Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical CVE-2024-XXXXX in GCP Dialogflow Lets Attackers Inject Malicious Code
July 7, 2026
Gentlemen Ransomware Uses Custom EDR/AV Killers to Target Global Industries
July 7, 2026
VECTRA and TeamPCP reverse ransomware kill chain with supply chain credential theft
July 7, 2026
Home/CyberSecurity News/Malicious TikTok Downloaders Compromise 130K Users Via 12 Browser Extensions
CyberSecurity News

Malicious TikTok Downloaders Compromise 130K Users Via 12 Browser Extensions

Key Takeaways A new malware campaign, dubbed “StealTok,” has compromised over 130,000 users globally through malicious browser extensions posing as TikTok video downloaders. The attackers...

Marcus Rodriguez
Marcus Rodriguez
April 21, 2026 3 Min Read
35 0

Key Takeaways

  • A new malware campaign, dubbed “StealTok,” has compromised over 130,000 users globally through malicious browser extensions posing as TikTok video downloaders.
  • The attackers utilized delayed capability injection, allowing extensions to operate legitimately for months before activating spyware functionalities via remote configuration.
  • Approximately 12,500 active installations of these data-stealing extensions remain present across Google Chrome and Microsoft Edge marketplaces.
  • The campaign highlights the inadequacy of initial installation-time security checks for browser extensions that can dynamically alter their behavior.

A sophisticated malware operation, identified as “StealTok,” has successfully exploited at least 12 interconnected browser extensions to compromise more than 130,000 users worldwide. These extensions, disguised as legitimate TikTok video downloaders, have been covertly monitoring user activities and siphoning sensitive data.

Table Of Content

  • Key Takeaways
  • Delayed Malicious Activation
  • Active and Removed Threats
  • What You Should Do

Security researchers at LayerX uncovered the extensive campaign, revealing that approximately 12,500 installations of these malicious tools are still active across both the Google Chrome and Microsoft Edge platforms.

The perpetrators behind StealTok have implemented a highly organized strategy, frequently deploying multiple identical or slightly rebranded versions of their core malicious extensions. This tactic ensures operational resilience; when one extension is flagged and removed from a marketplace, threat actors promptly upload a new clone to maintain their presence.

Initially, these rogue extensions function precisely as advertised, enabling users to download TikTok videos without watermarks. This legitimate functionality helps them gain user trust. Furthermore, many of these tools even attained a “Featured” badge within official extension stores, significantly reducing user suspicion and boosting their download figures.

Delayed Malicious Activation

A particularly insidious aspect of the StealTok campaign is its use of delayed capability injection. For the initial 6 to 12 months post-installation, the extensions behave innocuously, building a credible reputation and successfully bypassing initial security evaluations.

Once a sufficient period has elapsed, the extensions establish communication with external command-and-control (C2) servers to retrieve dynamic remote configurations. This hidden mechanism allows the attackers to fundamentally alter the extension’s behavior, transforming a benign video downloader into a potent spyware tool without any visible alert to the user or the extension marketplace.

Following the activation of these malicious features, the extensions begin to silently collect extensive telemetry data from the user. This includes monitoring usage patterns, tracking downloaded content, and gathering high-entropy data such as time zone, language settings, and even the device’s battery status. By combining these specific data points, the attackers can construct a highly accurate “fingerprint” of the user’s device, enabling persistent tracking across different web sessions and services.

To obscure this data exfiltration, the extensions transmit the stolen information to deceptive domains with misspelled names, such as “trafficreqort.com,” to evade casual detection and scrutiny.

This campaign underscores a significant vulnerability in current browser security paradigms, indicating that reliance solely on installation-time validation is no longer sufficient. Given that these extensions leverage remote configurations to evolve their behavior, the true risk often materializes long after the initial download.

Active and Removed Threats

Researchers at LayerX security identified several specific extensions implicated in the StealTok campaign.

On the Google Chrome Web Store, active threats include “TikTok Downloader – Save Videos, No Watermark” with 3,000 installations, “TikTok Video Downloader – Bulk Save” with 1,000 installations, and “Tiktok Downloader” with 353 installations.

For Microsoft Edge users, active malicious extensions comprise “Mass Tiktok Video Downloader” with 77 installations and another variant named “TikTok Downloader – Save Videos, No Watermark” with 47 installations.

Several highly popular versions of this malware have already been removed from Google Chrome, including “TikTok Video Keeper,” which had amassed 60,000 installations, and “Video Downloader for Tiktok,” which had 20,000 installations.

What You Should Do

  • Immediately remove any of the named malicious extensions from your browser.
  • Change passwords for any sensitive accounts you may have accessed while these extensions were active.
  • Implement continuous, behavior-based monitoring within your organization to detect suspicious network activity, hidden data collection, and unexpected permission usage by browser extensions in real-time.
  • Exercise caution when installing browser extensions, even those with high ratings or “Featured” badges, and regularly review installed extensions for unusual behavior.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwareSecurityThreat

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

Previous Post

Critical Prompt Injection Vulnerability Affects AI Code Assistants via GitHub Comments

Next Post

Critical SGLang RCE Vulnerability (CVE-2024-5698) Lets Attackers Weaponize GGUF Models

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
AnyDesk Phishing Attack Uses Scheduled Tasks for Persistence, Evades Detection
July 7, 2026
Ubiquiti Discloses 25 UniFi Vulnerabilities, 2 Critical
July 7, 2026
STOCKSTAY Backdoor Targets Ukraine with Malicious RDP Files and WinRAR Exploit
July 7, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us