Malicious Chrome VPN Extensions Installed 1.5 Million Times Hijacks Browser

In a recent cybersecurity revelation, a highly sophisticated cyber attack campaign has emerged, weaving a web of deceit through malicious web extensions cunningly disguised as VPNs. 

ReasonLabs, a cybersecurity firm, has discovered online piracy tactics involving hidden web extensions.


The assailants employed a multifaceted strategy, exploiting the allure of pirated game torrents featuring popular titles such as GTA and Assassin’s Creed as their primary attack vectors.

The focal point of this insidious campaign revolves around the deployment of fake VPN extensions, masquerading as “netPlus” for Chrome users and “netSave/netWin” for Edge enthusiasts. 

Astoundingly, these extensions managed to amass a staggering 1.5 million downloads, catapulting unsuspecting users into a realm of peril.

Source: chrome-statsuser count

The malicious activities orchestrated by these insidious extensions are far-reaching. 

They include hijacking browser activity and web requests, disabling competing cash-back extensions, and surreptitiously installing additional extensions to amplify their manipulation capabilities. 

The potential motives behind this covert operation include collecting user data and injecting intrusive advertisements.

Additional Insights

Delving into the technical intricacies of the attack, the Trojan installer embedded within pirated game torrents employs an innovative registry method for forcefully installing these malevolent extensions. 

Furthermore, these extensions establish communication channels with command-and-control (C2) servers, revealing a disconcerting connection to Russia-based domains upon network analysis.

The ramifications of this cyber onslaught are profound: compromising user privacy, manipulating browsing activity for potential financial gains through cashback manipulation and ad injection, and exposing users to heightened risks of identity theft and other cybercrimes.

Unraveling additional insights, it becomes apparent that the attack campaign specifically targeted Russian-speaking users, employing advanced techniques to circumvent browser security measures. 

Swift action was taken by Google, who promptly removed all identified extensions from the Chrome Web Store, underscoring the imperative role platforms play in safeguarding users against such threats.


In the wake of this revelation, users must exercise caution and refrain from downloading content from unofficial sources, particularly pirated files. 

Essential precautions include the deployment of robust antivirus and anti-malware software equipped with browser protection. 

Users are urged to meticulously review browser extensions before installation, remaining vigilant against potential threats.

The significance of reporting any suspicious activity to relevant authorities cannot be overstated, as collective efforts are essential in combating the ever-evolving landscape of cybercrime. 

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.