Browser extensions have long been treated as harmless utilities: color pickers, ad blockers, volume boosters. Security analysts at 7AI have now documented a large network of Chrome and Edge extensions that turned such utilities into a platform for running attacker-supplied JavaScript inside the user's browser, on every page the user visits.
The cluster has been named Phoenix Invicta. It was first described by security researcher Wladimir Palant in January 2025; the new analysis finds that the network's scale and the danger it poses are far greater than first reported. The investigators identified roughly sixty domains tied to the infrastructure, confirmed twenty-two malicious extensions, and found the operators still iterating on and expanding their tooling.
The investigation began with an unremarkable extension called MyColorPick, a color palette picker. After installation, analysts saw the browser fetch an external file, redirect_checker.js, on every page the user navigated to. The file was not served by the sites being visited; the extension itself injected it. Reviewing the extension code showed that these extensions fetch instructions from remote command servers and can run arbitrary JavaScript in the origin of every site the user visits.
What sets the campaign apart is its systematic sidestepping of Manifest V3, Chrome's current extension platform, whose rules forbid extensions from loading and running remotely hosted code. Phoenix Invicta's workaround: the extensions request permission to read and change data on all websites, use that access to strip Content Security Policy (CSP) headers from responses, and then insert their own <script> tag into the page DOM, pointing at the operators' infrastructure. With the page's CSP gone, the browser loads and runs that script as though it were part of the legitimate site. The payload executes in the page's context rather than in the extension's own service worker or pages, which is where MV3's technical restriction on remote code applies, so the restriction is routed around rather than broken.
Analysts confirmed a working two-way command channel. The implants sent structured telemetry, including visited URLs, installation tokens, extension identifiers and the user's geolocation, to a collection server at statsdata.online. In return, the server sent JavaScript payloads that ran as soon as they arrived. The report's authors stress that this goes well beyond advertising fraud: the same channel can deliver any attack, from credential harvesting to hijacking active online banking sessions and enterprise access tokens.
The infrastructure is run like a commercial software product, with install tracking, user behaviour telemetry and a deployment pipeline for pushing new code. A new malicious module, m3011.js, is a complete rewrite of the earlier codebase and adds support for Google, Bing and Yahoo. The script rewrites search engine results pages, copying the look of genuine listings down to typography, colour palette and dark mode styling.
The researchers also examined the transport layer. One multi-purpose domain, lottingem.com, served both as an exfiltration endpoint and as the payload source. Browsing history and request headers went out as plain query parameters on the outbound request URL, while the malicious JavaScript came back in the response body. Because the data leaves in the request, blocking the response at an enterprise proxy does not help: the exfiltration has already succeeded by the time the proxy sees the payload. The same request URLs, with the leaked data in them, are what end up in proxy logs, which makes those logs the place to look for evidence of this activity.
Some versions of the implant contained routines that read the names and email addresses of the host's Google Chrome profiles. That identity data was tied to a persistent browser GUID, letting the operators build up profiles of specific individuals over time.
The malicious extensions span a range of utility categories: screenshot tools, ad blockers, dark mode add-ons and volume boosters. Some have been removed from the Chrome Web Store and the Microsoft Edge Add-ons store, but removal from a store does not by itself uninstall copies already in place; those remain active until users remove them or administrators block them through enterprise policy (in both Chrome and Edge, the ExtensionInstallBlocklist policy is the mechanism for this).
The report's authors conclude that the campaign is still adapting. They found a set of recently registered, not yet active domains that point to a coming generation of malicious extensions, posing as custom cursor tools and fake "data privacy" utilities.