HackMyIP
2025-07-09 Ars Technica

Browser Extensions Hijack 1M Browsers for Scraping Bots

Tags: Malware, Privacy, Supply Chain

Cisco Talos researchers have uncovered a coordinated campaign that weaponized four Chrome and Edge extensions—PDF Merger, WebScrap, FastFill, and ReadableView—collectively installed on nearly one million devices. The add‑ons, advertised as productivity tools, were removed from the Chrome Web Store and Microsoft Edge Add‑ons marketplace after Talos notified Google and Microsoft in early March 2025. The extensions turned infected browsers into covert website‑scraping bots, silently harvesting login credentials, session tokens, and personal data on a massive scale.

The malicious behavior relied on a Windows WebView2 window hidden from the user’s taskbar and screen. By invoking the WebView2 control with a zero‑size viewport, the extensions loaded target sites through a CORS proxy hosted on an attacker‑controlled domain, bypassing same‑origin restrictions. Each scraped page was then compressed with gzip, encrypted with AES‑256 in GCM mode, and exfiltrated to a command‑and‑control (C2) server as a JSON‑encoded payload over HTTPS. The C2 instructions, fetched every few minutes, told the extension which URLs to fetch, which form fields to capture, and how often to report back, effectively turning the browser into an autonomous scraping botnet.

The harvested data included over 200 GB of HTML, cookies, and form data per day, which the threat actors used for credential stuffing, account takeover, and resale on dark‑web marketplaces. The campaign’s scale and stealth allowed it to operate undetected for weeks, despite the extensions requesting only innocuous permissions such as "read your browsing history." Endpoint telemetry revealed anomalous outbound traffic on ports 443 and 8080, with recurring HTTPS POST requests to a handful of suspicious domains that were not linked to any legitimate service.

The incident underscores the supply‑chain risk inherent in browser extensions and the privacy implications of granting broad permissions to third‑party code. Security teams should audit installed extensions against the principle of least privilege, monitor for unusual outbound HTTPS traffic patterns, and enforce the newer Extension Manifest V3 (MV3) restrictions where possible. Organizations can also deploy endpoint detection and response (EDR) rules that flag WebView2 initialization from non‑standard processes and detect the use of hidden windows. Prompt removal of the malicious extensions and rotation of potentially compromised credentials remain the most immediate remediation steps.
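As an added illustration of the traffic-monitoring advice above (example code written for this summary, not from Talos, Google, Microsoft or Ars Technica): a small detector that groups outbound HTTPS POSTs per process and destination and flags destinations that are polled at a near-constant interval, the pattern a C2 check-in "every few minutes" leaves in endpoint telemetry. The telemetry lines, process names and hostnames are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed telemetry (not from the article): timestamp, process, host:port, method.
# The msedge.exe rows mimic a C2 poll every ~5 minutes; the chrome.exe rows are irregular.
SAMPLE_TELEMETRY = """\
2025-03-02T10:00:03Z msedge.exe updates.example-cdn.test:443 POST
2025-03-02T10:02:10Z chrome.exe sso.corp.example:443 POST
2025-03-02T10:02:40Z chrome.exe sso.corp.example:443 POST
2025-03-02T10:05:01Z msedge.exe updates.example-cdn.test:443 POST
2025-03-02T10:10:04Z msedge.exe updates.example-cdn.test:443 POST
2025-03-02T10:15:02Z msedge.exe updates.example-cdn.test:443 POST
2025-03-02T10:18:55Z chrome.exe sso.corp.example:443 POST
2025-03-02T10:20:03Z msedge.exe updates.example-cdn.test:443 POST
2025-03-02T10:47:30Z chrome.exe sso.corp.example:443 POST
"""

def parse_telemetry(text):
    """Parse one event per line into (timestamp, process, host, port, method)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dst, method = line.split()
        host, port = dst.rsplit(":", 1)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proc, host, int(port), method))
    return events

def find_beacons(events, min_posts=4, max_cv=0.2, ports=(443, 8080)):
    """Flag (process, host, port) tuples that receive near-regularly spaced POSTs: a scheduled
    C2 poll has a low coefficient of variation between gaps, human browsing does not."""
    posts = defaultdict(list)
    for ts, proc, host, port, method in events:
        if method == "POST" and port in ports:
            posts[(proc, host, port)].append(ts)
    findings = []
    for (proc, host, port), stamps in posts.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else 0.0
        if cv <= max_cv:
            findings.append({"process": proc, "host": host, "port": port,
                             "posts": len(stamps), "period_s": round(period), "cv": round(cv, 3)})
    return findings
```

Run `find_beacons(parse_telemetry(SAMPLE_TELEMETRY))` to get the one flagged destination; in production the same logic runs over proxy or EDR network events, and a hit is a prompt to check which extension or process owns that connection rather than a verdict on its own.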

Source: Ars Technica
