Cybersecurity researchers have uncovered a coordinated attack involving five malicious Google Chrome extensions that were falsely presented as tools related to enterprise platforms like Workday and NetSuite. These extensions were designed to silently take control of user accounts inside corporate environments.
The extensions appeared legitimate on the surface but were actually created to steal active login sessions and block security response actions.

Malicious Extensions Identified

The following five Chrome extensions were confirmed as part of the same attack campaign:
- DataByCloud Access
- Tool Access 11
- DataByCloud 1
- DataByCloud 2
- Software Access
Most of these were published under different developer names, but security researchers confirmed they shared the same internal logic and backend servers, indicating a single organized operation.

What These Extensions Did

Once installed, the extensions requested high-level browser permissions, especially access to cookies and scripting on Workday and NetSuite domains. After that, the attack progressed in stages:
- Authentication session theft
The extensions extracted login cookies from the browser and sent them to attacker-controlled servers at regular intervals.
- Blocking of security controls
Some extensions actively altered internal Workday pages, making important admin and security sections unusable. This included pages related to:

- Session hijacking
One extension, Software Access, went a step further by injecting stolen cookies into another browser, allowing attackers to log in as the victim without needing credentials or MFA.
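
A triage check defenders can run over extension manifests for the permission combination described in this section (cookie and scripting access reaching Workday and NetSuite domains). This is an added example, not code from the researchers; the domain watchlist and both sample manifests are constructed assumptions.

```python
# Assumption: watchlist of enterprise domains; extend with your tenant hostnames.
WATCHED_DOMAINS = ("workday.com", "myworkday.com", "netsuite.com")
RISKY_PERMISSIONS = {"cookies", "scripting"}


def is_host_pattern(entry):
    return "://" in entry or entry == "<all_urls>"


def pattern_covers_watched(pattern):
    """True if a Chrome match pattern can reach a watched domain."""
    if pattern == "<all_urls>":
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0].lower()
    if host == "*":
        return True
    wildcard = host.startswith("*.")
    base = host[2:] if wildcard else host
    return any(
        base == d or base.endswith("." + d) or (wildcard and d.endswith("." + base))
        for d in WATCHED_DOMAINS
    )


def audit_manifest(manifest):
    """Report risky API permissions combined with reach into watched domains."""
    declared = manifest.get("permissions", []) + manifest.get("optional_permissions", [])
    hosts = [p for p in declared if is_host_pattern(p)]  # Manifest V2 mixes hosts in here
    hosts += manifest.get("host_permissions", [])  # Manifest V3
    hosts += manifest.get("optional_host_permissions", [])
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    risky = sorted(RISKY_PERMISSIONS & {p for p in declared if not is_host_pattern(p)})
    reach = sorted({h for h in hosts if pattern_covers_watched(h)})
    # A hit is a triage signal for manual review, not proof of malice.
    return {"risky": risky, "reach": reach, "flag": bool(risky and reach)}


# Constructed manifests for illustration; not taken from the extensions named above.
SAMPLE_TARGETED = {
    "manifest_version": 3,
    "permissions": ["cookies", "scripting", "storage"],
    "host_permissions": ["https://*.workday.com/*", "https://*.netsuite.com/*"],
}
SAMPLE_BENIGN = {
    "manifest_version": 3,
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["https://www.example.org/*"], "js": ["a.js"]}],
}
```

To use it, load each installed extension's `manifest.json` with `json.load` and pass the resulting dict to `audit_manifest`; review any result where `flag` is true.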

Why This Attack Stands Out

This was not a generic malware campaign. It was specifically built for enterprise abuse. By targeting HR and ERP platforms, attackers could gain access to:
- Employee and payroll data
- Internal workflows
- Administrative controls
- Sensitive company records
Some of the extensions were first published as early as 2021, showing how long such threats can remain unnoticed when disguised as productivity tools.

Current Status

Most of the malicious extensions have been removed from the Chrome Web Store, but copies are still being distributed through third-party software websites. Researchers believe similar extensions may reappear under new names.
