Persistence

T1176.001: Browser Extensions

T1176.001 · Sub-technique · 3 platforms · 1 group

Description

Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects of internet browsers. They can be installed directly via a local file or custom URL or through a browser's app store - an official online platform where users can browse, install, and manage extensions for a specific web browser. Extensions generally inherit the permissions previously granted to the web browser.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition) Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security review on browser app stores can be limited, so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension's update URL to install updates from an adversary-controlled server, or manipulate the mobile configuration file to silently install additional extensions.

Adversaries may abuse how Chromium-based browsers load extensions by modifying or replacing the Preferences and/or Secure Preferences files to silently install malicious extensions. While the browser is not running, adversaries can alter these files so that the extension is loaded, granted the desired permissions, and persists across browser sessions. This method does not require user consent: extensions are silently loaded in the background from disk or from the browser's trusted store.(Citation: Pulsedive) Prior to macOS 11, adversaries could silently install browser extensions from the command line by using the profiles tool to install malicious .mobileconfig files. In macOS 11+, the profiles tool can no longer install configuration profiles; however, .mobileconfig files can still be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS) Once the extension is installed, it can browse to websites in the background, steal all information that a user enters into the browser (including credentials), and be used as an installer for a RAT for persistence.(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension)

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions for Command and Control.(Citation: Stantinko Botnet)(Citation: Chrome Extension C2 Malware) Adversaries may also use browser extensions to modify browser permissions and components, privacy settings, and other security controls for Stealth.(Citation: Browers FriarFox)(Citation: Browser Adrozek)

Platforms

Linux, Windows, macOS

Mitigations (5)

M1033: Limit Software Installation

Only install browser extensions from trusted sources that can be verified. Browser extensions for some browsers can be controlled through Group Policy. Change settings to prevent the browser from installing extensions without sufficient permissions.

M1047: Audit

Ensure extensions that are installed are the intended ones, as many malicious extensions will masquerade as legitimate ones.

M1051: Update Software

Ensure operating systems and browsers are using the most current version.

M1017: User Training

Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.

M1038: Execution Prevention

Set a browser extension allow or deny list as appropriate for your security policy.(Citation: Technospot Chrome Extensions GP)
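The following Python script is an added example, not code from the ATT&CK page or from any browser vendor. It turns the Audit (M1047) and Execution Prevention (M1038) mitigations above into a concrete check against the Preferences / Secure Preferences mechanism described earlier: it parses a Chromium-style Preferences JSON, compares every installed extension id and display name against an allow list, and flags the indicators a defender would want surfaced (not installed from the store, sideloaded or unpacked install location, a non-store update URL, broad host access, sensitive API grants, and two ids sharing one display name, the masquerading pattern the Audit mitigation warns about). The sample JSON, the extension ids and the allow list are constructed; the key names (`extensions.settings`, `location`, `from_webstore`, `manifest.update_url`, `granted_permissions`), the location codes and the default profile paths are assumptions about the Chromium layout that should be verified against the browser version in your environment.

```python
"""Audit Chromium-style extension settings against an allow list.

Added example (not MITRE's or any browser vendor's code). Key names and
location codes follow the Chromium Preferences layout as the author
understands it and are assumptions to verify against your browser version.
"""
import json
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Chromium "location" codes (assumption: commonly documented values).
LOCATION_NAMES = {1: "internal (webstore)", 2: "external-pref",
                  3: "external-registry", 4: "unpacked", 5: "component",
                  6: "external-policy-download"}
TRUSTED_LOCATIONS = {1, 5}
SENSITIVE_APIS = {"cookies", "webRequest", "webRequestBlocking", "proxy",
                  "debugger", "nativeMessaging", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample: one legitimate store extension and one sideloaded copy
# that reuses its display name, points at a non-store update URL and holds
# broad permissions. Ids and URLs are placeholders.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": True, "location": 1, "state": 1,
        "manifest": {"name": "Corp Password Manager", "version": "4.2.0",
                     "update_url": WEBSTORE_UPDATE_URL},
        "granted_permissions": {"api": ["storage"], "explicit_host": []}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": False, "location": 4, "state": 1,
        "path": "/tmp/.cache/ext",
        "manifest": {"name": "Corp Password Manager", "version": "4.2.1",
                     "update_url": "http://updates.example-placeholder.test/crx"},
        "granted_permissions": {"api": ["cookies", "webRequest", "tabs"],
                                "explicit_host": ["<all_urls>"]}},
}}})


@dataclass
class Finding:
    ext_id: str
    name: str
    reasons: List[str] = field(default_factory=list)


def audit_extensions(prefs_text: str, allow_list: Dict[str, str]) -> List[Finding]:
    """Return one Finding per extension that violates the allow list or shows
    sideload / over-privilege indicators. allow_list maps id -> expected name."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings: List[Finding] = []
    names_seen: Dict[str, str] = {}
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        name = manifest.get("name", "<unnamed>")
        reasons: List[str] = []
        if ext_id not in allow_list:
            reasons.append("extension id not on allow list")
        elif allow_list[ext_id] != name:
            reasons.append(f"name {name!r} does not match allow-listed {allow_list[ext_id]!r}")
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the browser store")
        loc = entry.get("location")
        if loc not in TRUSTED_LOCATIONS:
            reasons.append(f"install location: {LOCATION_NAMES.get(loc, loc)}")
        update_url = manifest.get("update_url")
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            reasons.append(f"non-store update_url: {update_url}")
        granted = entry.get("granted_permissions", {})
        apis = set(granted.get("api", [])) & SENSITIVE_APIS
        if apis:
            reasons.append("sensitive APIs granted: " + ", ".join(sorted(apis)))
        hosts = set(granted.get("explicit_host", [])) & BROAD_HOSTS
        if hosts:
            reasons.append("broad host access: " + ", ".join(sorted(hosts)))
        # Two ids sharing one display name is the masquerading pattern M1047 warns about.
        if name in names_seen:
            reasons.append(f"display name duplicates extension {names_seen[name]}")
        names_seen.setdefault(name, ext_id)
        if reasons:
            findings.append(Finding(ext_id, name, reasons))
    return findings


def candidate_preference_files(home: Optional[str] = None) -> List[str]:
    """Typical default-profile paths for Google Chrome on Windows, macOS and
    Linux (assumption: default install; adjust for other Chromium browsers
    and non-default profiles)."""
    home = home or os.path.expanduser("~")
    bases = [os.path.join(os.environ.get("LOCALAPPDATA", ""), "Google", "Chrome",
                          "User Data", "Default"),
             os.path.join(home, "Library", "Application Support", "Google", "Chrome", "Default"),
             os.path.join(home, ".config", "google-chrome", "Default")]
    return [os.path.join(b, f) for b in bases for f in ("Preferences", "Secure Preferences")]


if __name__ == "__main__":
    allow = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Corp Password Manager"}
    for finding in audit_extensions(SAMPLE_PREFERENCES, allow):
        print(f"{finding.ext_id} ({finding.name})")
        for reason in finding.reasons:
            print("  -", reason)
```

Run against a real profile by replacing `SAMPLE_PREFERENCES` with the contents of each path from `candidate_preference_files()`; because Secure Preferences carries its own integrity MACs, a mismatch between what the file lists and what the browser shows under its extensions page is itself worth investigating, as is any finding that names an update URL outside the store.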

Threat Groups (1)

| ID | Group | Context |
| --- | --- | --- |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used Google Chrome browser extensions to infect victims and to steal passwords and cookies.(Citat... |

Associated Software (6)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S1122 | Mispadu | Malware | [Mispadu](https://attack.mitre.org/software/S1122) utilizes malicious Google Chrome browser extensions to steal financial data.(Citation: ESET Securit... |
| S0402 | OSX/Shlayer | Malware | [OSX/Shlayer](https://attack.mitre.org/software/S0402) can install malicious Safari browser extensions to serve ads.(Citation: Intego Shlayer Apr 2018... |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has installed a malicious browser extension to target Google Chrome, Microsoft Edge, Opera an... |
| S1201 | TRANSLATEXT | Malware | [TRANSLATEXT](https://attack.mitre.org/software/S1201) has the ability to capture credentials, cookies, browser screenshots, etc. and to exfiltrate da... |
| S0531 | Grandoreiro | Malware | [Grandoreiro](https://attack.mitre.org/software/S0531) can use malicious browser extensions to steal cookies and other user information.(Citation: IBM... |
| S0482 | Bundlore | Malware | [Bundlore](https://attack.mitre.org/software/S0482) can install malicious browser extensions that are used to hijack user searches.(Citation: MacKeepe... |

Frequently Asked Questions

What is T1176.001 (Browser Extensions)?

T1176.001 is a MITRE ATT&CK sub-technique named 'Browser Extensions'. It belongs to the Persistence tactic. Adversaries may abuse internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality to and customize aspects...

How can T1176.001 be detected?

Detection of T1176.001 (Browser Extensions) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1176.001?

There are 5 documented mitigations for T1176.001. Key mitigations include: Limit Software Installation, Audit, Update Software, User Training, Execution Prevention.

Which threat groups use T1176.001?

Known threat groups using T1176.001 include: Kimsuky.