Five Malicious Chrome Extensions Target Enterprise HR and ERP Platforms for Full Account Takeover

Socket's Threat Research Team has identified a coordinated malware campaign involving five malicious Chrome extensions targeting enterprise HR and ERP platforms, including Workday, NetSuite, and SAP SuccessFactors.

The extensions have collectively reached over 2,300 users and employ complementary attack mechanisms to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking.

Coordinated Malware Portfolio

Four extensions operate under the publisher name databycloud1104, while the fifth uses different branding (softwareaccess) but shares identical infrastructure patterns.

Access surfaces session token extraction and undisclosed network exfiltration. (Source: Socket)

The extensions masquerade as productivity tools promising streamlined access to enterprise platforms and multi-account management.

All five request standard permissions that appear legitimate during installation, with privacy policies falsely claiming no data collection despite implementing comprehensive credential theft mechanisms.

The extensions demonstrate sophisticated development with version progression showing active maintenance.

Data By Cloud 2 (v3.3) has the most extensive distribution, with 1,000 users, and blocks 56 administrative pages, 27% more than Tool Access 11 (v1.4).

Data By Cloud 1 (v3.2) adds anti-debugging capabilities, while Software Access (v1.4) implements bidirectional cookie manipulation for direct session hijacking.

The campaign deploys three distinct attack types working in concert. Cookie exfiltration extensions extract session authentication tokens and transmit them to remote servers every 60 seconds via encrypted command-and-control channels.

The extensions implement persistent monitoring via cookie change listeners and alarms that verify the login state, ensuring that threat actors maintain current credentials even as users reauthenticate during everyday workflows.
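One way to surface the 60-second exfiltration cadence described above in web-proxy logs, as an added example that is not Socket's code or the extensions' own: it groups requests per client and destination, flags hosts contacted at a near-constant interval close to 60 s, and checks them against the C2 domains named in this report. The log format and sample lines are constructed.

```python
# Flag fixed-interval beaconing in web-proxy logs. Added example, not the
# report's or the extensions' code: the 60 s cadence and C2 hostnames come
# from the report; the log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: timestamp, client IP, destination host, path.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00Z 10.1.2.3 api.databycloud.com /api/v1/mv3
2024-05-01T09:00:04Z 10.1.2.3 www.example.com /
2024-05-01T09:01:00Z 10.1.2.3 api.databycloud.com /api/v1/mv3
2024-05-01T09:01:31Z 10.1.2.3 www.example.com /news
2024-05-01T09:02:00Z 10.1.2.3 api.databycloud.com /api/v1/mv3
2024-05-01T09:03:01Z 10.1.2.3 api.databycloud.com /api/v1/mv3
2024-05-01T09:04:00Z 10.1.2.3 api.databycloud.com /api/v1/mv3
2024-05-01T09:07:12Z 10.1.2.3 www.example.com /news/2
"""

# C2 hosts named in the report's indicators of compromise.
KNOWN_C2 = {"api.databycloud.com", "api.software-access.com"}

def parse_proxy_log(text):
    """Yield (timestamp, client, host, path); skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        yield ts, parts[1], parts[2], parts[3]

def find_beacons(text, period=60.0, tolerance=2.0, min_hits=4):
    """Return {(client, host): mean gap} for near-constant ~period-second contact."""
    stamps = defaultdict(list)
    for ts, client, host, _ in parse_proxy_log(text):
        stamps[(client, host)].append(ts)
    beacons = {}
    for key, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Near-constant gaps with the expected mean: a timer, not a person.
        if abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            beacons[key] = mean(gaps)
    return beacons

def is_known_c2(host):
    """True when a beaconing host matches a C2 domain from the report."""
    return host in KNOWN_C2
```

Unknown hosts that beacon on a timer deserve the same scrutiny as the listed domains, since the report notes the actor rotates disposable infrastructure.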

DOM manipulation extensions block access to administrative interfaces by erasing page content and redirecting to malformed URLs.

Tool Access 11 targets 44 pages, including authentication management, security policy configuration, and session controls.

Data By Cloud 2 expands this to 56 pages by adding password changes, account deactivation, 2FA device management, and security audit log access.

The extensions use MutationObservers to monitor page content every 50 milliseconds, ensuring continuous blocking even in single-page applications.

Software Access implements the most sophisticated attack through bidirectional cookie manipulation.

The extension both exfiltrates authentication tokens and receives stolen cookies from its command-and-control server, then injects them into the browser using chrome.cookies.set() to enable direct session hijacking.

This eliminates authentication requirements, allowing threat actors to access compromised accounts without passwords while bypassing multi-factor authentication.

The extensions include identical lists of 23 security-focused Chrome extensions they monitor for presence, including EditThisCookie, Cookie-Editor, ModHeader, Redux DevTools, and SessionBox.

The chrome.management API enumerates installed extensions and reports findings to command-and-control servers, allowing threat actors to assess whether security tools might interfere with credential theft.

Data By Cloud 1 and Software Access incorporate the DisableDevtool library to prevent code inspection through browser developer tools.

The library detects modifications to RegExp.prototype.toString(), property inspection, window size comparisons, and performance timing analysis to identify debugging attempts.

Software Access adds password field protection that prevents users from changing input types to inspect credential values, reverting any such attempts within one second.

The coordinated deployment creates a persistent account compromise that survives standard incident response procedures.

Security teams can detect unauthorized access through SIEM alerts or authentication anomalies, but every standard remediation action is blocked.

Organizations face containment failure scenarios where administrators cannot rotate credentials, deactivate accounts, remove trusted devices, or modify security policies because the extensions intercept and block these functions.

The campaign explicitly targets Workday's sandbox environment (workdaysuv.com), which is used for testing security configuration changes before production deployment.

By blocking security pages in the sandbox, the extensions prevent validation of password policy changes, authentication updates, or other security improvements, forcing organizations to either deploy untested changes directly to production or abandon security improvements entirely.

Infrastructure Verification

Infrastructure verification (Source: Socket)

Users should immediately remove matching extensions, review authentication history for unexpected access, and perform password resets from clean systems.

Chrome sync settings must be turned off on all devices before removal to prevent reinstallation.

Security teams should implement Chrome Enterprise extension allowlists to prevent unauthorized installations and block identified command-and-control domains via web proxy or DNS filtering.

Authentication logs require auditing for simultaneous sessions from multiple IPs or geographically inconsistent access patterns.
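An added example (not from Socket or the report) of the authentication-log audit just described: it replays login, activity and logout events per user and flags activity from a second IP while a session is already live, or activity with no preceding login at all, which is what a replayed session cookie looks like server-side. The log format and lines are constructed.

```python
# Audit authentication logs for hijacked sessions. Added example, not
# Socket's code: replays login/activity/logout events per user and flags
# activity from a second IP while a session is live, or activity with no
# preceding login (what a replayed session cookie looks like server-side).
# The log format and sample lines are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample: timestamp, user, source IP, event.
SAMPLE_AUTH_LOG = """\
2024-05-01T08:55:10Z alice 10.1.2.3 LOGIN
2024-05-01T09:02:44Z alice 203.0.113.7 ACTIVITY
2024-05-01T09:03:01Z alice 203.0.113.7 ACTIVITY
2024-05-01T09:10:00Z bob 10.1.2.9 LOGIN
2024-05-01T09:15:00Z carol 198.51.100.77 ACTIVITY
2024-05-01T09:30:00Z alice 10.1.2.3 LOGOUT
2024-05-01T09:40:00Z bob 10.1.2.9 LOGOUT
2024-05-01T09:41:00Z bob 198.51.100.5 LOGIN
"""

def parse_auth_log(text):
    """Return (timestamp, user, ip, event) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
        events.append((ts, parts[1], parts[2], parts[3]))
    return sorted(events)

def audit_sessions(text):
    """Return [(user, timestamp, finding, ips)] for suspicious session use."""
    findings = []
    live = defaultdict(set)  # user -> IPs currently holding a session
    for ts, user, ip, event in parse_auth_log(text):
        ips = live[user]
        if event == "LOGOUT":
            ips.discard(ip)
            continue
        if event == "ACTIVITY" and not ips:
            # Session in use although this user never authenticated here.
            findings.append((user, ts, "activity-without-login", (ip,)))
        seen_before = len(ips)
        ips.add(ip)
        if len(ips) > 1 and len(ips) > seen_before:
            # A new IP joined while another session was still live.
            findings.append((user, ts, "concurrent-ips", tuple(sorted(ips))))
    return findings
```

Bob's sequential sessions from two addresses are not flagged; only overlap in time, or use without authentication, is.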

domain shows a 404 Not Found error (Source: Socket)

Socket advises security teams to validate policy deployment status across endpoints, as restrictions on browser extensions can interfere with administrative configuration workflows, as outlined in browser security policy management documentation.

Indicators of Compromise

| Indicator Type  | Value                            | Notes                           |
|-----------------|----------------------------------|---------------------------------|
| Publisher Name  | databycloud1104                  | Registered for four extensions  |
| Publisher Email | admin@databycloud.com            | Associated with databycloud1104 |
| Publisher Name  | softwareaccess                   | Registered for one extension    |
| Publisher Email | softwareaccess0908@gmail.com     | Associated with softwareaccess  |
| Extension ID    | oldhjammhkghhahhhdcifmmlefibciph | DataByCloud Access v1.6         |
| Extension ID    | ijapakghdgckgblfgjobhcfglebbkebf | Tool Access 11 v1.4             |
| Extension ID    | makdmacamkifdldldlelollkkjnoiedg | Data By Cloud 2 v3.3            |
| Extension ID    | mbjjeombjeklkbndcjgmfcdhfbjngcam | Data By Cloud 1 v3.2            |
| Extension ID    | bmodapcihjhklpogdpblefpepjolaoij | Software Access v1.4            |
| C2 Domain       | api.databycloud.com              | Cookie exfiltration endpoint    |
| C2 Path         | /api/v1/mv3                      | MV3 manifest version indicator  |
| C2 Domain       | api.software-access.com          | Bidirectional C2 infrastructure |
| WebSocket       | wss://api.software-access.com    | Real-time communication         |
| Target Cookie   | __session                        | Authentication token name       |
| Blocked Domain  | workdaysuv.com                   | Workday sandbox environment     |

The campaign maps to MITRE ATT&CK techniques T1539 (Steal Web Session Cookie), T1185 (Browser Session Hijacking), T1176.001 (Browser Extensions), T1027 (Obfuscated Files or Information), and T1562.001 (Disable or Modify Tools).

| Technique ID | Technique Name                  |
|--------------|---------------------------------|
| T1539        | Steal Web Session Cookie        |
| T1185        | Browser Session Hijacking       |
| T1176.001    | Browser Extensions              |
| T1027        | Obfuscated Files or Information |
| T1562.001    | Disable or Modify Tools         |

All five extensions remain under investigation with takedown requests submitted to Google’s Chrome Web Store security team.

Similar patterns targeting other enterprise platforms should be anticipated as the threat actor maintains disposable infrastructure and complementary capabilities across multiple publisher identities.


The post Five Malicious Chrome Extensions Target Enterprise HR and ERP Platforms for Full Account Takeover appeared first on Cyber Security News.
