Chrome & Edge Compromised
- Thomas Breckel

- Jul 10
Malicious Browser Extensions Hijacked Over 2.3 Million Devices — What Clinton County Residents Should Know
A recent investigation by Cybernews has revealed a widespread cybersecurity threat impacting users of Google Chrome and Microsoft Edge. Known as Operation RedDirection, this campaign involved the silent corruption of 18 previously legitimate browser extensions, which were updated with malicious code designed to hijack user sessions, capture URLs, and exfiltrate browsing data to attacker-controlled servers. These extensions, once trusted tools for tasks like color picking or watching videos, turned into background spyware with command-and-control capabilities.
The following extensions were identified as part of this operation.

Google Chrome:
- Emoji keyboard online – copy & paste your emoji
- Free Weather Forecast
- Video Speed Controller – Video Manager
- Unlock Discord – VPN Proxy to Unblock Discord Anywhere
- Dark Theme – Dark Reader for Chrome
- Volume Max – Ultimate Sound Booster
- Unblock TikTok – Seamless Access with One‑Click Proxy
- Unlock YouTube VPN
- Color Picker, Eyedropper – Geco colorpick
- Weather

Microsoft Edge:
- Unlock TikTok
- Volume Booster – Increase your sound
- Web Sound Equalizer
- Header Value
- Flash Player – games emulator
- Youtube Unblocked
- SearchGPT – ChatGPT for Search Engine
- Unlock Discord
These malicious extensions appeared to function normally—offering features like volume boosting, weather forecasts, or VPN access—but were in fact collecting and transmitting private browsing data in the background. They tracked every URL visited and silently sent that data to attacker-controlled servers. In many cases, browser sessions were hijacked and users were redirected to phishing websites or prompted to download malicious software disguised as legitimate updates, such as a fake Zoom installer. These extensions also maintained persistent command-and-control capabilities, meaning the attackers could remotely change their behavior or redirect users to new malicious sites at any time without further input or updates.
Cybercriminals profit from this activity in multiple ways. Some extensions redirected users to specific search engines or affiliate-linked pages, earning fraudulent search revenue. Others injected unauthorized ads into websites the user visited, capturing ad impressions and clicks without consent. More seriously, some redirected users to counterfeit login pages for banks, email platforms, or other services to steal passwords and credentials. The browsing data harvested—such as visited sites, session history, and user tracking IDs—was likely compiled, packaged, and sold to third parties or on the dark web.
For Clinton County residents, the threat is especially concerning for remote workers, students, and small business owners who rely on web-based platforms. Individuals working from home or attending online classes could unknowingly have their data intercepted during sensitive activities like logging into online banking, accessing government benefit portals, or uploading school assignments. Small businesses and municipal users could accidentally leak login credentials for systems like payroll, email, or even emergency alert platforms. Shared devices within households, classrooms, or small offices further increase exposure, as one user's activity may compromise multiple accounts on the same browser or system.
Immediate action is recommended. Residents should check their browser extensions now. In Chrome, go to “More Tools” → “Extensions.” In Edge, navigate to “Settings” → “Extensions.” Remove any of the extensions listed above if present. Next, clear your browser’s history, cookies, and cached data to remove any lingering tracking elements or session tokens. Running a full antivirus or anti-malware scan is strongly advised to catch any residual infections. Trusted tools such as Windows Defender, Malwarebytes, or similar programs are sufficient. Users should also change any passwords used during the period the extensions were active, especially for banking, email, or work-related accounts. Enabling multi-factor authentication (MFA) adds an extra layer of protection. Finally, all users should monitor their accounts for suspicious logins or transactions.
Going forward, residents are urged to take extra care when installing browser extensions. Always review the permissions being requested—if an extension wants access to all data on all websites, that’s a red flag 🚩. Check the number of users and read reviews, but don’t be fooled by high ratings alone, as some of these extensions had glowing feedback before being corrupted. Confirm the developer’s credibility and look for a consistent update history. Only install from official browser stores, and even then, be wary of unfamiliar or overly broad tools. Regularly reviewing and cleaning out unused extensions should become part of routine digital hygiene.
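For anyone checking several machines, the extension review and the "access to all data on all websites" check described above can be scripted. The following is an added example, not code from Cybernews or the Clinton County EMA. It assumes the standard Chromium on-disk layout (`Extensions/<extension id>/<version>/manifest.json`), and the function names are illustrative.

```python
import json
import sys
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def display_name(manifest, version_dir):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    catalog = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        messages = json.loads(catalog.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name
    for key, entry in messages.items():  # message keys are case-insensitive
        if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
            return entry.get("message", name)
    return name

def broad_patterns(manifest):
    """Collect all-sites patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    declared = []
    for field in ("permissions", "host_permissions", "optional_host_permissions"):
        declared += manifest.get(field, [])
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    return sorted({p for p in declared if isinstance(p, str) and p in BROAD})

def audit_extensions(ext_root, watchlist=()):
    """Scan <ext_root>/<extension id>/<version>/manifest.json and flag entries to review."""
    wanted = {w.casefold() for w in watchlist}
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            name = display_name(manifest, path.parent)
            broad = broad_patterns(manifest)
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest: skip rather than crash
        listed = name.casefold() in wanted
        if broad or listed:
            findings.append({"id": path.parts[-3], "name": name, "broad": broad, "listed": listed})
    return findings

if __name__ == "__main__":
    print(*audit_extensions(sys.argv[1], sys.argv[2:]), sep="\n")
```

Run it against the `Extensions` folder inside the profile path shown on `chrome://version` or `edge://version`, passing any extension names from the list above as extra arguments. A `broad` finding is a prompt to review the extension, not proof that it is malicious, since many legitimate tools also request all-sites access.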
In summary, these malicious extensions demonstrate how quickly trusted tools can become threats. Clinton County residents should act now to remove these risks, scan their systems, and strengthen their online defenses. Staying cautious and informed is the best defense against evolving cyber threats. The Clinton County EMA remains available to support community outreach and provide further guidance as needed.





