Recent research reveals two distinct but similar malicious Chrome browser extension campaigns that demonstrate how threat actors are increasingly abusing trusted browser extension ecosystems to gain initial access, steal sessions, and compromise enterprise environments.
What’s Notable and Unique
- In mid-January 2026, cybersecurity researchers uncovered a coordinated cluster of five malicious Chrome extensions masquerading as enterprise productivity or access management tools for popular Human Resource and Enterprise Resource Planning platforms such as Workday, NetSuite, and SAP SuccessFactors.
- Although published under different names, the extensions shared identical infrastructure, code patterns, and attack logic, indicating a single, well-organized operation. These extensions enabled session hijacking and full account takeover by abusing browser-level access.
- In January, researchers also documented a separate campaign, dubbed “CrashFix,” which uses a different but equally effective browser extension-based attack vector. In this case, a malicious Chrome extension named NexShield impersonated the legitimate uBlock Origin Lite ad blocker and was distributed through malicious ads that redirected users to the official Chrome Web Store where they would be prompted to download the malicious version.
- The technique mentioned above is yet another evolution of the ClickFix style social engineering that emerged in 2025, in which users are tricked into executing malicious commands themselves. In CrashFix attacks, following the instructions led to the execution of PowerShell commands that downloaded and installed ModeloRAT, a previously undocumented Python based remote access trojan.
Analyst Comments
Browser extensions are being weaponized as highly trusted initial access vectors, with attackers blending technical abuse (cookie theft, resource exhaustion) with social engineering (productivity branding, fake repair prompts). Together, these two recent findings demonstrate that malicious Chrome extensions pose a risk as a primary entry point for enterprise compromise, making browser extension governance, monitoring, and user education a critical defensive priority. Organizations should monitor for hidden PowerShell processes that are accessing browser cache folders and limit the use of PowerShell to privileged administrators. Organizations should also continue to promote and update their security awareness training, educating employees on newer social engineering techniques such as ClickFix.
Sources
Related Resources
![]()
LockBit 5.0: The RaaS That Refuses to Go Away
LockBit 5.0 ransomware marks the group’s attempted resurgence, introducing updated Windows and Linux variants, enhanced anti-analysis features, and a newly launched data leak site with over 100 alleged victims.
Read more![]()
Ransomware Trends & Data Insights: December 2025
Get the latest ransomware trends and data insights from December 2025.
Read more![]()
An Apple A (Zero) Day
Apple released patches for two WebKit zero-day vulnerabilities exploited in sophisticated attacks. Users should update devices immediately to stay secure.
Read more
