of all sessions" or "Manage active sessions" feature in settings.
- Credential Reset: Force a password reset for the compromised accounts to invalidate the session tokens.
- System Scan: Perform a full scan with an updated Endpoint Detection and Response (EDR) or antivirus solution to ensure no secondary payloads (e.g., information stealers like RedLine or Vidar) were dropped alongside the extension.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.