Google Flaw Exposed Phone Numbers of Any User to Attackers
June 10, 2025
Severity
High
Analysis Summary
A new browser-based cyber threat has come to light as a security firm exposes a covert network of malicious Chrome extensions operating as “sleeper agents.” These extensions, which are still available on the Chrome Web Store, have silently infected more than 1.5 million devices worldwide. What makes this campaign especially dangerous is its deceptive nature: the extensions appear to be harmless audio tools like “Sound Booster” or “Volume Master,” yet beneath their surface lies an advanced, hidden malware infrastructure capable of carrying out serious malicious activities.
Investigation reveals that these extensions are not standalone tools but part of a coordinated malware ecosystem. Though marketed as sound management tools, the extensions share a common code base and infrastructure linked to previous malicious add-ons such as “ReadBee.” They leverage encrypted and obfuscated communication techniques, use silent background execution to access URLs, and are capable of receiving remote instructions, all without user knowledge or consent.
One of the standout features is the use of remote configuration files to dynamically control extension behavior after installation. This includes opening arbitrary tabs, fetching new commands, and redirecting users, a method also seen in prior affiliate fraud and spyware campaigns. A key component named ExtStatTracker facilitates coordination between infected systems via Chrome’s internal chrome.storage API, making them act like lightweight, browser-based botnets.
These extensions are published under different anonymous developer accounts, with no official websites or contact information, making attribution and takedown difficult. Despite exhibiting multiple red flags, including detection by VirusTotal, most remain available in the Chrome Web Store, raising concerns about the effectiveness of current browser extension vetting processes.
Impact
- Credential Theft
- Gain Access
Indicators of Compromise
URL
- https://jermikro.com/api/
- https://francjohn.com/api/action/
Remediation
- Remove the identified Chrome extensions from all endpoints immediately.
- Audit all Chrome extensions installed organization-wide and restrict installation permissions.
- Block communication to known malicious domains used by these extensions at the firewall/DNS level.
- Monitor Chrome extension permissions for suspicious behavior (e.g., tab access, external communication).
- Educate employees to avoid installing browser extensions from unknown or unofficial developers.
- Use browser management tools (e.g., Google Workspace Admin, GPO) to enforce extension allowlists.
- Scan infected systems for credential theft or browser-based persistence techniques.
- Enable network monitoring to detect abnormal outbound browser traffic, especially from extensions.
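The remediation steps above can be turned into a repeatable check. The script below is an added example written for this advisory, not code from the advisory or from any vendor: it audits Chrome extension manifests against an organisation allowlist and the permission red flags named above (tab access, broad host access), scans proxy log lines for requests to the two IoC domains listed in this advisory, and emits the Chrome enterprise policy keys (ExtensionInstallAllowlist / ExtensionInstallBlocklist) that enforce an allowlist via GPO or Workspace Admin. The extension IDs, manifests and log lines are constructed sample data; the allowlist values are hypothetical.

```python
"""Audit installed Chrome extensions and proxy logs for the malicious
"sleeper agent" extension campaign (added example, not the advisory's code).

Assumptions (not from the advisory): manifests are Chrome manifest.json
contents keyed by extension ID, the allowlist is the organisation's own set
of approved IDs, and proxy log lines follow a simple constructed format.
"""
import json
import re
from urllib.parse import urlparse

# Domains taken directly from the advisory's Indicators of Compromise.
IOC_DOMAINS = {"jermikro.com", "francjohn.com"}

# API permissions the advisory flags as worth monitoring (tab access and
# the ability to drive navigation / inject scripts). "storage" is deliberately
# excluded: nearly every benign extension requests it, so it adds only noise.
RISKY_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "scripting"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Hypothetical organisation allowlist of approved extension IDs (constructed).
APPROVED_EXTENSION_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def audit_extension(ext_id, manifest, allowlist=APPROVED_EXTENSION_IDS):
    """Return findings for one installed extension and whether to block it.

    An extension is blocked when it is not on the allowlist or references an
    IoC domain; risky/broad permissions are reported for the analyst.
    """
    findings = []
    if ext_id not in allowlist:
        findings.append("not on allowlist")
    perms = set(manifest.get("permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("broad host permissions")
    # Any IoC domain anywhere in the manifest (host patterns, CSP, URLs).
    ioc_hits = sorted(d for d in IOC_DOMAINS if d in json.dumps(manifest))
    if ioc_hits:
        findings.append("references IoC domain(s): " + ", ".join(ioc_hits))
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "findings": findings,
        "block": bool(ioc_hits) or ext_id not in allowlist,
    }


# Constructed proxy log format: <timestamp> <host> <user> <method> <url> <status>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines, ioc_domains=IOC_DOMAINS):
    """Return (endpoint, url) pairs for requests to IoC domains or subdomains."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        domain = (urlparse(m.group("url")).hostname or "").lower()
        if any(domain == d or domain.endswith("." + d) for d in ioc_domains):
            hits.append((m.group("host"), m.group("url")))
    return hits


def build_extension_policy(allowlist):
    """Chrome enterprise policy enforcing an allowlist: block everything ("*")
    except the approved IDs. Deploy via GPO or Google Workspace Admin."""
    return {
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(allowlist),
    }


# Constructed sample data: a lookalike "audio tool" and an approved extension.
SAMPLE_MANIFESTS = {
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "Sound Booster",
        "manifest_version": 3,
        "permissions": ["storage", "tabs", "scripting"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Corp Password Manager",
        "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://vault.example.com/*"],
    },
}

SAMPLE_PROXY_LOG = [
    "2025-06-10T09:01:02Z ws-042 jdoe GET https://jermikro.com/api/ 200",
    "2025-06-10T09:01:05Z ws-042 jdoe GET https://www.example.com/ 200",
    "2025-06-10T09:02:17Z ws-117 asmith POST https://francjohn.com/api/action/ 200",
    "malformed line",
]

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        print(audit_extension(ext_id, manifest))
    print(scan_proxy_log(SAMPLE_PROXY_LOG))
    print(json.dumps(build_extension_policy(APPROVED_EXTENSION_IDS), indent=2))
```

On a real fleet, feed `audit_extension` the manifest.json of each entry under the user's Chrome `Extensions` profile directory, and feed `scan_proxy_log` your proxy or DNS resolver logs; endpoints appearing in the proxy hits are the ones to prioritise for the credential-theft and persistence checks listed above.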