108 Malicious Chrome Extensions Steal Telegram & Google Data
A large-scale, coordinated campaign of 108 malicious Chrome extensions has harvested credentials, hijacked active sessions, and installed persistent backdoors across approximately 20,000 Chrome Web Store installs, routing all stolen data to a single shared command-and-control (C2) infrastructure.
Socket’s Threat Research Team published findings on April 13, 2026, identifying the extensions as part of a single operation controlled through cloudapi[.]stream, hosted on a Contabo GmbH VPS at 144[.]126[.]135[.]238.
Despite carrying five separate publisher names (Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt), all 108 extensions share the same backend infrastructure, the same C2 endpoints, and in many cases identical malicious code.
Each extension delivered a working product as cover: users installing a Telegram sidebar saw a working chat interface, and users installing a casino game received a playable game, yet all shared the same malicious backend infrastructure. This tactic mirrors patterns observed in earlier browser extension campaigns, where fully functional products are used to lower user suspicion while malicious code executes silently in the background.
The most dangerous extension in the campaign, Telegram Multi-account (obifanppcpchlehkjipahhphbcbjekfa), steals active Telegram Web sessions and transmits them to the threat actor’s server every 15 seconds.
The extension injects a content script into web.telegram.org as soon as the page loads; the script extracts the user_auth token from localStorage and relays it to tg[.]cloudapi[.]stream/save_session.php via a background polling loop.
More critically, the extension supports a reverse operation: the C2 can push a replacement session into the victim’s browser, clearing their active Telegram session and silently swapping it with a threat actor-controlled account, with no password or two-factor authentication required.
A second extension, Teleside (mdcfennpfgkngnibjbpnpaafcjnhcjno), has the full session theft infrastructure in place but is not yet activated, suggesting a staged rollout.
Google Identities Harvested at Scale
54 of the 108 extensions harvest Google account identities the moment a user clicks the sign-in button. Using Chrome’s chrome.identity.getAuthToken API, each extension silently acquires an OAuth2 token, queries Google’s userinfo endpoint, and ships the victim’s email, full name, profile picture, and permanent account identifier (sub) to mines[.]cloudapi[.]stream/auth_google.
The sub value does not change when a user updates their password or email address, according to Socket, giving the operator a permanent, stable identity record for each victim.
Critically, all 54 extensions trace their OAuth2 client IDs to just two Google Cloud project numbers, definitively proving a single operator controls all five publisher identities.
45 extensions contain a loadInfo() backdoor function that executes automatically every time Chrome starts. It contacts mines[.]cloudapi[.]stream/user_info with the extension ID, and if the server returns a URL, the extension silently opens it as a new tab with zero user interaction.
In two extensions, Page Locker and Page Auto Refresh, the function appears stylistically inconsistent with surrounding minified code, indicating it was injected after the original extensions were acquired and repurposed by the threat actor.
Operated as a Malware-as-a-Service Platform
A payment portal at topup[.]cloudapi[.]stream, linked from 78 extensions, now displays a Rodeo Games Studio about page advertising a Chrome Extension monetization business.
This confirms the campaign operates as a Malware-as-a-Service (MaaS) platform, where stolen identities and active sessions are sold to paying customers through a structured CRM backend.
Attribution indicators point to a Ukrainian-Russian operator. Russian-language code comments appear across multiple extension files, and three developer email addresses contain romanized variants.
A copy-paste error in a bundled privacy policy file titled “Privacy Policy – Telegram Sidebar Extension” inside a TikTok extension directly ties multiple publisher accounts to the same author.
What Users Should Do Now
Socket has submitted takedown requests to both the Chrome Web Store and Google Safe Browsing, but all 108 extensions were still live at the time of publication.
Users who installed Telegram Multi-account while using Telegram Web should immediately terminate all active sessions via Telegram mobile → Settings → Devices → Terminate all other sessions.
Those who signed into any of the 54 identity-stealing extensions using Google should revoke unfamiliar app permissions at myaccount.google.com/permissions.
Security teams are advised to block cloudapi[.]stream and all subdomains at the network level, and flag any Chrome extension bundles containing the loadInfo() / infoURL / chrome.tabs.create pattern as high-priority threats.
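A small triage script, added here as an example (it is not Socket's tooling and not code from any of the extensions), that checks an unpacked extension bundle for the indicators described above: the identity permission and oauth2 client ID in the manifest (clustered by Google Cloud project number, assuming the standard `<project-number>-<hash>.apps.googleusercontent.com` client ID format), content scripts targeting web.telegram.org, and script files that reference cloudapi.stream, read the user_auth token from localStorage, or contain the loadInfo() / infoURL / chrome.tabs.create pattern. The bundle is passed in memory so it runs offline; all extension IDs, client IDs and file contents are constructed samples, and the function names are the example's own.

```javascript
// Added example, not Socket's tooling and not code from any of the extensions:
// triage an unpacked Chrome extension bundle for the indicators the report
// describes. A bundle is passed in memory as
//   { id, manifest: <parsed manifest.json>, scripts: { 'file.js': '<source>' } }
// so the script runs offline; the samples at the bottom are constructed.

// Backdoor pattern from the report: flag a file where all three identifiers co-occur.
const BACKDOOR_TOKENS = ['loadInfo', 'infoURL', 'chrome.tabs.create'];

// Reported C2 domain plus any subdomain (tg., mines., topup., ...).
const C2_RE = /\b(?:[a-z0-9-]+\.)*cloudapi\.stream\b/i;

// Google OAuth client IDs look like "<project-number>-<hash>.apps.googleusercontent.com"
// (assumption about the format); the leading digits identify the Google Cloud
// project, which lets extensions under different publisher names be clustered.
function projectNumberFromClientId(clientId) {
  const m = /^(\d+)-[\w-]+\.apps\.googleusercontent\.com$/.exec(clientId || '');
  return m ? m[1] : null;
}

function contentScriptsTargetTelegram(contentScripts = []) {
  return contentScripts.some(cs =>
    (cs.matches || []).some(pattern => pattern.includes('web.telegram.org')));
}

// Returns { id, project, findings: [{ severity, detail }] }.
function scanExtension(bundle) {
  const { id, manifest = {}, scripts = {} } = bundle;
  const findings = [];
  const note = (severity, detail) => findings.push({ severity, detail });

  if ((manifest.permissions || []).includes('identity')) {
    note('info', 'manifest requests the identity permission (OAuth token access)');
  }
  const project = projectNumberFromClientId(manifest.oauth2 && manifest.oauth2.client_id);
  if (project) note('info', `oauth2 client_id belongs to Google Cloud project ${project}`);
  if (contentScriptsTargetTelegram(manifest.content_scripts)) {
    note('medium', 'content script is injected into web.telegram.org');
  }

  for (const [path, src] of Object.entries(scripts)) {
    if (BACKDOOR_TOKENS.every(t => src.includes(t))) {
      note('high', `${path}: loadInfo/infoURL/chrome.tabs.create backdoor pattern`);
    }
    if (C2_RE.test(src)) note('high', `${path}: references cloudapi.stream infrastructure`);
    if (src.includes('localStorage') && src.includes('user_auth')) {
      note('high', `${path}: reads the Telegram Web user_auth token from localStorage`);
    }
  }
  return { id, project, findings };
}

function isHighPriority(result) {
  return result.findings.some(f => f.severity === 'high');
}

// Group scan results by Google Cloud project number so that extensions
// published under different names but sharing one OAuth project stand out.
function clusterByProject(results) {
  const clusters = new Map();
  for (const r of results) {
    if (!r.project) continue;
    if (!clusters.has(r.project)) clusters.set(r.project, []);
    clusters.get(r.project).push(r.id);
  }
  return clusters;
}

// --- Constructed samples (hypothetical IDs, client IDs and file contents) ---
const SUSPECT_A = {
  id: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa',
  manifest: {
    permissions: ['identity', 'tabs', 'storage'],
    oauth2: { client_id: '123456789012-abcdefghijklmnop.apps.googleusercontent.com', scopes: ['openid', 'email', 'profile'] },
    content_scripts: [{ matches: ['https://web.telegram.org/*'], js: ['content.js'] }],
  },
  scripts: {
    'background.js': 'var infoURL; function loadInfo() { /* contacts https://mines.cloudapi.stream/user_info */ }\n'
      + 'chrome.tabs.create({ url: infoURL });',
    'content.js': 'var t = localStorage.getItem("user_auth");',
  },
};
// Same OAuth project under a different (constructed) extension ID, no script files.
const SUSPECT_B = { ...SUSPECT_A, id: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb', scripts: {} };
const BENIGN = {
  id: 'cccccccccccccccccccccccccccccccc',
  manifest: { permissions: ['storage'] },
  scripts: { 'popup.js': 'document.title = "hello";' },
};

if (typeof require !== 'undefined' && require.main === module) {
  const results = [SUSPECT_A, SUSPECT_B, BENIGN].map(scanExtension);
  for (const r of results) {
    console.log(`${r.id} ${isHighPriority(r) ? 'HIGH' : 'ok'}`);
    for (const f of r.findings) console.log(`  [${f.severity}] ${f.detail}`);
  }
  console.log('shared projects:', Object.fromEntries(clusterByProject(results)));
}
```

On a real bundle, read manifest.json with JSON.parse and each .js file into the scripts map; minified code keeps the literal identifiers loadInfo, infoURL and chrome.tabs.create, which is why the substring check works without parsing. The project-number cluster is the quickest way to see whether extensions from unrelated-looking publishers share one operator.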