Jan 19 / Latest News

Malicious Chrome Extensions Target Enterprises with RATs

Security researchers have uncovered a coordinated wave of malicious browser extensions explicitly designed to bypass traditional security controls and deploy remote access trojans (RATs) onto corporate networks.

The alarm was raised following the discovery of "NexShield," a malicious extension masquerading as a legitimate ad blocker to lure users into compromising their own systems. Huntress researchers identified that the extension, which was distributed via the official Chrome Web Store and promoted through Google Search ads, utilized complex social engineering to target domain-joined machines—typically high-value corporate endpoints with access to Active Directory and sensitive internal resources. Victims were drawn in by promises of a safer browsing experience and a download page claiming the software was built by the creator of the popular uBlock Origin. Once installed, the extension functioned as a clone of the legitimate software for an hour before initiating a denial-of-service (DoS) loop, freezing the browser to force the user into a panic.

When users attempted to restart their browsers, NexShield displayed a fabricated "CrashFix" security warning. This pop-up instructed victims to open the Windows Run dialog and paste a command from their clipboard to "fix" the issue. Unbeknownst to the user, the extension had silently copied a malicious PowerShell script to the clipboard. By following the instructions, victims inadvertently downloaded a previously undocumented Windows remote access trojan, dubbed "ModeloRAT," using the legitimate Windows utility finger.exe to bypass detection. The malware specifically checks for domain-joined status, indicating a strategic preference for enterprise environments where attackers can pivot laterally to harvest credentials and access higher-value assets. While NexShield has since been removed from the store, it highlights a growing trend of utilizing the browser as a beachhead for corporate espionage.

The threat to enterprise environments extends beyond remote access tools to direct attacks on business-critical applications. Distinct research from Socket identified a separate cluster of five malicious extensions targeting human resources and enterprise resource planning (ERP) platforms, including Workday, NetSuite, and SAP SuccessFactors. Masquerading as productivity tools under names like "DataByCloud" and "Software Access," these extensions were collectively downloaded by 2,300 users. Once installed, they exfiltrated authentication cookies to remote servers, allowing attackers to hijack active sessions. Crucially, these extensions also blocked access to security administration pages, preventing IT teams from changing passwords or managing two-factor authentication. Socket researchers described this as a "containment failure," forcing organizations to migrate users to entirely new accounts to stop the unauthorized access, significantly disrupting business operations. Experts are now urging enterprise administrators to enforce strict allowlists, disable Developer Mode on browsers, and actively monitor all installed extensions for post-update behavioral changes.
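A defender-side starting point for the last two recommendations (allowlists and monitoring for post-update changes), added here as an example that is not part of the article or of the Huntress and Socket research: a PowerShell script that inventories Chrome extensions from the current user's profiles, flags IDs outside an allowlist, and compares versions and permissions against a saved baseline. The allowlist IDs and the baseline path are placeholders.

```powershell
# Added example, not from the article or the cited researchers. Inventories Chrome
# extensions for the current Windows user, flags IDs not on an allowlist, and diffs
# against a saved baseline so a silent update that changes version or permissions shows up.
# Chrome's on-disk layout: <User Data>\<Profile>\Extensions\<extension id>\<version>\manifest.json
$Allowlist    = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb')  # placeholder IDs
$BaselinePath = Join-Path $env:ProgramData 'ExtAudit\chrome-extensions-baseline.json'   # assumed location

function Get-ChromeExtensionInventory {
    param([string]$UserData = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'))
    Get-ChildItem -Path $UserData -Directory -ErrorAction SilentlyContinue |
      Where-Object { Test-Path (Join-Path $_.FullName 'Extensions') } |
      ForEach-Object {
        $profileName = $_.Name
        Get-ChildItem (Join-Path $_.FullName 'Extensions') -Directory | ForEach-Object {
            $id = $_.Name
            # One sub-folder per installed version; read the most recently written one.
            $verDir = Get-ChildItem $_.FullName -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if (-not $verDir) { return }
            $manifest = Join-Path $verDir.FullName 'manifest.json'
            if (-not (Test-Path $manifest)) { return }
            $m = Get-Content $manifest -Raw | ConvertFrom-Json
            [pscustomobject]@{
                Profile     = $profileName
                Id          = $id
                Name        = $m.name      # may be a __MSG_*__ placeholder for localised names
                Version     = $m.version
                Permissions = ((@($m.permissions) + @($m.host_permissions)) | Where-Object { $_ } | Sort-Object) -join ','
                Allowed     = $Allowlist -contains $id
            }
        }
      }
}

function Compare-ExtensionBaseline {
    param([object[]]$Current)
    if (-not (Test-Path $BaselinePath)) {
        New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
        $Current | ConvertTo-Json -Depth 3 | Set-Content $BaselinePath
        Write-Output 'Baseline written; re-run after extension updates to see what changed.'
        return
    }
    $base = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($ext in $Current) {
        $old = $base | Where-Object { $_.Id -eq $ext.Id -and $_.Profile -eq $ext.Profile }
        if (-not $ext.Allowed) { Write-Warning "NOT ON ALLOWLIST: $($ext.Id) '$($ext.Name)' in profile $($ext.Profile)" }
        elseif (-not $old) { Write-Warning "NEW SINCE BASELINE: $($ext.Id) '$($ext.Name)'" }
        elseif ($old.Permissions -ne $ext.Permissions) { Write-Warning "PERMISSIONS CHANGED: $($ext.Id) [$($old.Permissions)] -> [$($ext.Permissions)]" }
        elseif ($old.Version -ne $ext.Version) { Write-Output "Updated: $($ext.Id) $($old.Version) -> $($ext.Version); review before trusting" }
    }
}

Compare-ExtensionBaseline -Current @(Get-ChromeExtensionInventory)
```

Run it in each user's context, or point `-UserData` at each `C:\Users\<name>\AppData\Local\Google\Chrome\User Data` from an admin session; Chrome's own bundled extensions appear in the inventory too and belong on the allowlist once reviewed.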