Phishing Campaign Hijacks Chrome Sessions to Bypass MFA

A new phishing campaign is doing something more dangerous than stealing passwords: it hijacks the browser sessions you are already logged into. According to the original research from Malwarebytes, a booby-trapped email attachment installs a malicious Chrome extension that lifts your authenticated session cookies, allowing attackers to walk straight into accounts that are already signed in, sidestepping multi-factor authentication entirely.

The clever part is not the lure. It is how the malware quietly abuses legitimate browser and Windows features to run code on your machine while looking like normal, expected activity.

What happened

The attack arrives as an email with an attachment that looks like an invoice in PDF form. The file is named to display as a PDF, but its real extension is .pfd.js, an obfuscated JavaScript file rather than a document. When opened, it drops additional files into the Windows temporary folder and kicks off the infection chain, which Malwarebytes ties to a Windows backdoor.

From there, a PowerShell script stages a Chrome extension and quietly changes Chrome policy settings so the extension can be installed. By abusing Chrome enterprise policy, the malware makes the install look like an administrator-managed deployment rather than something the user clicked through, helping it slip past suspicion.

How the attack works

Once active, the extension and a companion native program harvest browser cookies, open tabs, visited URLs, language settings, and device fingerprinting data. The operators also use the setup as a remote command channel, issuing instructions that can launch PowerShell and enumerate the contents of the C: drive.

The standout technique is the abuse of Chrome Native Messaging as a bridge out of the browser sandbox and into the operating system. Chrome legitimately lets extensions talk to a registered native messaging host program on the machine. Here, the attackers weaponized that feature: the extension never launches PowerShell itself. Instead, it sends messages to the native host, which then launches or interacts with PowerShell on the victim's machine. That indirection keeps the malicious browser component looking benign while the real execution happens outside the sandbox.

Because the stolen cookies represent already-authenticated sessions, the attackers can ride those live sessions instead of cracking credentials. That means they reach accounts that are already logged in on the victim's browser, and the MFA prompt never fires, because from the service's point of view the user is still signed in.
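The two footholds described above, a policy-forced extension install and a native messaging host that hands commands to PowerShell, both leave artefacts a defender can audit. The following is an added example (not code from Malwarebytes or IntelFusions) that parses Chrome ExtensionInstallForcelist entries and native messaging host manifests and flags the combination; the "user-writable location" and "script host" heuristics and all sample values are constructed assumptions, not indicators from the campaign.

```python
import json

# Chrome Web Store update URL; force-list entries pointing elsewhere deserve a look.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Heuristic (assumption): legitimate native hosts are rarely installed in these paths.
USER_WRITABLE_DIRS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_SUFFIXES = (".ps1", ".bat", ".cmd", ".js", ".vbs")


def parse_forcelist(entries):
    """Parse ExtensionInstallForcelist values ('<id>;<update_url>') into
    {extension_id: [reasons]}. An omitted update_url means the Web Store."""
    result = {}
    for entry in entries:
        ext_id, _, update_url = entry.partition(";")
        reasons = []
        if len(ext_id) != 32 or any(c not in "abcdefghijklmnop" for c in ext_id):
            reasons.append("malformed extension id")
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            reasons.append(f"non-Web-Store update_url {update_url}")
        result[ext_id] = reasons
    return result


def audit_native_host(manifest_text, forced):
    """Return the reasons a native messaging host manifest looks suspicious."""
    manifest = json.loads(manifest_text)
    reasons = []
    path = manifest.get("path", "").lower().replace("/", "\\")
    if any(d in path for d in USER_WRITABLE_DIRS):
        reasons.append(f"host binary in user-writable location: {path}")
    if path.endswith(SCRIPT_SUFFIXES):
        reasons.append("host is a script rather than a compiled binary")
    for origin in manifest.get("allowed_origins", []):
        ext_id = origin.removeprefix("chrome-extension://").rstrip("/")
        if ext_id in forced:  # extension pushed by policy talks to this host
            reasons.append(f"allowed origin {ext_id} is force-installed by policy")
            reasons.extend(forced[ext_id])
    return reasons


# Constructed sample data, not real indicators.
FORCELIST = ["abcdefghijklmnopabcdefghijklmnop;http://updates.example.invalid/crx"]
SUSPECT_MANIFEST = json.dumps({
    "name": "com.example.bridge", "type": "stdio",
    "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\bridge.bat",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"]})
BENIGN_MANIFEST = json.dumps({
    "name": "com.example.pwmgr", "type": "stdio",
    "path": "C:\\Program Files\\PwMgr\\host.exe",
    "allowed_origins": ["chrome-extension://" + "p" * 32 + "/"]})

if __name__ == "__main__":
    forced = parse_forcelist(FORCELIST)
    for label, text in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, audit_native_host(text, forced) or ["no findings"])
```

On a real host, feed it the values under Software\Policies\Google\Chrome\ExtensionInstallForcelist and the manifest files referenced by the Software\Google\Chrome\NativeMessagingHosts keys (HKLM and HKCU).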

What you should do

The first defense is to avoid opening attachments unless you can verify the sender. Beyond that, Malwarebytes recommends:

This campaign sits alongside a wave of browser-centric attacks we have covered, including a malicious browser extension that hijacks Windows PCs and a Chrome-targeting stealer built to bypass browser protections. The common thread is clear: the browser, not just the password, is now the prize.

Indicators of compromise

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.