Malicious Chrome Extensions Target Enterprise HR Platforms for Credential Theft
January 29th, 2026
High

Our Cyber Threat Intelligence Unit is monitoring a newly disclosed threat involving five malicious Google Chrome extensions that are being abused to hijack enterprise HR and ERP systems. This activity targets corporate environments by exploiting browser-based trust rather than traditional malware delivery methods. The malicious extensions appear as legitimate productivity or utility tools and are installed either through social engineering, phishing links, or abuse of Chrome’s extension ecosystem. This campaign highlights the growing risk posed by browser extensions as an attack vector in enterprise environments, and underscores the need for strict extension governance and continuous monitoring.
Technical Details
Threat Name: Credential theft and session hijacking via malicious browser extensions.
Severity: High
Component Affected: Google Chrome browser and integrated extensions on endpoints used to access enterprise HR and ERP services.
Delivery Method: Deployment of malicious Chrome extensions masquerading as legitimate productivity tools for enterprise platforms via the official Chrome Web Store and third-party download sites.
Malicious Behavior:
Exfiltrates session cookies to attacker-controlled servers (e.g., api[.]databycloud[.]com, api[.]software-access[.]com) every ~60 seconds.
Performs DOM manipulation to block access to security and admin pages (e.g., 2FA configuration, password resets, session logs) on Workday and similar platforms.
Injects stolen cookies into browser sessions to enable takeover without passwords or MFA tokens.
Primary Capability: Credential harvesting, session hijacking, unauthorized web application access
Targeted Sector: Enterprise organizations using cloud-based HR and ERP platforms (cross-industry)

Impact
Browser-Based Account Takeover: Malicious Chrome extensions hijack active browser sessions, allowing attackers to access HR and ERP systems without triggering MFA.
Credential & Session Token Theft: Extensions harvest usernames, passwords, cookies, and authentication tokens, leading to unauthorized access to sensitive enterprise applications.
Bypass of Endpoint Security Controls: Operating entirely within the browser enables the threat to evade traditional endpoint detection and antivirus solutions.
Persistent Unauthorized Access: Extensions maintain persistence through browser startup and auto-updates, allowing long-term covert access to enterprise systems.
Enterprise Data Exposure: Compromise of HR and ERP platforms can result in leakage of employee PII, payroll data, financial records, and business-critical information.
Detection Method
Browser Extension Inventory Monitoring: Continuously audit installed Chrome extensions across endpoints and flag newly added or unapproved extensions, especially those not sourced from the official Chrome Web Store.
Excessive Permission Detection: Identify extensions requesting high-risk permissions such as “Read and change all your data on all websites”, access to cookies, or clipboard monitoring.
HR/ERP Session Anomaly Monitoring: Monitor HR and ERP application logs for abnormal session behavior, such as access from unexpected devices, browsers, or geolocations using valid credentials.
Network Traffic Analysis: Inspect outbound HTTPS traffic from browsers for connections to unknown or low-reputation domains associated with extension update or data exfiltration activity.
Browser Script Injection Alerts: Detect unauthorized JavaScript injection or DOM manipulation events within enterprise web applications.
MFA Bypass Indicators: Correlate successful logins to HR/ERP systems without corresponding MFA challenges, especially following extension installations.
Endpoint Telemetry Correlation: Monitor browser startup behaviors, extension auto-reloads, and persistence mechanisms indicative of malicious extension activity.
User Behavior Analytics (UBA): Flag deviations in user access patterns, such as unusual HR/ERP actions, bulk data access, or actions outside normal business hours.
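The first two detection methods above (extension inventory and excessive-permission detection) can be implemented directly against the on-disk extension manifests. The following script is an added example written for this advisory, not tooling from the campaign or from any vendor: it walks a Chrome profile's Extensions directory, reads each manifest.json (MV2 or MV3), and flags extensions that combine the cookies permission with all-site host access, the combination the malicious behavior section describes. The risk lists, the two sample manifests and the placeholder extension IDs are constructed for the example; the default profile paths are Chrome's standard per-platform locations.

```python
import json
import os
import tempfile
from pathlib import Path

# API permissions that let an extension read or alter authenticated sessions.
# Constructed list for this example; extend it to fit local policy.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "clipboardRead", "debugger",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Default per-profile extension roots; Chrome stores <id>/<version>/manifest.json beneath them.
DEFAULT_EXTENSION_ROOTS = [
    Path.home() / ".config/google-chrome/Default/Extensions",                       # Linux
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",  # Windows
]


def assess_manifest(manifest: dict) -> dict:
    """Score one manifest.json (MV2 or MV3) for session-theft capability."""
    api_perms = set(manifest.get("permissions", []))
    host_perms = set(manifest.get("host_permissions", []))   # MV3 keeps hosts in a separate field
    # MV2 mixes host match patterns into "permissions"; split them out by shape.
    for p in list(api_perms):
        if p == "<all_urls>" or "://" in p:
            host_perms.add(p)
            api_perms.discard(p)
    # Content scripts matching every site grant the same reach as broad host permissions.
    for cs in manifest.get("content_scripts", []):
        host_perms.update(cs.get("matches", []))
    risky = sorted(api_perms & HIGH_RISK_PERMISSIONS)
    broad = sorted(host_perms & BROAD_HOST_PATTERNS)
    # cookies + every-site access is what enables cookie exfiltration;
    # otherwise require several risky APIs before flagging.
    flag = ("cookies" in risky and bool(broad)) or len(risky) >= 3
    return {"name": manifest.get("name", "<unnamed>"), "risky_permissions": risky,
            "broad_hosts": broad, "flag": flag}


def scan_extension_root(root: Path) -> list:
    """Walk <root>/<extension id>/<version>/manifest.json and assess each manifest."""
    findings = []
    if not root.is_dir():
        return findings
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it rather than abort the audit
        result = assess_manifest(manifest)
        result["extension_id"] = manifest_path.parts[-3]
        result["version"] = manifest_path.parts[-2]
        findings.append(result)
    return findings


# Two constructed manifests used to exercise the scanner offline.
BENIGN_MANIFEST = {"name": "Notes", "manifest_version": 3,
                   "permissions": ["storage"], "host_permissions": []}
SUSPECT_MANIFEST = {"name": "HR Helper", "manifest_version": 3,
                    "permissions": ["cookies", "webRequest", "storage"],
                    "host_permissions": ["<all_urls>"],
                    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}


def demo() -> list:
    """Build a throwaway extension root from the constructed manifests; return flagged IDs."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Placeholder IDs in Chrome's 32-letter a-p format, not real extensions.
        for ext_id, manifest in (("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", BENIGN_MANIFEST),
                                 ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", SUSPECT_MANIFEST)):
            d = root / ext_id / "1.0.0_0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return [f["extension_id"] for f in scan_extension_root(root) if f["flag"]]


if __name__ == "__main__":
    for root in DEFAULT_EXTENSION_ROOTS:
        for f in scan_extension_root(root):
            if f["flag"]:
                print(f"FLAG {f['extension_id']} {f['name']}: {f['risky_permissions']} {f['broad_hosts']}")
```

Run it from an endpoint management tool against every user profile (not only Default) and compare the returned IDs with the organization's allowlist; an ID that is flagged and not allowlisted is the signal to act on.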
Indicators of Compromise
Type          | Indicator
Domain        | api[.]databycloud[.]com
Domain        | api[.]software-access[.]com
URL           | api[.]software-access[.]com/api/v1/mv3
WebSocket URL | wss://api[.]software-access[.]com
Domain        | user[.]software-access[.]com
Domain        | admin[.]software-access[.]com
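The Network Traffic Analysis detection method and the indicators above can be combined into a single check over proxy logs: match the refanged domains, then look for the roughly 60-second exfiltration cadence described under Malicious Behavior. The script below is an added example for this advisory, not part of the original report; the log format and the sample log lines are constructed, and only the domains come from the indicator table.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit


def refang(indicator: str) -> str:
    """Turn a defanged indicator (api[.]example[.]com) back into a matchable hostname."""
    return indicator.replace("[.]", ".")


# Domains from the indicator table, refanged for matching against live logs.
IOC_DOMAINS = {refang(d) for d in (
    "api[.]databycloud[.]com", "api[.]software-access[.]com",
    "user[.]software-access[.]com", "admin[.]software-access[.]com")}

# Beacon period reported for the cookie exfiltration, with a tolerance for jitter.
EXPECTED_PERIOD_S = 60.0
TOLERANCE_S = 10.0

# Constructed log format: "<ISO timestamp> <source host> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample: ws-17 beacons to the C2 host about once a minute; ws-03 is mostly benign
# but opens one WebSocket to the same host.
SAMPLE_LOG = """\
2026-01-29T09:00:00Z ws-17 POST https://api.software-access.com/api/v1/mv3 200
2026-01-29T09:00:03Z ws-03 GET https://intranet.example.com/ 200
2026-01-29T09:01:01Z ws-17 POST https://api.software-access.com/api/v1/mv3 200
2026-01-29T09:01:30Z ws-03 GET https://www.example.com/news 200
2026-01-29T09:02:00Z ws-17 POST https://api.software-access.com/api/v1/mv3 200
2026-01-29T09:02:10Z ws-03 GET wss://api.software-access.com/ 101
2026-01-29T09:03:01Z ws-17 POST https://api.software-access.com/api/v1/mv3 200
"""


def host_of(url: str) -> str:
    """Hostname of an http(s)/wss URL, or of a bare host[:port] string."""
    parsed = urlsplit(url if "://" in url else "//" + url)
    return (parsed.hostname or "").lower()


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # tolerate unrelated or truncated lines
        ts, src, method, url, status = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "method": method, "url": url,
                       "host": host_of(url), "status": int(status)})
    return events


def ioc_hits(events: list) -> list:
    """Every request whose destination host is in the indicator set."""
    return [e for e in events if e["host"] in IOC_DOMAINS]


def detect_beacons(events: list, period: float = EXPECTED_PERIOD_S,
                   tol: float = TOLERANCE_S, min_requests: int = 3) -> dict:
    """Flag (source, host) pairs whose median request interval matches the beacon period."""
    series = defaultdict(list)
    for e in events:
        series[(e["src"], e["host"])].append(e["ts"])
    findings = {}
    for key, stamps in series.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue  # too few samples to call it periodic
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - period) <= tol:
            findings[key] = {"requests": len(stamps), "median_interval_s": median_gap}
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in ioc_hits(events):
        print("IOC", e["src"], e["url"])
    for (src, host), info in detect_beacons(events).items():
        print(f"BEACON {src} -> {host}: {info['requests']} requests, median {info['median_interval_s']}s")
```

The indicator match alone is enough to trigger the proxy or DNS block recommended below; the periodicity check is useful afterwards, because a host that keeps beaconing to a newly registered domain with the same cadence is likely running the same extension under a fresh infrastructure.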

Recommendations
For Users:
Remove any extensions matching the names or IDs in the indicators section, especially those requesting cookie permissions for Workday, NetSuite, or SuccessFactors.
Review authentication history for unexpected access from unfamiliar IPs, devices, or locations during the period extensions were installed.
Perform password resets from a clean system after removing the extensions. Resetting from a browser that still has an extension installed exposes the new credentials and session cookies immediately.
Check Chrome sync settings. If the extensions were synced across devices, remove them from every system before re-enabling sync.
Report extension presence to your security team for credential compromise assessment.
For Security Teams:
Implement Chrome Enterprise extension allowlists to prevent installation of unauthorized extensions.
Block command and control domains api[.]databycloud[.]com and api[.]software-access[.]com via web proxy or DNS filtering.
Audit authentication logs in Workday, NetSuite, and SuccessFactors for simultaneous sessions from multiple IPs or geographically inconsistent access patterns.
Force password resets from clean systems for any accounts where these extensions were detected.
Review trusted device registrations and remove unrecognized devices that may have been registered using stolen sessions.
Validate that security policy changes were successfully deployed, as blocking extensions may have prevented administrators from completing configuration updates.
Monitor for additional extensions from databycloud1104 or targeting the same enterprise platforms with similar permission requests.
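The first recommendation for security teams, a Chrome Enterprise extension allowlist, is delivered through the ExtensionSettings policy. The script below is an added example for this advisory (not vendor tooling) that builds a default-deny policy, blocks the cookies and webRequest permissions for anything that is allowed, keeps extensions out of the HR/ERP tenant hostnames, and checks a policy for the weak settings that leave the door open. The extension ID, the protected hostnames and the output path are placeholders to replace with the organization's own values; the policy key names are Chrome's.

```python
import json
import re
from pathlib import Path

# Linux managed-policy location that Chrome reads; Windows delivers the same policy via
# GPO/registry and macOS via a configuration profile. Placeholder file name.
LINUX_POLICY_PATH = Path("/etc/opt/chrome/policies/managed/extension-allowlist.json")

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs are 32 letters a-p

# Placeholder allowlist and tenant hostnames; replace with vetted values.
APPROVED_EXTENSIONS = {"cccccccccccccccccccccccccccccccc": "Corporate password manager (placeholder)"}
PROTECTED_HOSTS = ["*://hr.example.com", "*://erp.example.com"]

# The weak configuration this recommendation replaces: anything installs, nothing is restricted.
WEAK_POLICY = {"ExtensionSettings": {"*": {"installation_mode": "allowed"}}}


def build_policy(approved: dict, protected_hosts: list) -> dict:
    """Default-deny ExtensionSettings policy with a short explicit allowlist."""
    settings = {
        "*": {
            "installation_mode": "blocked",            # nothing outside the allowlist installs
            "blocked_permissions": ["cookies", "webRequest", "debugger"],
            "runtime_blocked_hosts": list(protected_hosts),  # allowed extensions still cannot script these
        }
    }
    for ext_id in approved:
        settings[ext_id] = {"installation_mode": "allowed"}  # use "force_installed" for mandatory tools
    return {"ExtensionSettings": settings}


def effective_mode(policy: dict, ext_id: str) -> str:
    """Installation mode Chrome applies to ext_id: a specific entry overrides the "*" default."""
    settings = policy["ExtensionSettings"]
    return settings.get(ext_id, settings.get("*", {})).get("installation_mode", "allowed")


def validate_policy(policy: dict) -> list:
    """Return human-readable problems; an empty list means the policy is default-deny and well-formed."""
    problems = []
    settings = policy.get("ExtensionSettings", {})
    default = settings.get("*", {})
    if default.get("installation_mode") != "blocked":
        problems.append('"*" must use installation_mode "blocked" (default deny)')
    if "cookies" not in default.get("blocked_permissions", []):
        problems.append('"*" should list "cookies" in blocked_permissions')
    if not default.get("runtime_blocked_hosts"):
        problems.append('"*" should set runtime_blocked_hosts for HR/ERP tenants')
    for key in settings:
        if key != "*" and not EXT_ID.match(key):
            problems.append(f"malformed extension id: {key}")
    return problems


def write_policy(policy: dict, path: Path = LINUX_POLICY_PATH) -> Path:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(policy, indent=2) + "\n", encoding="utf-8")
    return path


if __name__ == "__main__":
    policy = build_policy(APPROVED_EXTENSIONS, PROTECTED_HOSTS)
    print(json.dumps(policy, indent=2))
    print("weak policy problems:", validate_policy(WEAK_POLICY))
    print("hardened policy problems:", validate_policy(policy))
```

After deployment, confirm on a managed endpoint that chrome://policy shows ExtensionSettings as applied without errors, and re-run the validation whenever an exception is added so that a one-off "allowed" entry never quietly replaces the "*" block.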
Conclusion
The abuse of malicious Chrome extensions to hijack enterprise HR and ERP systems represents a high-impact, stealthy threat that leverages trusted browser functionality rather than traditional malware. By operating within authenticated browser sessions, these extensions bypass endpoint defenses and MFA controls, enabling unauthorized access to sensitive enterprise applications and data. The threat underscores the growing risk of browser-based attack vectors in modern SaaS-driven environments. Strong extension governance, continuous monitoring, and strict access controls are essential to mitigate this risk and prevent long-term, covert compromise of critical business systems.