Malicious ‘Sleeper Agent’ Browser Extensions Infected 1.5 Million Users Globally

LayerX, a cybersecurity firm, has uncovered a sophisticated network of malicious browser extensions, dubbed “sleeper agents,” that are currently installed on nearly 1.5 million devices worldwide.

These extensions, masquerading as legitimate in-browser sound management tools, are built on a shared codebase and infrastructure, indicating a coordinated effort by a single developer or group.

Despite their benign appearance and useful-sounding features, these extensions harbor hidden capabilities.

They can execute remote commands, open background tabs, communicate with known malicious domains, and use encryption and base64 code obfuscation to hide their activity from traditional security tools.

This stealthy infrastructure allows attackers to activate malicious behavior at any time, turning unsuspecting users’ browsers into potential launchpads for future cyberattacks.

Shared Malicious Codebase and Remote Command Execution

A deep dive into the code reveals striking similarities with previously removed malicious extensions, most notably ReadBee (Extension ID: phjbepamfhjgjdgmbhmfflhnlohldchb).

The core of this infrastructure is the ExtStatTracker class, which silently tracks user activity and enables remote command execution.

This class encodes user data and sends it to external servers, such as readrbee.com, and can open arbitrary URLs in new tabs without user consent.

Below is a simplified excerpt of the ExtStatTracker class, highlighting its core functionality:

```javascript
class ExtStatTracker {
    constructor() {
        this.installUrl = "https://readrbee.com/install/";
        this.uninstallUrl = "https://readrbee.com/uninstall/";
        this.uid = "";
        this.version = chrome.runtime.getManifest().version;
        this.initStorage();
        this.initListeners();
    }
    processQueue() {
        // Sends encoded user data and executes remote commands
        // Opens arbitrary URLs via chrome.tabs.create()
    }
    setUninstallUrl() {
        // Sets uninstall URL with encoded user data
    }
    initListeners() {
        // Listens for install/update events and queues actions
    }
    initStorage() {
        // Retrieves and stores persistent user identifiers
    }
}
const extStatTracker = new ExtStatTracker();
```

This infrastructure enables silent tracking, dynamic behavior injection, and persistent communication with external command-and-control (C2) servers, often using obfuscated and encrypted traffic to evade detection.

Obfuscated Ownership and Widespread Impact

LayerX has identified at least four extensions involved in this campaign, all centered on sound management, with a combined user base exceeding 1.2 million.

These extensions are still available on the Chrome Web Store, and their publishers use different names, anonymous webmail addresses, and lack public-facing websites, making attribution nearly impossible.

Suspected Malicious Extensions

| Extension Name | Extension ID | Users |
| --- | --- | --- |
| Sound Booster | pmilcmjbofinpnbnpanpdadijibcgifc | 200,000 |
| Volume Max – Ultimate Sound Booster | mgbhdehiapbjamfgekfpebmhmnmcmemg | 1,000,000 |
| Volume Master: Master Your Sound | eoejmjkddfbhhnbmklhccnppogeaeeah | 3,000 |
| Volume Booster: Ultimate Sound Enhancer | dlcgileladmbfijjmnleehhoebpggpjl | 2,000 |

Several of these extensions have already been flagged as malicious by security vendors on platforms like VirusTotal, yet they remain accessible to users.

The extensions communicate with domains such as francjohn[.]com and jermikro[.]com, some of which have histories of malware activity.
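The behaviour described for the ExtStatTracker class (remote tab opening, base64 encoding of beacon data, hard-coded C2 hosts) and the extension IDs and domains listed above can be turned into a local audit of a Chrome profile. The script below is an added example, not LayerX's tooling or code from the extensions themselves: it walks the standard <profile>/Extensions/<id>/<version>/ layout, flags the listed IDs and domains, and reports broad permissions combined with `chrome.tabs.create` and `atob`/`btoa` calls in the extension's JavaScript. The sample profile it builds is constructed for the demonstration; the IDs and domains come from the article.

```python
"""Audit a Chrome profile's Extensions directory for the indicators above.

Added example (not LayerX's or the article's code). Assumes the standard
Chrome layout <profile>/Extensions/<extension id>/<version>/manifest.json.
The sample extensions in build_sample_profile() are constructed.
"""
import json
import re
import tempfile
from pathlib import Path

# Extension IDs named in the article (four live extensions plus ReadBee).
KNOWN_BAD_IDS = {
    "pmilcmjbofinpnbnpanpdadijibcgifc",
    "mgbhdehiapbjamfgekfpebmhmnmcmemg",
    "eoejmjkddfbhhnbmklhccnppogeaeeah",
    "dlcgileladmbfijjmnleehhoebpggpjl",
    "phjbepamfhjgjdgmbhmfflhnlohldchb",  # ReadBee, previously removed
}
# C2 / beacon domains named in the article.
KNOWN_BAD_DOMAINS = {"readrbee.com", "francjohn.com", "jermikro.com"}

# Permissions that let an extension open tabs or reach any origin.
BROAD_PERMISSIONS = {"tabs", "<all_urls>", "http://*/*", "https://*/*", "*://*/*"}

# Source patterns matching the described behaviour.
SOURCE_PATTERNS = {
    "tabs_create": re.compile(r"chrome\.tabs\.create\s*\("),
    "base64": re.compile(r"\b(?:atob|btoa)\s*\("),
    "ext_stat_tracker": re.compile(r"\bExtStatTracker\b"),
}
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def audit_extension(ext_dir: Path) -> dict:
    """Return findings for one <Extensions>/<id> directory."""
    ext_id = ext_dir.name
    findings = {"id": ext_id, "name": "", "known_bad_id": ext_id in KNOWN_BAD_IDS,
                "broad_permissions": [], "bad_domains": set(), "source_hits": set()}
    for manifest_path in ext_dir.glob("*/manifest.json"):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        findings["name"] = manifest.get("name", "")
        declared = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        findings["broad_permissions"] = sorted(p for p in declared if p in BROAD_PERMISSIONS)
        # Scan every script shipped in the version directory.
        for js_path in manifest_path.parent.rglob("*.js"):
            src = js_path.read_text(encoding="utf-8", errors="replace")
            for label, pattern in SOURCE_PATTERNS.items():
                if pattern.search(src):
                    findings["source_hits"].add(label)
            for host in DOMAIN_RE.findall(src):
                if host.lower() in KNOWN_BAD_DOMAINS:
                    findings["bad_domains"].add(host.lower())
    findings["bad_domains"] = sorted(findings["bad_domains"])
    findings["source_hits"] = sorted(findings["source_hits"])
    # A known ID or a known domain is decisive; otherwise require broad
    # permissions together with remote tab opening in the code.
    findings["suspicious"] = (
        findings["known_bad_id"]
        or bool(findings["bad_domains"])
        or (bool(findings["broad_permissions"]) and "tabs_create" in findings["source_hits"])
    )
    return findings


def audit_profile(profile_dir: Path) -> list:
    """Audit every extension installed under profile_dir/Extensions."""
    ext_root = profile_dir / "Extensions"
    return [audit_extension(d) for d in sorted(ext_root.iterdir()) if d.is_dir()]


def build_sample_profile() -> Path:
    """Constructed sample: one benign extension, one mimicking the described pattern."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "abcdefghijklmnopabcdefghijklmnop": (  # constructed benign ID
            {"name": "Note Taker", "version": "1.0", "permissions": ["storage"]},
            "chrome.storage.local.set({notes: []});",
        ),
        "pmilcmjbofinpnbnpanpdadijibcgifc": (  # Sound Booster ID from the article
            {"name": "Sound Booster", "version": "2.3",
             "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
            "class ExtStatTracker { constructor(){ this.installUrl = 'https://readrbee.com/install/'; } }\n"
            "function run(cmd){ chrome.tabs.create({url: atob(cmd)}); }",
        ),
    }
    for ext_id, (manifest, background_js) in samples.items():
        ver_dir = root / "Extensions" / ext_id / manifest["version"]
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        (ver_dir / "background.js").write_text(background_js, encoding="utf-8")
    return root


if __name__ == "__main__":
    for f in audit_profile(build_sample_profile()):
        print(f"{f['id']} {f['name']!r}: suspicious={f['suspicious']} "
              f"perms={f['broad_permissions']} hits={f['source_hits']} domains={f['bad_domains']}")
```

Point `audit_profile()` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to audit a live install. The permission-plus-`tabs.create` heuristic will also match legitimate tab-management extensions, so treat those hits as a review queue rather than a verdict; the ID and domain matches are the high-confidence signals.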

A New Era of Browser-Based Botnets

The discovery of this “sleeper” extension network signals a shift in cybercriminal tactics.

Instead of building traditional botnets from compromised IoT devices, attackers are leveraging browser extensions to gain persistent, stealthy access to sensitive user data, including cookies, passwords, and browsing activity.

The infrastructure allows for malicious capabilities to be activated or deactivated remotely, making continuous monitoring and vetting of browser extensions more important than ever.

Security experts urge users and organizations to remain vigilant, regularly audit installed extensions, and treat even seemingly innocuous tools with caution, as the threat landscape continues to evolve in sophistication and scale.

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.