A large browser extension campaign has compromised more than 130,000 users by disguising malicious tools as TikTok video downloaders, with researchers at LayerX Security saying the operation targeted both Google Chrome and Microsoft Edge marketplaces and left about 12,500 infections still active.
Attackers published at least 12 extensions that appeared legitimate, using names such as TikTok Video Downloader and Mass TikTok Downloader. Rather than building each one separately, they relied on a shared codebase that allowed them to quickly clone and rebrand applications. When one extension was removed by store moderators, a nearly identical version was uploaded with the same descriptions and visuals, helping keep the campaign active. Several of the extensions also obtained featured status in official extension stores, a label typically linked to trusted and vetted applications that significantly boosted user confidence and download rates.
Malicious Features Activated After Trust Was Built
The extensions initially behaved as advertised for several months, helping them avoid early detection. Only after building user trust and a large install base did the attackers remotely enable tracking and data harvesting functions.
Once activated, the tools began collecting detailed telemetry to build unique user fingerprints. The data gathered included browsing patterns, download metadata, system language, timezone and even battery status, an unusual metric that can help uniquely identify devices. This level of tracking enabled persistent user identification across sessions and raised serious privacy and security concerns.
Dynamic Remote Configuration Enabled Evasion
The campaign’s sophistication lay in its use of dynamic remote configuration. All extensions were built using Manifest V3 and retrieved operational instructions from attacker-controlled servers after installation. This allowed threat actors to alter behaviour in real time without triggering store security checks.
The operation relied on external JSON-based configuration files hosted on attacker-controlled domains. Those domains used typosquatting techniques, including names such as trafficreqort.com and tiktak, to appear legitimate and avoid detection by both users and automated tools. Through this mechanism, attackers could activate malicious features after installation, modify data collection settings without user consent, redirect traffic to suspicious or malicious domains, and expand surveillance capabilities dynamically.
Browser Security Model Comes Under Strain
The campaign has drawn attention to a critical weakness in browser security models, which largely focus on extension validation at the point of installation. Because the malicious behaviour was activated only after installation, the tools were able to bypass traditional defences.
Since browser extensions operate inside authenticated sessions, they can potentially access sensitive data and may also be used in larger attacks, including botnet deployment. Although no specific threat group has been named, the coordinated infrastructure and shared codebase point to a well-organised and persistent actor. Security experts have urged organisations to adopt continuous monitoring that can detect suspicious network requests, unauthorised permission changes and unusual DOM interactions to counter evolving extension-based threats.
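As an added, defender-side example (not code from the report or from LayerX), the following Python script runs the kind of network-request check recommended above over a constructed browser-request log: it flags extension-originated JSON fetches whose hostname is one edit away from a watchlist brand (the typosquatting pattern described in the remote-configuration section, using the trafficreqort and tiktak names from the report) or that are polled repeatedly, as a remote-config beacon would be. The log format, the extension IDs and the brand watchlist are assumptions.

```python
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample log: one JSON record per browser request. "initiator" is the
# origin that issued the request; extension IDs below are placeholders, not real ones.
SAMPLE_LOG = """\
{"ts": "2025-01-01T10:00:00Z", "initiator": "chrome-extension://placeholderext0001", "url": "https://trafficreqort.com/cfg/v3.json", "content_type": "application/json"}
{"ts": "2025-01-01T10:05:00Z", "initiator": "chrome-extension://placeholderext0001", "url": "https://trafficreqort.com/cfg/v3.json", "content_type": "application/json"}
{"ts": "2025-01-01T10:10:00Z", "initiator": "chrome-extension://placeholderext0001", "url": "https://trafficreqort.com/cfg/v3.json", "content_type": "application/json"}
{"ts": "2025-01-01T10:11:00Z", "initiator": "https://www.tiktok.com", "url": "https://www.tiktok.com/api/item", "content_type": "application/json"}
{"ts": "2025-01-01T10:12:00Z", "initiator": "chrome-extension://placeholderext0002", "url": "https://tiktak-cdn.example/c.json", "content_type": "application/json"}
"""

# Assumed watchlist of brand names that attacker domains tend to imitate.
BRANDS = ["tiktok", "trafficreport"]

def levenshtein(a, b):
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_of(host, max_distance=1):
    """Return the brand a hostname label imitates (close to but not equal), else None."""
    for label in host.lower().replace("-", ".").split("."):
        for brand in BRANDS:
            if label != brand and levenshtein(label, brand) <= max_distance:
                return brand
    return None

def find_remote_config_beacons(log_text, min_polls=3):
    """Flag extension-originated JSON fetches that hit typosquatted hosts or poll repeatedly."""
    fetches = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Only requests issued by an extension are of interest here.
        if not rec["initiator"].startswith("chrome-extension://"):
            continue
        if "json" not in rec.get("content_type", ""):
            continue
        fetches[(rec["initiator"], rec["url"])] += 1
    findings = []
    for (initiator, url), n in fetches.items():
        reasons = []
        brand = typosquat_of(urlparse(url).hostname or "")
        if brand:
            reasons.append(f"typosquat of {brand}")
        if n >= min_polls:
            reasons.append(f"polled {n} times")
        if reasons:
            findings.append({"extension": initiator, "url": url, "reasons": reasons})
    return findings
```

Feed real proxy or endpoint telemetry into the same shape and raise an alert on any non-empty result; legitimate extensions rarely poll look-alike domains for JSON.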