A widespread browser campaign has infected millions of users through seemingly harmless “Free Unlimited VPN” Chrome extensions. These malicious tools, which collectively garnered over 9 million installations, operated for nearly six years, secretly hijacking user traffic and stealing sensitive browsing data. Research by LayerX Security analysts uncovered this sophisticated operation, highlighting the significant risks associated with free VPN services and the vulnerabilities inherent in browser extension security.
The campaign, active from 2019 to May 2025, involved at least three distinct, yet nearly identical, malicious extensions. These extensions were marketed as simple, one-click solutions for online privacy, but instead functioned as sophisticated proxy systems. They communicated with attacker-controlled servers to dynamically alter proxy settings, intercepting all user web traffic and exfiltrating personal information, including login credentials and financial data.
Malicious ‘Free’ VPN Extension Caught Hijacking User Traffic
The malicious ‘Free’ VPN extension campaign primarily involved two versions, Extension A and Extension B, both sharing the support domain free-vpn.pro. Extension A was created in September 2019, and Extension B followed in May 2020. Both exhibited the same core malicious behavior: redirecting user traffic through unauthorized servers controlled by the attackers. This allowed the operators to gain unrestricted access to users’ online activities and sensitive data.
Following the detection and removal of these initial versions, a third nearly identical extension, Extension C, emerged just two months later in July 2025. This rapid reappearance suggests that the operators remain committed to their surveillance infrastructure and are actively working to evade security measures.
A key finding from LayerX Security analysts was the evolution of the malware’s tactics. The later versions, particularly Extension C, demonstrated advanced evasion techniques designed to bypass security research tools and processes. This includes implementing short delays before activating the proxy functionality and dynamically downloading and executing malicious code at runtime.
Stealthy Evasion and Dynamic Control Techniques
Extension C employed specific methods to avoid detection and maintain persistent control over a user’s browser. According to the LayerX Security report, this version introduced two-second delays before proxy activation, a technique likely aimed at circumventing sandbox-based analysis tools commonly used in cybersecurity. This delay made it harder for automated systems to identify the malicious behavior during initial inspection.
Furthermore, the extension performed dynamic code execution, downloading its core proxy routing logic only when needed. This prevented static code analysis from fully revealing the extent of the attack chain prior to runtime. The malware also actively scanned for and disabled competing proxy tools installed on the user’s browser, ensuring it had exclusive control over the traffic flow.
To maintain its presence and evade browser security mechanisms, the malicious extension injected “keepalive” scripts into browser tabs. This helped prevent Chrome’s security features from unloading the malicious background worker processes. In parallel, it employed history tampering techniques, specifically using `history.replaceState()`, to erase forensic evidence of the redirection operations. This made it significantly more challenging for investigators to trace the malicious activity.
The extension also expertly manipulated proxy settings through remotely controlled PAC (Proxy Auto-Config) scripts. This allowed attackers to dynamically redirect victims to phishing pages or advertisement farms without the user’s knowledge or interaction. This dynamic control mechanism enabled post-installation behavior modifications, allowing the operators to alter the extension’s malicious functions even after it had been approved by the Chrome Web Store review process.
These findings underscore critical security weaknesses within the architecture of browser extensions. When granted broad permissions and subjected to insufficient runtime oversight, extensions can transform from ostensibly useful tools into covert surveillance platforms. Users who opt for free VPN services are exposed to substantial risks, as these operators possess the capability to intercept all internet traffic, harvest credentials, and initiate targeted follow-up attacks, all while maintaining complete remote control over the compromised browsers.
The ongoing evolution of these malicious browser extensions highlights the need for enhanced security measures and user education. As attackers develop increasingly sophisticated evasion techniques, browser vendors and security researchers face an ongoing challenge in identifying and mitigating such threats. Users are strongly advised to exercise extreme caution when installing free browser extensions, particularly those related to privacy and security, and to prioritize reputable, well-vetted services over free alternatives.