
Malicious Chrome Add-On Steals Facebook, Instagram Ad Credentials

A fake Chrome tool, Madgicx Plus, steals Meta ad credentials, hijacking budgets and accounts via stealthy browser exploits.

Written By
Ken Underhill
Sep 11, 2025

A new threat is hijacking marketers’ Facebook and Instagram sessions via a Chrome extension.

Security researchers discovered Madgicx Plus, a malicious Chrome extension disguised as an AI ad tool. It abuses excessive browser permissions to steal Meta login tokens and hijack business accounts.

Cybereason’s research team stated, “This reuse [of domains], combined with the technical sophistication of the extension, indicates the campaign is part of a broader, evolving effort to compromise advertiser accounts and harvest valuable business data.”

How the attack works

According to Cybereason’s analysis, the extension is distributed through a network of deceptive websites — such as privacy-shield.world and madgicxads.world — designed to mimic legitimate analytics services.

Static and dynamic analysis show that the Madgicx Plus Chrome extension combines an unusually broad set of permissions with stealthy network manipulation to steal credentials and maintain access.

The extension’s manifest.json grants host_permissions for <all_urls> along with declarativeNetRequest and declarativeNetRequestWithHostAccess, letting it intercept and alter web requests across any domain. This setup allows it to inject scripts into every page, harvest form data, steal session cookies, and even tap into Meta’s internal APIs in real time.

At the core of the attack is the background.iife.js script. Once a victim logs in to Facebook or Instagram, the script listens for XHR responses from Facebook’s OAuth endpoints.

When an authentication response appears, the script lifts the access_token from the JSON, saves it locally, and silently sends it to a C2 server at madgicx-plus[.]com, giving attackers ongoing account access without needing the password.

Evasion technique

To evade detection, the extension uses a Declarative Net Request rule to strip the Origin header from caller=ext requests, bypassing Meta’s same-origin checks and CSPs so stolen tokens can be reused in attacker sessions.

The extension’s network logic also integrates with a cluster of domains — such as privacy-shield.world and web-radar.world — which are hosted behind Cloudflare but ultimately trace back to infrastructure run by VDSina, a hosting provider previously linked to malicious resources.

Dynamic testing in a sandbox confirmed that the extension uses a staged approach to credential theft. After installation, it first prompts users to connect their Google account, caching sensitive data in local storage.

It next seeks Facebook authorization, using stolen tokens to impersonate users, alter ad budgets, launch fake campaigns, or transfer ownership — a sophisticated “adversary-in-the-browser” attack targeting Meta’s ad ecosystem.

The Madgicx Plus campaign poses rising risks for Meta advertisers, especially SMBs relying on unsecured browser tools, letting attackers hijack budgets, run rogue campaigns, and take over Business Manager accounts.

This campaign shows how malicious extensions are emerging as key tools for credential theft and session hijacking, mixing supply chain abuse with social engineering. As they proliferate, organizations must tighten security policies and train users to avoid unverified add-ons.

Essential Steps to Secure Ad Tools

  • Audit installed browser extensions to identify potentially malicious add-ons.
  • Remove unused or unverified tools to limit unnecessary risk.
  • Restrict advertising activities to dedicated browser profiles for better isolation.
  • Monitor Meta Business Manager for unusual billing charges or unauthorized ad activity that may signal compromised credentials.
  • Implement extension allowlists in high-risk environments.
  • Segment ad management workflows to minimize exposure across accounts and teams.
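As an added example for the extension audit step above (not code from the article or from Cybereason’s research), the Python below inspects a parsed extension manifest for the permission combination the article describes, <all_urls> host access together with declarativeNetRequest, and flags any static Declarative Net Request rule that removes the Origin request header. The sample manifest and rule file are constructed to mirror that description, and the helper names are my own.

```python
import json

# Indicators taken from the article: broad host access plus declarativeNetRequest
# permissions, and a DNR rule that removes the Origin header from requests.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def origin_stripping_rules(rules):
    """Yield (rule id, urlFilter) for modifyHeaders rules that remove the Origin request header."""
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        for hdr in action.get("requestHeaders", []):
            if hdr.get("header", "").lower() == "origin" and hdr.get("operation") == "remove":
                yield rule.get("id"), rule.get("condition", {}).get("urlFilter", "*")

def audit_manifest(manifest, rulesets=None):
    """Return findings for one parsed manifest.json; rulesets maps rule file path -> parsed rules."""
    findings = []
    # MV3 keeps host patterns in host_permissions; MV2 put them in permissions, so check both.
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    broad = hosts & BROAD_HOSTS
    dnr = set(manifest.get("permissions", [])) & DNR_PERMS
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(broad)))
    if dnr:
        findings.append("can rewrite requests: " + ", ".join(sorted(dnr)))
    if broad and dnr:
        findings.append("HIGH: broad host access combined with request rewriting")
    # Static rulesets are declared under declarative_net_request and shipped as JSON files.
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        for rule_id, url_filter in origin_stripping_rules((rulesets or {}).get(res.get("path"), [])):
            findings.append(f"HIGH: rule {rule_id} strips Origin header for '{url_filter}'")
    return findings

# Constructed sample shaped like the permissions and header rule the article describes.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "host_permissions": ["<all_urls>"],
  "permissions": ["storage", "declarativeNetRequest", "declarativeNetRequestWithHostAccess"],
  "declarative_net_request": {"rule_resources": [{"id": "rs1", "enabled": true, "path": "rules.json"}]}
}""")
SAMPLE_RULES = {"rules.json": [{"id": 1, "priority": 1, "condition": {"urlFilter": "caller=ext"},
    "action": {"type": "modifyHeaders", "requestHeaders": [{"header": "Origin", "operation": "remove"}]}}]}

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, SAMPLE_RULES):
        print(finding)
```

To audit a real install, load manifest.json and the rule files it lists from an unpacked extension directory under the browser profile’s Extensions folder and pass them to audit_manifest.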

This incident underscores why securing your browser is as important as protecting any other business tool — extensions can become covert gateways to sensitive accounts.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
