Fake Google Docs Offline Extension

The fake Google Docs Offline extension is a malicious browser add-on designed to appear as a legitimate tool. Disguised as a trusted Google service, it is actually part of a broader cyberattack campaign known as GlassWorm. This extension is not installed by the user directly; instead, it is silently injected into the browser by pre-existing malware through a malicious script. Once present, it blends in with legitimate extensions, making detection difficult.

Silent Infiltration Through Chain Attacks

This threat spreads through a sophisticated chain attack that leverages compromised platforms such as GitHub repositories, npm packages, and browser extension stores. The cybercriminals behind GlassWorm embed harmful code within seemingly legitimate software projects or updates, making them appear safe.

When users install or update infected software, the hidden code activates in the background and injects the fake extension into the browser. In some cases, the malware is delivered through deceptive update mechanisms that closely resemble official processes, further increasing the likelihood of successful infection.

Full Browser Surveillance and Data Harvesting

Once installed, the fake extension operates as a remote administration Trojan (RAT), granting attackers extensive control over browser activity. It is capable of collecting a wide range of sensitive information, including:

  • Keystrokes, including login credentials and form inputs
  • Cookies and active session data from websites
  • Full code of active browser tabs
  • Screenshots of open pages
  • Clipboard contents and saved bookmarks
  • Browsing history (up to 5000 entries)
  • Device and browser details, including hardware and GPU/WebGL data
  • Information about installed browser extensions

All collected data is bundled and transmitted to cybercriminals, often without any visible signs to the victim.

Serious Consequences for Personal and Corporate Security

The level of access granted by this malicious extension puts a wide range of sensitive data at risk. Private emails, messages, documents, and other personal information can be exposed. Financial activity is particularly vulnerable, including online banking sessions, payment details, and cryptocurrency accounts accessed through the browser.

Attackers can exploit this data to hijack accounts, steal funds, impersonate users, and carry out further malicious operations. When installed on a work device, the impact can escalate into a full-scale corporate security breach, potentially compromising internal systems and confidential business data.

Abuse of Browser Management Controls

In addition to its spying capabilities, the extension manipulates the browser's 'Managed by your organization' feature. Under normal circumstances, this setting indicates that a browser is controlled by an official administrator, such as within a corporate environment.

By abusing this feature, the malware can restrict user control, prevent standard removal methods, and limit access to browser settings. This tactic helps the malicious extension maintain persistence and remain undetected for extended periods.
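As an added example (not code from the original article or from any analysis of GlassWorm), the following Python check audits a Chrome managed-policy file for force-installed extensions the organisation never approved, which is the policy mechanism the 'Managed by your organization' banner reflects. The policy file and the approved list are constructed samples; the Google Docs Offline extension ID used is assumed to be the genuine Web Store ID and should be confirmed against the store listing.

```python
import json
import re

# Constructed sample of a Chrome managed-policy file, in the JSON shape used
# under /etc/opt/chrome/policies/managed/ on Linux. On Windows the same list
# lives in the registry under HKLM\Software\Policies\Google\Chrome and can be
# exported into this shape. Each ExtensionInstallForcelist entry is
# "<extension id>;<update url>"; users cannot remove forcelisted extensions.
SAMPLE_POLICY = json.dumps({
    "ExtensionInstallForcelist": [
        # assumed genuine Google Docs Offline ID, updating from the Web Store
        "ghbmnnjooekpmoecnnnilnnbdlolhkhi;https://clients2.google.com/service/update2/crx",
        # constructed entry: unknown ID pulling its CRX from a bare IP address
        "abcdefghijklmnopabcdefghijklmnop;http://203.0.113.5/update.xml",
    ],
})

# Constructed allowlist: extension ID -> update URL the organisation expects.
APPROVED = {
    "ghbmnnjooekpmoecnnnilnnbdlolhkhi": "https://clients2.google.com/service/update2/crx",
}

# Chrome extension IDs are 32 characters drawn from the letters a-p.
ID_RE = re.compile(r"^[a-p]{32}$")


def parse_forcelist(policy_json):
    """Return (extension_id, update_url) pairs from ExtensionInstallForcelist."""
    policy = json.loads(policy_json)
    pairs = []
    for entry in policy.get("ExtensionInstallForcelist", []):
        ext_id, _, url = entry.partition(";")
        pairs.append((ext_id, url))
    return pairs


def audit_forcelist(policy_json, approved):
    """Flag forcelisted extensions with a malformed ID, an ID not on the
    approved list, or an update URL that differs from the approved one."""
    findings = []
    for ext_id, url in parse_forcelist(policy_json):
        if not ID_RE.match(ext_id):
            findings.append((ext_id, "malformed extension id"))
        elif ext_id not in approved:
            findings.append((ext_id, "not on approved list"))
        elif url != approved[ext_id]:
            findings.append((ext_id, "unexpected update_url " + url))
    return findings


if __name__ == "__main__":
    for ext_id, reason in audit_forcelist(SAMPLE_POLICY, APPROVED):
        print(f"SUSPICIOUS forcelisted extension {ext_id}: {reason}")
```

A clean policy file yields no findings; any finding is a reason to inspect the extension's install source and the process that wrote the policy.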

A Persistent and High-Risk Threat

The fake Google Docs Offline extension represents a serious cybersecurity risk due to its ability to disguise itself, monitor user activity, and steal highly sensitive data. Its stealthy installation methods and persistence mechanisms make it particularly dangerous.

If detected, the extension and any related malicious components must be removed immediately to prevent ongoing data theft and potential long-term compromise.