Chrometana Chrome extension shipped malware

Chrometana was one of the legitimate Chrome extensions affected by the 2017 developer-account phishing spree. Attackers used stolen Chrome Web Store credentials to publish a malicious update through the official extension channel.

The affected release was Chrometana 1.1.3. Users did not install a fake extension; Chrome's automatic update path delivered a new build from the real listing after the developer account had been taken over.

Proofpoint grouped Chrometana with the broader campaign that loaded attacker JavaScript from shared infrastructure, injected ads, redirected traffic, and in some paths collected credentials. The extension name was different, but the delivery shape matched the other hijacked listings.

This leaf record preserves the extension-specific version and Chrome Web Store boundary. The campaign record carries the shared phishing domains, redirect infrastructure, and cross-extension behavior.

Motive

Financial Gain

Attribution

Group

Cause

Phishing

Transitive

No

Actor

Cybercriminal

User Impact

1500000

• domainclick.rdr11.top
• domainchromedevelopment.site
• domainlogin.chromeextensions.info
• domainchromeextensions.info
• domainwd7bdb20e4d622f6569f3e8503138c859d.win
• domainsearchtab.win
• domainredirect2.top
• domainbrowser-updates.info
• domainpartner-net.men
• urlhttp://partner-net[.]men/code/pid/973820_BNX.js?rev=133

• Chrome extension developers under a barrage of phishing attacksbleepingcomputer.com
• Chrome extension developers under attacka9t9.com
• Threat actor goes on a Chrome extension hijacking spreeproofpoint.com
• Keeping our users safeblog.cloudflare.com
• Eight Chrome Extensions Hijacked to Deliver Malicious Code to 4.8 Million Usersbleepingcomputer.com