Nasty Chrome extension can steal your passwords and credit card info — what to do


Browser extensions can add new functionality to help you get more done in Google Chrome, Microsoft Edge and other Chromium-based web browsers, but they can also be used to take over your PC or even to infect it with malware.

As reported by BleepingComputer, a new botnet called Cloud9 has been discovered by security researchers at Zimperium. The botnet uses malicious extensions to log keystrokes, steal passwords, inject ads and infect vulnerable computers with malware. Browsers with this malicious extension installed can even be used to launch DDoS attacks designed to take down websites by overwhelming them with traffic.

The Cloud9 browser extension works just like a remote access trojan (RAT) and hackers can use it to remotely execute commands in a victim’s browser once it has been added to either Chrome or Edge.

Distributed through fake programs and Flash Player updates

Unlike with the best Google Chrome extensions, you won’t find Cloud9 on the Chrome Web Store, as this malicious extension would be easily detected and blocked by Google’s security team. Instead, hackers are using some of their most common tactics to trick users into installing it themselves.

In a blog post detailing the findings of its security researchers, Zimperium explains that the most common distribution methods for Cloud9 are “fake executables and malicious websites disguised as Adobe Flash Player updates.”


While these fake executables are likely pirated software that potential victims download to avoid paying for legal versions, fake Adobe Flash Player updates aren’t nearly as popular among hackers as they used to be. This is because Adobe officially ended support for its once ubiquitous Flash Player back in January 2021. At that time, the company behind Photoshop and some of the other best photo editing software recommended that users uninstall Flash Player on their devices to avoid falling victim to fake updates like these.

Even though Adobe Flash Player has since been discontinued, fake websites still use updates for the software to trick unsuspecting users into downloading malware and, in this case, a malicious extension.

Exploiting vulnerabilities to infect Windows devices with malware



Once installed in Chrome or Edge, Cloud9 uses three JavaScript files to collect system information, to mine for cryptocurrency using an infected PC and to carry out DDoS attacks.

This malicious extension can also infect your computer with malware by exploiting known vulnerabilities in Edge and even Internet Explorer. Once malware has been installed on a system running Cloud9, the hackers behind it can log keystrokes to steal passwords entered on your computer. The extension also has a “clipper” module that monitors your system’s clipboard for copied passwords or credit card information.

Cloud9 is even able to inject ads by loading webpages in the background which generates ad revenue for its creators. If your PC has this malicious extension installed, you may notice that it’s running slower than usual — this could be a sign that your system is being used to perform DDoS attacks.

Zimperium’s researchers also observed that Cloud9 is being heavily promoted on hacking forums. Just like with malware-as-a-service, this malicious extension can be used by other cybercriminals to carry out their own attacks — for a price.

How to stay safe from malicious browser extensions


The easiest way to avoid malicious extensions is by making sure you only download new ones from the Chrome Web Store for Google Chrome or from the Microsoft Edge Add-ons store for Microsoft Edge. Still, bad extensions do manage to slip past Google and Microsoft from time to time, which is why you should probably have one of the best antivirus software solutions installed on your PC.

Just like with apps for your smartphone, you should always ask yourself whether or not you really need an extension before installing it. If one seems too good to be true or it offers to give you access to a paid service for free, then there’s a high possibility that it could be malicious. Hackers and other cybercriminals often create fake extensions as a way to gain a foothold on your PC, which is why you need to be careful when installing any new extension.

In a statement to BleepingComputer, a Google spokesperson also recommends ensuring that you have the latest version of Chrome installed on your devices as it will have “the most up-to-date security protections.” This also holds true for Microsoft Edge and any other Chromium-based browser like Opera, Vivaldi and Brave.

For additional protection on Google Chrome, you can also turn on the search giant’s Enhanced Protection feature in the browser’s privacy and security settings. This will help keep you protected from malicious executables while also automatically warning you about risky downloads.
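
As an added example (not from the article or from Zimperium), the Python code below turns the store-only advice above into a check: it lists extensions that a Chrome or Edge profile records as installed from somewhere other than the official store, which is how Cloud9 arrives. The `extensions.settings`, `from_webstore` and `location` field names and the location codes follow Chromium's preference-file format and are assumptions to confirm on your browser version; the sample data is constructed.

```python
import json
from pathlib import Path

# Chromium's install-location codes as stored in the "location" field
# (assumption: based on Chromium's preference format, not on the article).
LOCATIONS = {1: "internal", 2: "external-pref", 3: "external-registry",
             4: "unpacked", 5: "component", 8: "command-line",
             9: "external-policy", 10: "external-component"}
BUILT_IN = {5, 10}  # components shipped with the browser itself


def audit_extensions(prefs: dict) -> list[dict]:
    """Return extensions that were not installed by the user from the store."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, info in sorted(settings.items()):
        location = info.get("location")
        if location in BUILT_IN:
            continue
        if info.get("from_webstore") is True and location == 1:
            continue  # normal store install
        manifest = info.get("manifest") or {}
        findings.append({
            "id": ext_id,
            "name": manifest.get("name", "(manifest not cached)"),
            "source": LOCATIONS.get(location, f"unknown({location})"),
            "path": info.get("path", ""),
        })
    return findings


def audit_profile(profile_dir: str) -> list[dict]:
    """Audit both preference files of one Chrome or Edge profile folder."""
    findings = []
    for name in ("Preferences", "Secure Preferences"):
        file = Path(profile_dir) / name
        if file.is_file():
            findings += audit_extensions(json.loads(file.read_text(encoding="utf-8")))
    return findings


# Constructed sample input: IDs, names and paths are made up.
SAMPLE = {"extensions": {"settings": {
    "a" * 32: {"from_webstore": True, "location": 1,
               "manifest": {"name": "Store password manager"}},
    "b" * 32: {"from_webstore": False, "location": 4,
               "path": "C:\\Users\\demo\\AppData\\Local\\Temp\\flash_update"},
    "c" * 32: {"from_webstore": False, "location": 5,
               "manifest": {"name": "Built-in component"}},
}}}

if __name__ == "__main__":
    for item in audit_extensions(SAMPLE):
        print(item)
```

To run it on a real profile, pass `audit_profile()` the folder shown as "Profile Path" on the browser's `chrome://version` page.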

Anthony Spadafora
Senior Editor Security and Networking
