Threat actors are employing new ways to steal and monetize data in a recent malvertising campaign. In the live campaign, named Dormant Colors, hackers are distributing malicious data-collecting browser extensions with millions of active installations worldwide.

What’s happening?

According to a Guardio report, Dormant Colors consists of 30 different extensions for both Chrome and Edge, as of mid-October.
  • These extensions offer color customization options on web pages and are delivered to the victim's machine with no malicious code to evade detection.
  • When users visit web pages, the advertisements or redirects offer a video or download that further redirects users to another site. This site prompts users to install an innocuous-looking color-changing extension.
  • The extensions can perform several malicious tasks such as searching/browsing histories hijacking, affiliations hijacking, malicious advertisement insertion within visited pages, and side-loading malicious scripts.

Websites under target

Threat actors are targeting different sites such as AliExpress, Amazon, and adult sites. For this, they practice different scams, such as redirection to the affiliation service page, an advertisement, or any other page chosen by the attackers. 

How is it harmful to users?

  • The researchers claim that these extensions contain stealth modules for code updating and telemetry collection and a backbone of servers harvesting data from millions of PCs.
  • These can classify potential targets and are capable of targeting specific users with various kinds of social engineering attack vectors.
  • The attackers can redirect victims to phishing pages to steal credentials for Microsoft 365, Google Workspace, bank sites, or social media platforms.


There are several malicious extensions with the same capabilities and infrastructure deployed to millions of devices worldwide. Some of these are flagged already as potentially harmful in the past yet many variants are still up and running. Moreover, threat actors are shifting domains, generating new extensions, and re-inventing functions. Experts suggest avoiding such unnecessary extensions and remaining skeptical anytime a webpage forces them to download anything to view its content.
Cyware Publisher