More than 100 malicious extensions in the official Chrome Web Store are attempting to steal Google OAuth2 Bearer tokens, deploy backdoors, and carry out ad fraud. Researchers at application security company Socket discovered that the malicious extensions are part of a coordinated campaign that uses the same command-and-control (C2) infrastructure. The threat actor published the extensions under five distinct publisher identities in multiple categories: Telegram sidebar clients, slot machine and Keno games, YouTube and TikTok enhancers, a text translation tool, and utilities. According to the researchers, the campaign uses a central backend hosted on a Contabo VPS, with multiple subdomains handling session hijacking, identity collection, command execution, and monetization operations. Socket has found evidence indicating a Russian malware-as-a-service (MaaS) operation, based on comments in the code for authentication and session theft. The largest cluster, comprising 78 extensions, injects attacker-controlled HTML into the user interface via the ‘innerHTML’ property. The second-largest group, with 54 extensions, uses ‘chrome.identity.getAuthToken’ to collect the victim’s email, name, profile picture, and Google account ID. They also steal the Google OAuth2 Bearer token, a short-lived access token that permits applications to access a user's data or to act on their behalf.