1. Home
  2. Techniques
  3. Enterprise
  4. Software Extensions
  5. Browser Extensions

Software Extensions: Browser Extensions

ID Name
T1176.001 Browser Extensions
T1176.002 IDE Extensions

Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the web browser's permissions previously granted.[1][2]

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores, so it may not be difficult for malicious extensions to defeat automated scanners.[3] Depending on the browser, adversaries may also manipulate an extension's update url to install updates from an adversary-controlled server or manipulate the mobile configuration file to silently install additional extensions.

Adversaries may abuse how chromium-based browsers load extensions by modifying or replacing the Preferences and/or Secure Preferences files to silently install malicious extensions. When the browser is not running, adversaries can alter these files, ensuring the extension is loaded, granted desired permissions, and will persist in browser sessions. This method does not require user consent and extensions are silently loaded in the background from disk or from the browser's trusted store.[4]

Previous to macOS 11, adversaries could silently install browser extensions via the command line using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the use of the profiles tool can no longer install configuration profiles; however, .mobileconfig files can be planted and installed with user interaction.[5]

Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into a browser (including credentials), and be used as an installer for a RAT for persistence.[6][7][8][9]

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for Command and Control.[10][11] Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for Defense Evasion.[12][13]

ID: T1176.001
Sub-technique of:  T1176
Tactic: Persistence
Platforms: Linux, Windows, macOS
Contributors: Gordon Long, LegioX/Zoom, asaurusrex
Version: 1.1
Created: 30 March 2025
Last Modified: 22 September 2025
Version Permalink

Procedure Examples

ID Name Description
S0482 Bundlore

Bundlore can install malicious browser extensions that are used to hijack user searches.[14]
S0531 Grandoreiro

Grandoreiro can use malicious browser extensions to steal cookies and other user information.[15]
G0094 Kimsuky

Kimsuky has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.[16][17]
S1213 Lumma Stealer

Lumma Stealer has installed a malicious browser extension to target Google Chrome, Microsoft Edge, Opera and Brave browsers for the purpose of stealing data.[18]
S1122 Mispadu

Mispadu utilizes malicious Google Chrome browser extensions to steal financial data.[19]
S0402 OSX/Shlayer

OSX/Shlayer can install malicious Safari browser extensions to serve ads.[20][21]
S1201 TRANSLATEXT

TRANSLATEXT has the ability to capture credentials, cookies, browser screenshots, etc. and to exfiltrate data.[22]

Mitigations

ID Mitigation Description
M1047 Audit

Ensure extensions that are installed are the intended ones, as many malicious extensions will masquerade as legitimate ones.
M1038 Execution Prevention

Set a browser extension allow or deny list as appropriate for your security policy.[23]
M1033 Limit Software Installation

Only install browser extensions from trusted sources that can be verified. Browser extensions for some browsers can be controlled through Group Policy. Change settings to prevent the browser from installing extensions without sufficient permissions.
M1051 Update Software

Ensure operating systems and browsers are using the most current version.

M1017 User Training

Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0044 Detecting Malicious Browser Extensions Across Platforms AN0123

Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process.
AN0124

Installation of malicious .mobileconfig profiles or browser extension plist entries followed by abnormal browser child process activity.
AN0125

Manual or scripted installation of Chrome extensions using user scripts or config files, followed by unexpected network connections from browser processes.

References

  1. Wikipedia. (2017, October 8). Browser Extension. Retrieved January 11, 2018.
  2. Chrome. (n.d.). What are Extensions?. Retrieved November 16, 2017.
  3. Jagpal, N., et al. (2015, August). Trends and Lessons from Three Years Fighting Malicious Extensions. Retrieved November 17, 2017.
  4. Pulsedive Threat Research. (2025, March 21). Rilide - An Information Stealing Browser Extension. Retrieved September 22, 2025.
  5. Chris Ross. (2019, February 8). No Place Like Chrome. Retrieved April 27, 2021.
  6. Brinkmann, M. (2017, September 19). First Chrome extension with JavaScript Crypto Miner detected. Retrieved November 16, 2017.
  7. De Tore, M., Warner, J. (2018, January 15). MALICIOUS CHROME EXTENSIONS ENABLE CRIMINALS TO IMPACT OVER HALF A MILLION USERS AND GLOBAL BUSINESSES. Retrieved January 17, 2018.
  8. Marinho, R. (n.d.). (Banker(GoogleChromeExtension)).targeting. Retrieved November 18, 2017.
  9. Marinho, R. (n.d.). "Catch-All" Google Chrome Malicious Extension Steals All Posted Data. Retrieved November 16, 2017.
  10. Vachon, F., Faou, M. (2017, July 20). Stantinko: A massive adware campaign operating covertly since 2012. Retrieved November 16, 2017.
  11. Kjaer, M. (2016, July 18). Malware in the browser: how you might get hacked by a Chrome extension. Retrieved September 12, 2024.
  12. Raggi, Michael. Proofpoint Threat Research Team. (2021, February 25). TA413 Leverages New FriarFox Browser Extension to Target the Gmail Accounts of Global Tibetan Organizations. Retrieved November 17, 2024.
  1. Microsoft Threat Intelligence. (2020, December 10). Widespread malware campaign seeks to silently inject ads into search results, affects multiple browsers. Retrieved February 26, 2024.
  2. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  3. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
  4. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.
  5. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  6. Cybereaon Security Services Team. (n.d.). Your Data Is Under New Lummanagement: The Rise of LummaStealer. Retrieved March 22, 2025.
  7. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  8. Vrijenhoek, Jay. (2018, April 24). New OSX/Shlayer Malware Variant Found Using a Dirty New Trick. Retrieved September 6, 2019.
  9. Reed, Thomas. (2018, April 24). New Crossrider variant installs configuration profiles on Macs. Retrieved September 6, 2019.
  10. Park, S. (2024, June 27). Kimsuky deploys TRANSLATEXT to target South Korean academia. Retrieved October 14, 2024.
  11. Mohta, A. (n.d.). Block Chrome Extensions using Google Chrome Group Policy Settings. Retrieved January 10, 2018.