Malware Steals Chrome Session Cookies to Hijack User Accounts
What Happened – A phishing email containing a disguised .pfd.js attachment drops a malicious Chrome extension. The extension leverages Chrome Native Messaging to launch PowerShell on the host, harvests authenticated session cookies, open tabs, URLs and other fingerprinting data, and uses the cookies to hijack active web sessions, effectively bypassing MFA.
Why It Matters for Compliance & Audit Readiness
- Session‑cookie theft is a classic credential‑compromise scenario that SOC 2’s Access Control criteria (CC6.1, CC6.2) are designed to prevent and evidence.
- Continuous monitoring of privileged‑access policies, extension whitelisting, and user‑awareness training provides the audit‑ready evidence needed to demonstrate “least‑privilege” and “secure configuration” controls.
- Documented incident‑response playbooks that include cookie‑theft detection and revocation steps satisfy the SOC 2 requirement for timely breach handling and remediation.
Who Is Affected – Enterprises across technology SaaS, financial services, healthcare, and retail that rely on Chrome for daily workflows and enable single‑sign‑on (SSO) or persistent sessions.
Recommended Actions
- Map the incident to SOC 2 Access Control criteria; verify that extension‑whitelisting and policy‑enforcement controls are in place and logged.
- Collect evidence of Chrome policy changes, extension install logs, and PowerShell execution alerts for audit readiness.
- Refresh security‑awareness training to highlight deceptive file extensions and the risk of session‑cookie hijacking.
Source: Malwarebytes Labs
Technical Notes – The attack uses a phishing attachment (.pfd.js), PowerShell scripts, Chrome Native Messaging, and a custom native host to bridge the browser sandbox to the OS. No public CVE is cited; the malicious code is custom‑written. Data exfiltrated includes session cookies, open‑tab URLs, language settings, and system‑drive enumeration. Source: same as above