Malicious Chrome Extensions Impersonate Fortinet, YouTube, and VPN Services to Steal Your Data
A recently uncovered cyberattack campaign has highlighted a growing threat: more than 100 malicious Chrome extensions have been identified, masquerading as legitimate tools such as Fortinet, YouTube, DeepSeek AI, and various VPN services. Although these extensions appear trustworthy, they are designed to exfiltrate sensitive data, manipulate network traffic, and grant attackers control over browsing sessions.
An impersonation-based campaign
These malicious extensions are distributed through a carefully crafted network of domains that mimic authentic products or services. Domains such as forti-vpn[.]com, youtube-vision[.]com, and deepseek-ai[.]link are used to build trust by associating themselves with well-known brands and tools. Users searching for enhanced VPN services or more advanced AI tools are drawn to these professional-looking websites and Chrome Web Store listings.
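One practical way to catch this pattern on the network side is to flag any domain that embeds a brand name but is not registered to that brand. The script below is an added example, not code from the original article: it scans a few constructed proxy log lines for look-alike hosts, using the three campaign domains named above (written without the [.] defanging so they match) together with an assumed table of the domains each brand actually owns.

```python
"""Flag proxy/DNS log entries whose hostnames borrow a brand name without
belonging to that brand's real domains.

Added example, not code from the original article. The log lines and the
BRAND_DOMAINS table are constructed for illustration; the three look-alike
domains come from the campaign described above.
"""
import re
from urllib.parse import urlsplit

# Brand tokens an impersonation domain is likely to embed, mapped to the
# registrable domains the brand actually controls (assumed table; extend it
# for the brands your users rely on).
BRAND_DOMAINS = {
    "forti": {"fortinet.com", "forticloud.com"},
    "youtube": {"youtube.com", "youtu.be"},
    "deepseek": {"deepseek.com"},
}

# Constructed proxy log lines: timestamp, client IP, requested URL.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z 10.0.0.21 https://www.youtube.com/watch?v=abc
2024-05-01T09:12:41Z 10.0.0.21 https://forti-vpn.com/download/setup.crx
2024-05-01T09:13:05Z 10.0.0.34 https://youtube-vision.com/api/v1/config
2024-05-01T09:14:17Z 10.0.0.34 https://support.fortinet.com/kb
2024-05-01T09:15:50Z 10.0.0.40 https://deepseek-ai.link/api/check
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for this example; use a
    public-suffix library when processing real data."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_lookalike(host: str):
    """Return the brand token a host impersonates, or None when the host is
    unrelated to every tracked brand or genuinely belongs to the brand."""
    host = host.lower()
    reg = registrable_domain(host)
    for token, legit in BRAND_DOMAINS.items():
        if token in host and reg not in legit:
            return token
    return None


def scan_log(text: str):
    """Parse log lines and return (client_ip, host, brand) for every hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, client, url = m.groups()
        host = urlsplit(url).hostname or ""
        token = brand_lookalike(host)
        if token:
            hits.append((client, host, token))
    return hits


if __name__ == "__main__":
    for client, host, token in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {host} (impersonates '{token}')")
```

The check deliberately treats a brand's own subdomains (support.fortinet.com, www.youtube.com) as clean, so it only raises the registrable domains that borrow the name; tune the BRAND_DOMAINS table rather than the matching logic when it over- or under-reports.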
How the malicious extensions operate
Once installed, these extensions establish communication with remote servers controlled by the attackers. They then begin collecting browsing cookies, session tokens, and other valuable information. Using this data, attackers can impersonate users, hijack sessions, and gain access to sensitive accounts.
In addition, these extensions can receive and execute commands in real time, allowing attackers to:
Redirect traffic to phishing websites
Inject malicious advertisements or pop-ups
Act as a proxy to route traffic through the infected device
Conduct “man-in-the-browser” attacks
A threat to both businesses and individuals
This type of attack is particularly concerning in professional environments, where a compromised browser can serve as an entry point to business applications, messaging systems, customer data platforms, and more. Many organizations do not strictly manage browser extensions, allowing employees to install seemingly useful plugins that may, in fact, be dangerous.
How to protect yourself
To mitigate the risks posed by these malicious extensions, it is recommended to:
Restrict extension installation: Use Chrome enterprise policies to allow only pre-approved extensions.
Regularly audit installed extensions: Periodically review the extensions installed on employees’ browsers.
Monitor network activity: Detect anomalies in outbound traffic, especially toward suspicious or low-reputation domains.
Train employees: Raise awareness among staff about the risks of third-party extensions and how to identify fraudulent tools.
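The first two recommendations can be turned into concrete checks. The script below is an added example, not code from the article or from Chrome's own tooling: it builds an ExtensionSettings enterprise policy that blocks every extension except a pre-approved list, and it audits extension manifests for the permission combinations that the capabilities described above (cookie theft, traffic redirection, proxying, man-in-the-browser) require. The extension IDs and manifests are constructed; the policy keys are real Chrome policy names, while the mapping of capabilities to permissions and the Windows install path in the comment are assumptions.

```python
"""Two checks from the recommendations above, as an added example (not code
from the article): (1) build a Chrome enterprise ExtensionSettings policy that
blocks all extensions except a pre-approved list, and (2) audit extension
manifests for the permission sets the campaign's capabilities depend on.

The extension IDs and manifests are constructed. ExtensionSettings,
installation_mode and blocked_install_message are real Chrome policy names;
the capability-to-permission mapping is the author's assumption.
"""
import json

# Capabilities attributed to the extensions in the article, paired with the
# manifest permissions that make each one possible (assumed mapping).
CAPABILITY_PERMISSIONS = {
    "cookie/session theft": {"cookies"},
    "traffic redirection": {"webRequest", "webRequestBlocking", "declarativeNetRequest"},
    "proxying through the device": {"proxy"},
    "man-in-the-browser": {"scripting", "debugger"},
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def build_extension_policy(approved_ids, message="Only IT-approved extensions may be installed."):
    """Return the ExtensionSettings policy value: block by default, allow the given IDs."""
    settings = {"*": {"installation_mode": "blocked", "blocked_install_message": message}}
    for ext_id in approved_ids:
        settings[ext_id] = {"installation_mode": "allowed"}
    return {"ExtensionSettings": settings}


def host_scope(manifest):
    """Collect host patterns from MV2 'permissions', MV3 'host_permissions'
    and content-script 'matches' entries."""
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    return hosts


def audit_manifest(manifest):
    """Return the capabilities a manifest's permissions would enable, whether it
    has broad host access, and a combined 'review' flag for the risky pairing."""
    perms = set(manifest.get("permissions", []))
    caps = [c for c, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]
    broad = bool(host_scope(manifest) & BROAD_HOSTS)
    return {"name": manifest.get("name", "?"), "capabilities": caps,
            "broad_hosts": broad, "review": bool(caps) and broad}


# Constructed manifests: one benign, one shaped like the campaign's extensions.
SAMPLE_MANIFESTS = [
    {"name": "Tab Counter", "manifest_version": 3, "permissions": ["storage"]},
    {"name": "Forti VPN Helper", "manifest_version": 3,
     "permissions": ["cookies", "proxy", "webRequest", "scripting"],
     "host_permissions": ["<all_urls>"],
     "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]},
]

if __name__ == "__main__":
    # Placeholder 32-character extension ID; replace with your approved IDs.
    print(json.dumps(build_extension_policy(["abcdefghijklmnopabcdefghijklmnop"]), indent=2))
    # Installed manifests on Windows are typically found under (assumed path)
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json
    for m in SAMPLE_MANIFESTS:
        print(audit_manifest(m))
```

The policy output is the JSON value to deploy under the ExtensionSettings key through your management platform; the audit deliberately flags only the pairing of a dangerous permission with broad host access, because a cookie or webRequest permission confined to a single site is far less useful to an attacker than one that applies everywhere.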
Conclusion
This campaign highlights that browser extensions—once considered simple productivity tools—can now represent a serious security threat. Attackers are becoming increasingly sophisticated, exploiting users’ trust in seemingly legitimate products.
Remaining vigilant and treating browser security as a core component of an overall cybersecurity strategy is essential.