A coordinated campaign of five malicious Google Chrome extensions has been uncovered targeting enterprise human resources and enterprise resource planning platforms, including Workday, Oracle NetSuite and SAP SuccessFactors. The extensions pose as legitimate productivity and access-management tools and work in concert: they steal authentication session tokens, manipulate administrative interfaces to obstruct incident response, and ultimately enable complete account takeover through session hijacking. Four of the five are linked to the publisher “databycloud1104”; the fifth is published under “software access” but shares the same backend infrastructure. Together they have reached more than 2,300 enterprise users, which indicates both operational scale and a deliberate focus on corporate HR and ERP systems. The campaign combines continuous exfiltration of authentication cookies, deliberate blocking of security-control interfaces, and direct injection of stolen sessions. Because fresh session tokens are stolen continuously while administrators are kept away from credential-rotation, session-management and audit-logging pages, affected organizations can often detect the unauthorized access through anomaly monitoring but cannot contain or remediate it with standard defensive measures.
The extensions are marketed with polished professional branding, reassuring security-focused language and privacy policies that explicitly claim no user data is collected, which lets them blend into the workflows of administrators and consultants who manage multiple enterprise tenants. All five share common technical indicators: identical API communication paths, matching lists of security extensions targeted for interference, and similar code obfuscation and anti-debugging techniques intended to frustrate security research and reverse engineering.
Security researchers have uncovered a coordinated cluster of five malicious Google Chrome extensions engineered to compromise enterprise HR and ERP platforms, with documented targeting of Workday HR management, Oracle NetSuite ERP and SAP SuccessFactors talent management. Presented to victims as productivity enhancements and enterprise access-management utilities, the extensions work together to steal authentication tokens, suppress incident response actions by manipulating administrative interfaces, and enable complete account takeover through session hijacking that sidesteps multi-factor authentication. Four of the five are tied to the Chrome Web Store publisher account “databycloud1104”; the fifth is published as “software access” but relies on the same command-and-control infrastructure and shares common code patterns. Across the five, the campaign has been installed by more than 2,300 enterprise users of HR and ERP platforms, a scale that shows clear intent to establish persistent access to systems holding employee data, payroll information and financial records.
At the implementation level the campaign blends authentication-cookie exfiltration, browser-level DOM manipulation and active session injection. The extensions continuously read the session cookies that keep a user authenticated to Workday, NetSuite and SuccessFactors and transmit them to attacker-controlled command-and-control servers. An extension holding the cookies permission together with host permissions for those sites can read and set cookies through the chrome.cookies API regardless of the HttpOnly flag, so protections that stop in-page scripts from reaching session cookies do not apply here. The more advanced extensions go further and inject previously stolen cookies back into a browser, letting the operator assume a valid authenticated session without knowing the password or triggering the multi-factor challenge that would normally guard a fresh login. In parallel, other extensions in the cluster manipulate the Document Object Model of security-critical administrative pages so that defenders cannot manage active sessions, rotate compromised credentials, review audit logs or apply emergency access controls once monitoring has flagged suspicious activity.
The extensions rely on social engineering through deceptive marketing designed to win the trust of enterprise users and IT administrators. Listings carry polished branding, high-quality mock-up screenshots, detailed feature descriptions stressing productivity benefits, and security-focused language aimed at IT environments concerned with data-protection compliance. Permission requests are shaped to resemble those of legitimate enterprise tooling and productivity extensions, lowering suspicion during installation approval. Most deceptively, every extension publishes a privacy policy explicitly claiming that no user data is collected or misused, and none discloses the cookie harvesting, session monitoring or administrative-interface blocking that constitute its real function. This gap between public claims and actual behaviour lets the extensions blend into corporate browser environments, and the targeting of IT administrators and external consultants who manage authentication across multiple tenants puts privileged access to sensitive systems within reach.
All five extensions share technical indicators that point to coordinated development and operation under a single threat actor. They use identical API paths for command-and-control callbacks, carry matching hard-coded lists of security-focused browser extensions to detect and interfere with, and apply similar JavaScript obfuscation and anti-debugging countermeasures aimed at frustrating analysis and reverse engineering. Some detect when Chrome Developer Tools is opened and respond by disabling debugging or altering execution flow to hide malicious behaviour; others interfere with inspection of password input fields to conceal credential handling. Most concerning, two of the five are dedicated almost entirely to blocking access to security-critical administrative pages on the targeted platforms, so that even when a security operations team detects suspicious authentication patterns or anomalous user behaviour, responders cannot take standard corrective actions such as disabling compromised accounts, forcing credential resets or imposing emergency access restrictions.
The result is a genuine containment problem for affected security teams. Continuous token theft means the attacker always holds fresh, valid session credentials even as older ones expire through normal timeouts, while the blocking of administrative security interfaces strips defenders of the controls they would normally use to contain a breach. An organization may detect the anomalous access through SIEM correlation, user behaviour analytics or impossible-travel alerts and still be unable to disable the compromised accounts, rotate affected credentials or enforce new access policies through the usual administrative channels. In extreme cases documented by the researchers, organizations were left with highly disruptive options: migrating all affected users to new accounts with fresh credentials, rebuilding user profiles from scratch, or temporarily shutting down access to the platforms while the extensions were removed from every potentially compromised endpoint. The campaign highlights the risk inherent in the browser extension model and why close scrutiny of seemingly legitimate productivity add-ons is a core requirement for enterprise security programs.
Remove the identified malicious Chrome extensions immediately: Anyone who installed any of the five extensions (“DataByCloud Access,” “Tool Access 11,” “DataByCloud 1,” “DataByCloud 2,” or “Software Access”) should remove them and then confirm at chrome://extensions that they no longer appear in the installed list. Clearing cookies and cached data afterwards removes any session tokens still present on the endpoint, but it does not invalidate the copies the attacker already holds: the affected users' sessions must also be terminated server-side, through the platform's session management or the identity provider, so that the stolen cookies stop working.
Conduct an enterprise-wide browser extension audit: Inventory every Chrome extension installed across the endpoint fleet and search for the five identified extension IDs (oldhjammhkghhahhhdcifmmlefibciph, ijapakghdgckgblfgjobhcfglebbkebf, makdmacamkifdldldlelollkkjnoiedg, mbjjeombjeklkbndcjgmfcdhfbjngcam, bmodapcihjhklpogdpblefpepjolaoij) as well as anything published under the “databycloud1104” or “Software Access” accounts. Chrome Browser Cloud Management's extension reporting, an endpoint detection tool's inventory query, or a script that reads each Chrome profile's Preferences data can produce the inventory; searching by name as well as by ID catches the same code re-uploaded under a fresh identifier.
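The following audit script is an added example and not tooling from the original advisory. It reads Chrome's per-profile Preferences and Secure Preferences files, where Chrome records installed extensions under extensions.settings, and flags entries that match the five listed IDs or the campaign's product names. SAMPLE_PREFS is constructed: the IDs not on the advisory's list are fabricated, and the pairing of a listed ID with the name “DataByCloud Access” is illustrative rather than taken from the advisory.

```python
"""Audit Chrome user-data directories for the extension IDs and product names
listed in the advisory. Added example, not tooling from the original article;
SAMPLE_PREFS is constructed and its ID-to-name pairing is illustrative."""
import json
import re
import sys
from pathlib import Path

# The five extension IDs named in the advisory.
IOC_EXTENSION_IDS = {
    "oldhjammhkghhahhhdcifmmlefibciph",
    "ijapakghdgckgblfgjobhcfglebbkebf",
    "makdmacamkifdldldlelollkkjnoiedg",
    "mbjjeombjeklkbndcjgmfcdhfbjngcam",
    "bmodapcihjhklpogdpblefpepjolaoij",
}
# Names tied to the campaign; a name match catches the same code re-uploaded
# under a fresh extension ID.
IOC_NAME_RE = re.compile(r"databycloud|software\s*access|tool\s*access", re.IGNORECASE)
STATE = {0: "disabled", 1: "enabled"}  # value of extensions.settings.<id>.state


def find_ioc_extensions(prefs: dict) -> list:
    """Match entries of a parsed Preferences / Secure Preferences document."""
    settings = prefs.get("extensions", {}).get("settings", {})
    hits = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        name = str(manifest.get("name", ""))
        reasons = []
        if ext_id in IOC_EXTENSION_IDS:
            reasons.append("ioc_id")
        if IOC_NAME_RE.search(name):
            reasons.append("ioc_name")
        if reasons:
            hits.append({
                "id": ext_id,
                "name": name,
                "version": manifest.get("version", "?"),
                "state": STATE.get(entry.get("state"), "unknown"),
                "reasons": reasons,
            })
    return hits


def pref_files(user_data_dir: Path):
    """Yield the pref files of every profile. Windows and macOS keep the
    extension list in 'Secure Preferences', Linux in 'Preferences'."""
    if not user_data_dir.is_dir():
        return
    for profile in user_data_dir.iterdir():
        if profile.name == "Default" or profile.name.startswith("Profile "):
            for fname in ("Preferences", "Secure Preferences"):
                f = profile / fname
                if f.is_file():
                    yield f


def audit_user_data_dir(user_data_dir: Path) -> list:
    """Scan every profile under a Chrome user-data directory."""
    results = []
    for f in pref_files(user_data_dir):
        try:
            prefs = json.loads(f.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # locked or half-written file: rerun with Chrome closed
        for hit in find_ioc_extensions(prefs):
            hit.update(profile=f.parent.name, source=f.name)
            results.append(hit)
    return results


# Constructed sample: one listed ID, one benign extension under a fabricated
# ID, and one re-upload of a campaign name under another fabricated ID.
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "oldhjammhkghhahhhdcifmmlefibciph": {
                "manifest": {"name": "DataByCloud Access", "version": "1.2.0"},
                "state": 1,
            },
            "cdefghijklmnopabcdefghijklmnopab": {
                "manifest": {"name": "Sticky Notes", "version": "0.9"},
                "state": 1,
            },
            "pbcdefghijklmnopabcdefghijklmnop": {
                "manifest": {"name": "Software Access", "version": "3.0"},
                "state": 0,
            },
        }
    }
}

if __name__ == "__main__":
    hits = (audit_user_data_dir(Path(sys.argv[1])) if len(sys.argv) > 1
            else find_ioc_extensions(SAMPLE_PREFS))
    for hit in hits:
        print(json.dumps(hit))
```

Run it against the user-data directory of each Chrome installation: %LOCALAPPDATA%\Google\Chrome\User Data on Windows, ~/Library/Application Support/Google/Chrome on macOS, ~/.config/google-chrome on Linux. A disabled extension is still reported, since a user may have disabled rather than removed it and the stolen tokens are already gone.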
Force credential resets and session revocation for all potentially affected platforms: Users who may have been exposed should reset passwords for Workday, Oracle NetSuite, SAP SuccessFactors and any other platform accessed from a potentially compromised browser. A password change alone does not end sessions that are already established, so pair it with revoking the user's active sessions (and refresh tokens where the platform issues them), and apply the same reset at the identity provider if the platforms are reached through single sign-on. Enforce the rotation through the identity management system with a defined deadline rather than relying on users to act on their own.
Implement browser extension allowlisting through enterprise policies: Use Chrome's enterprise policies, delivered through Chrome Browser Cloud Management, Google Workspace, Microsoft Endpoint Manager or group policy, to restrict installation to a pre-approved set so that users cannot install unvetted extensions from the Chrome Web Store without security approval. Chrome exposes this as ExtensionInstallBlocklist (set to “*”) combined with ExtensionInstallAllowlist, or more granularly through ExtensionSettings, which can also block specific permissions such as cookies and keep extensions off the HR/ERP tenant hosts through runtime_blocked_hosts. Establish a formal vetting procedure in which the security team reviews requested permissions and host access, publisher reputation and observed code behaviour before an extension is added to the approved catalogue.
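As an added example for the vetting step, not code from the advisory or from the campaign, the script below triages an extension's manifest.json for the capability mix described earlier in the article: the cookies permission combined with host access to HR/ERP tenants, request-blocking permissions that can deny administrative pages, and content scripts or the scripting permission that can rewrite those pages. TARGET_DOMAINS, the weights and both sample manifests are constructed for illustration; the “Tenant Access Helper” manifest is a hypothetical listing shaped like the behaviour the article describes, not a real extension.

```python
"""Triage a Chrome extension manifest for the capability mix the advisory
describes: cookie access, reach into HR/ERP tenant hosts, request blocking and
page scripting. Added example for the vetting step, not code from the article
or from the campaign; TARGET_DOMAINS and both sample manifests are constructed."""
import json
import re

# Assumption: illustrative domains for the three named platforms. Replace with
# the tenant hostnames your organisation actually uses.
TARGET_DOMAINS = ("workday.com", "myworkday.com", "netsuite.com",
                  "successfactors.com", "successfactors.eu", "sapsf.com")
BLOCKING_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "declarativeNetRequestWithHostAccess"}
# Weights are a local convention for ranking a review queue, not a standard.
WEIGHTS = {"broad": 2, "targets": 2, "cookies": 3, "blocking": 2,
           "content_scripts": 1, "scripting": 1}

_PATTERN_RE = re.compile(r"^(?:\*|https?|wss?|file|ftp)://([^/]+)(?:/.*)?$")


def pattern_host(pattern: str):
    """Host component of a Chrome match pattern ('*' for all hosts), else None."""
    if pattern == "<all_urls>":
        return "*"
    m = _PATTERN_RE.match(pattern)
    return m.group(1) if m else None


def classify_host(host: str):
    """'broad' for a wildcard-all host, the matched target domain, else None.
    Matching is on label boundaries so 'notworkday.com' is not a hit."""
    if host == "*":
        return "broad"
    bare = host[2:] if host.startswith("*.") else host
    for domain in TARGET_DOMAINS:
        if bare == domain or bare.endswith("." + domain):
            return domain
    return None


def reach_of(patterns) -> set:
    """Set of 'broad' and target-domain labels reachable through the patterns."""
    reach = set()
    for p in patterns:
        host = pattern_host(p)
        label = classify_host(host) if host else None
        if label:
            reach.add(label)
    return reach


def triage(manifest: dict) -> dict:
    """Findings, a score and a verdict; higher scores sit closer to the
    cookie-theft-plus-interface-blocking pattern described in the advisory."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    host_patterns = [p for k in ("host_permissions", "optional_host_permissions", "permissions")
                     for p in manifest.get(k, []) if "://" in p or p == "<all_urls>"]
    cs_patterns = [p for s in manifest.get("content_scripts", []) for p in s.get("matches", [])]
    reach = reach_of(host_patterns + cs_patterns)
    cs_reach = reach_of(cs_patterns)
    findings, score = [], 0

    def hit(key, text):
        nonlocal score
        findings.append(text)
        score += WEIGHTS[key]

    if "broad" in reach:
        hit("broad", "host access to all sites")
    targets = sorted(d for d in reach if d != "broad")
    if targets:
        hit("targets", "host access to HR/ERP platforms: " + ", ".join(targets))
    if "cookies" in perms and reach:
        hit("cookies", "chrome.cookies usable on those hosts (read/replay of session cookies)")
    if perms & BLOCKING_PERMS and reach:
        hit("blocking", "request blocking usable on those hosts (can deny admin pages)")
    if cs_reach:
        hit("content_scripts", "content scripts run inside those pages (DOM can be rewritten)")
    if "scripting" in perms and reach:
        hit("scripting", "chrome.scripting can inject code into those pages on demand")
    verdict = "block" if score >= 6 else "review" if score else "pass"
    return {"findings": findings, "score": score, "verdict": verdict}


# Constructed manifest mirroring the described capability mix (not a real listing).
SUSPICIOUS_MANIFEST = {
    "manifest_version": 3,
    "name": "Tenant Access Helper",
    "permissions": ["cookies", "storage", "declarativeNetRequestWithHostAccess", "scripting"],
    "host_permissions": ["https://*.myworkday.com/*", "https://*.netsuite.com/*",
                         "https://*.successfactors.eu/*"],
    "content_scripts": [{"matches": ["https://*.myworkday.com/*"], "js": ["ui.js"],
                         "run_at": "document_start"}],
    "background": {"service_worker": "bg.js"},
}
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Sticky Notes", "permissions": ["storage"]}

if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(m["name"], json.dumps(triage(m), indent=2))
```

The score is deliberately driven by combinations rather than single permissions: cookies alone on an extension with no host access is harmless, and host access to a tenant without cookies or blocking is what many legitimate integrations need. The “block” threshold is where a reviewer should demand the code, not just the listing.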
Deploy network detection for the malicious C2 domains: Alert on DNS queries, proxy CONNECT requests and TLS SNI values for api.databycloud.com, api.software-access.com and their associated subdomains. Match hostnames on label boundaries (the indicator domain itself, or a name ending in “.” followed by it) rather than by substring, so that look-alike names neither slip through nor generate noise. Beyond the known indicators, raise high-priority alerts on outbound connections to newly registered domains, low-reputation hosting providers and domains whose registration details resemble the campaign's infrastructure.
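The following detection routine is an added example rather than tooling from the advisory. It normalizes hostnames from a DNS or proxy log and matches them against the C2 domains on label boundaries, which is the point where substring-based rules go wrong in both directions. Two assumptions are labelled in the code: the log format is a constructed tab-separated layout, and the apex domains databycloud.com and software-access.com are treated as indicators so that every subdomain is caught, whereas the article names only the api.* hosts and their associated subdomains.

```python
"""Flag DNS/proxy log entries whose hostname is, or sits under, one of the
command-and-control domains in the advisory. Added example, not tooling from
the original article; the log format and lines are constructed, and treating
the apex domains (not only the api.* hosts) as indicators is an assumption."""
from typing import Optional

C2_DOMAINS = ("databycloud.com", "software-access.com")


def normalize_host(host: str) -> str:
    """Lower-case, strip a trailing dot and any :port, so DNS query names and
    proxy CONNECT targets compare the same way."""
    host = host.strip().lower().rstrip(".")
    if host.count(":") == 1:  # host:port (IPv6 literals have more colons)
        host = host.split(":", 1)[0]
    return host


def matched_indicator(host: str) -> Optional[str]:
    """Return the indicator domain if host equals it or is a subdomain of it.
    Label-boundary matching avoids the 'notdatabycloud.com' and
    'databycloud.com.evil.example' false positives a substring check gives."""
    host = normalize_host(host)
    for domain in C2_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_log(lines) -> list:
    """Constructed format: '<timestamp>\\t<source ip>\\t<hostname>' per line."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        parts = line.rstrip("\n").split("\t")
        if len(parts) < 3:
            continue  # malformed line; count it separately in a real pipeline
        ts, src, host = parts[0], parts[1], parts[2]
        indicator = matched_indicator(host)
        if indicator:
            hits.append({"line": lineno, "ts": ts, "src": src,
                         "host": normalize_host(host), "indicator": indicator})
    return hits


def affected_sources(hits) -> set:
    """Endpoints that talked to the C2 infrastructure and need the extension audit."""
    return {h["src"] for h in hits}


# Constructed sample lines: two true hits for the api host (one with a port),
# one subdomain hit with a trailing dot, two look-alikes that must not match,
# and one unrelated host.
SAMPLE_LOG = [
    "2025-01-15T09:02:11Z\t10.20.4.17\tapi.databycloud.com",
    "2025-01-15T09:02:12Z\t10.20.4.17\tapi.databycloud.com:443",
    "2025-01-15T09:03:40Z\t10.20.4.52\tcdn.software-access.com.",
    "2025-01-15T09:04:01Z\t10.20.4.52\tnotdatabycloud.com",
    "2025-01-15T09:04:02Z\t10.20.4.52\tdatabycloud.com.evil.example",
    "2025-01-15T09:05:00Z\t10.20.4.90\ttenant.example",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("sources to audit:", sorted(affected_sources(found)))
```

The source addresses that surface here are the endpoints to prioritize in the extension audit, since a C2 callback from a host is evidence that one of the extensions is installed and active there.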
Enforce robust multi-factor authentication and tighten session controls: Ensure MFA is enabled and enforced on Workday, NetSuite, SAP SuccessFactors and every other HR and ERP platform, using phishing-resistant methods such as FIDO2 hardware security keys for administrative and other privileged accounts. Be clear about what it buys: MFA guards the login, not a session whose cookie has already been stolen, which is exactly the path this campaign uses. Reduce the value of a stolen cookie by shortening session lifetimes, requiring re-authentication for sensitive administrative actions such as session management and credential rotation, and adopting device-bound session mechanisms where the platform or identity provider offers them.