Malicious Chrome VPN Extensions Installed 1.5 Million Times


A recent cybersecurity threat has come to light, involving malicious VPN extensions for Chrome and Edge that have been installed over 1.5 million times. These fake VPN extensions, named “netPlus” for Chrome and “netSave/netWin” for Edge, pose as legitimate VPN services but contain harmful code designed to steal sensitive user data.

The malicious extensions were first discovered by ReasonLabs, a cybersecurity firm, who noted that they were primarily spread through pirated game torrents featuring popular titles such as GTA and Assassin’s Creed. Once installed, the extensions would automatically take over the user’s browser without requiring any additional input. They could then record keystrokes, capture screenshots, and steal sensitive data such as passwords and financial information.


ReasonLabs notified Google of their findings, and the company promptly removed the offending extensions from the Chrome Web Store. However, due to the large number of downloads, many users remain affected by the malware.

Source: chrome-stats

Interestingly, researchers have also identified another issue related to Chrome VPN extensions that may compromise user privacy. Even legitimate VPN extensions can potentially leak DNS data, allowing third parties to monitor a user’s internet activity. Although this issue differs from the one posed by the fake VPN extensions mentioned earlier, it highlights the importance of ensuring that all VPN extensions are properly configured and up-to-date.

Furthermore, these extensions communicate with command-and-control (C2) servers, revealing a disconcerting link to Russian domains. Users are at risk of identity theft and other cybercrimes due to this cyber assault. Such attacks compromise user privacy, manipulate browsing activity for financial gain, and expose them to heightened risks of identity theft.

A closer look reveals that the attack campaign targeted Russian-speaking users, circumventing browser security measures using advanced techniques. Google swiftly removed all identified extensions from the Chrome Web Store, underscoring how platforms play an essential role in protecting users.

Stay Safe

To protect yourself from these types of threats, it’s essential to exercise caution when downloading and installing browser extensions. Only download extensions from trusted sources, such as the official Chrome Web Store, and always check the reviews and ratings before installing. Additionally, consider using a reputable antivirus program that includes real-time protection against malware and phishing attacks.

If you suspect your computer may be infected with malware, running a full system scan using a reliable antivirus program is important. You should also reset your browser settings and clear your cache and cookies to ensure that any lingering traces of the malware are eliminated.

Overall, while VPN extensions can provide valuable benefits such as enhanced privacy and security, it’s crucial to approach them with caution and vigilance. Always double-check suspicious links or downloads, keep your software up-to-date, and regularly scan your system for signs of infection.