Listen to this Post

Security researchers at LayerX Security have uncovered a persistent malware campaign exploiting fake VPN and ad-blocking Chrome extensions to steal sensitive browsing data and manipulate online traffic. Despite repeated removal efforts, these malicious extensions continue to resurface in browser stores, exposing millions of users to serious privacy and security risks. The latest variants remain active, with over 31,000 users still vulnerable.
Fake VPN Extensions Target Users with False Promises
Disguised as “Free Unlimited VPN” services, these extensions claimed to provide anonymity, faster browsing, and unrestricted access to websites. In reality, they operated as advanced surveillance tools. Between 2019 and 2025, multiple variants shared the same infrastructure, branding, and descriptions, such as “VPN Professional Free Secure and Unlimited VPN Proxy.” Even after Chrome removed two versions in May 2025, nearly identical clones appeared by July, demonstrating the resilience of these attacks.
How the Malware Operates
LayerX Security’s analysis revealed that these extensions fetched remote configuration files, altered Chrome’s proxy settings in real time, and intercepted every page users visited. The embedded code allowed attackers to route traffic through proxy servers they controlled. Additionally, the extensions collected browsing data and installed add-on lists, transmitting them to remote servers connected to domains like free-vpn.pro, adsblocker.top, and configanalytics.icu.
Advanced Remote Control Features
The malicious extensions exploited permissions such as webRequest, proxy, and declarativeNetRequest, granting near-total control over browser traffic. Older versions manipulated JavaScript to decode hidden URLs and silently installed remote proxy auto-config (PAC) scripts. Newer iterations introduced stealth tactics, including delayed proxy activation, dynamic code downloads, and the ability to disable competing extensions.
Evasion and Persistence Techniques
PAC files rerouted all user requests through attacker-controlled servers, enabling passive monitoring, content injection, and potential credential theft. The extensions could uninstall themselves when detecting scrutiny and even modify browsing history to conceal traces of their activity. Researchers also identified clones masquerading as music downloaders or ad blockers hosted on domains like okmusic.pro and adscleaner.top, sharing identical code and infrastructure, suggesting a coordinated, ongoing operation.
Hidden Risks in “Free” Browser Tools
This campaign highlights the dangers of seemingly harmless browser extensions. Any tool requesting broad permissions over proxies or network settings can monitor every website visited. Users and enterprises are urged to scrutinize extension permissions, avoid unknown VPN providers, and maintain continuous monitoring to prevent infiltration by malicious software disguised as legitimate privacy tools.
What Undercode Say: Deep Dive Analysis
The persistence of these malicious VPN extensions demonstrates a highly organized and adaptable threat actor operating over multiple years. The repeated resurfacing of near-identical clones indicates that takedowns alone are insufficient; attackers exploit minor variations and timing to stay ahead of detection mechanisms. From a technical perspective, leveraging permissions like webRequest and proxy gives these extensions unprecedented visibility into a user’s online activity, effectively turning browsers into passive surveillance tools.
The use of PAC files to reroute traffic, combined with dynamic code execution, shows a shift toward stealth and evasion. Delayed activation and the ability to disable competing extensions reflect a level of sophistication typically associated with advanced persistent threats rather than casual malware campaigns. Furthermore, the integration of monitoring, data exfiltration, and potential credential theft illustrates that these extensions are not merely annoyances—they are serious security threats capable of compromising sensitive user information.
Organizationally, the campaign’s infrastructure consistency, including repeated use of domains, email addresses, and codebases, signals a professionalized operation rather than opportunistic attacks. This implies financial or strategic motivation behind the campaign, likely tied to data monetization, targeted ad manipulation, or credential resale on underground markets.
The implications for enterprise security are particularly concerning. Employees using even a single compromised browser extension can expose company networks to intrusions. Security policies must extend beyond traditional antivirus solutions to include browser extension monitoring, permission auditing, and ongoing threat intelligence.
Behaviorally, the campaign exploits user trust in “free” tools—a psychological leverage that cybercriminals have long relied upon. Many users associate VPNs and ad blockers with privacy, making them prime targets for social engineering within legitimate-looking software ecosystems. This underscores the necessity for user education alongside technological safeguards.
Looking forward, we can expect attackers to further innovate with machine-learning-assisted evasion, encrypted configuration updates, and more sophisticated methods for bypassing browser store checks. Security teams must anticipate these shifts and adopt proactive monitoring tools, automated anomaly detection, and threat hunting to mitigate evolving risks.
🔍 Fact Checker Results
✅ Malware campaign confirmed by LayerX Security reports
✅ Over 9 million previous installations and 31,000 active users
❌ No evidence that Chrome store alone can fully prevent future variants
📊 Prediction
The resurgence of malicious browser extensions is likely to continue, with attackers refining stealth techniques and expanding into other browsers. Expect an increase in enterprise-targeted campaigns exploiting proxy permissions. Users and organizations investing in continuous monitoring, proactive permission audits, and advanced endpoint protection will be better positioned to defend against evolving browser-based malware threats. 🚨🔒
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.medium.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




