Malicious TikTok Downloaders Compromise 130K Users Via 12 Browser Extensions
Key Takeaways A new malware campaign, dubbed “StealTok,” has compromised over 130,000 users globally through malicious browser extensions posing as TikTok video downloaders. The attackers...
Key Takeaways
- A new malware campaign, dubbed “StealTok,” has compromised over 130,000 users globally through malicious browser extensions posing as TikTok video downloaders.
- The attackers utilized delayed capability injection, allowing extensions to operate legitimately for months before activating spyware functionalities via remote configuration.
- Approximately 12,500 active installations of these data-stealing extensions remain present across Google Chrome and Microsoft Edge marketplaces.
- The campaign highlights the inadequacy of initial installation-time security checks for browser extensions that can dynamically alter their behavior.
A sophisticated malware operation, identified as “StealTok,” has successfully exploited at least 12 interconnected browser extensions to compromise more than 130,000 users worldwide. These extensions, disguised as legitimate TikTok video downloaders, have been covertly monitoring user activities and siphoning sensitive data.
Table Of Content
Security researchers at LayerX uncovered the extensive campaign, revealing that approximately 12,500 installations of these malicious tools are still active across both the Google Chrome and Microsoft Edge platforms.
The perpetrators behind StealTok have implemented a highly organized strategy, frequently deploying multiple identical or slightly rebranded versions of their core malicious extensions. This tactic ensures operational resilience; when one extension is flagged and removed from a marketplace, threat actors promptly upload a new clone to maintain their presence.
Initially, these rogue extensions function precisely as advertised, enabling users to download TikTok videos without watermarks. This legitimate functionality helps them gain user trust. Furthermore, many of these tools even attained a “Featured” badge within official extension stores, significantly reducing user suspicion and boosting their download figures.
Delayed Malicious Activation
A particularly insidious aspect of the StealTok campaign is its use of delayed capability injection. For the initial 6 to 12 months post-installation, the extensions behave innocuously, building a credible reputation and successfully bypassing initial security evaluations.
Once a sufficient period has elapsed, the extensions establish communication with external command-and-control (C2) servers to retrieve dynamic remote configurations. This hidden mechanism allows the attackers to fundamentally alter the extension’s behavior, transforming a benign video downloader into a potent spyware tool without any visible alert to the user or the extension marketplace.
Following the activation of these malicious features, the extensions begin to silently collect extensive telemetry data from the user. This includes monitoring usage patterns, tracking downloaded content, and gathering high-entropy data such as time zone, language settings, and even the device’s battery status. By combining these specific data points, the attackers can construct a highly accurate “fingerprint” of the user’s device, enabling persistent tracking across different web sessions and services.
To obscure this data exfiltration, the extensions transmit the stolen information to deceptive domains with misspelled names, such as “trafficreqort.com,” to evade casual detection and scrutiny.
This campaign underscores a significant vulnerability in current browser security paradigms, indicating that reliance solely on installation-time validation is no longer sufficient. Given that these extensions leverage remote configurations to evolve their behavior, the true risk often materializes long after the initial download.
Active and Removed Threats
Researchers at LayerX security identified several specific extensions implicated in the StealTok campaign.
On the Google Chrome Web Store, active threats include “TikTok Downloader – Save Videos, No Watermark” with 3,000 installations, “TikTok Video Downloader – Bulk Save” with 1,000 installations, and “Tiktok Downloader” with 353 installations.
For Microsoft Edge users, active malicious extensions comprise “Mass Tiktok Video Downloader” with 77 installations and another variant named “TikTok Downloader – Save Videos, No Watermark” with 47 installations.
Several highly popular versions of this malware have already been removed from Google Chrome, including “TikTok Video Keeper,” which had amassed 60,000 installations, and “Video Downloader for Tiktok,” which had 20,000 installations.
What You Should Do
- Immediately remove any of the named malicious extensions from your browser.
- Change passwords for any sensitive accounts you may have accessed while these extensions were active.
- Implement continuous, behavior-based monitoring within your organization to detect suspicious network activity, hidden data collection, and unexpected permission usage by browser extensions in real-time.
- Exercise caution when installing browser extensions, even those with high ratings or “Featured” badges, and regularly review installed extensions for unusual behavior.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.