HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Malware Steals Chrome Session Cookies to Hijack User Accounts

A phishing email drops a malicious Chrome extension that uses Native Messaging to launch PowerShell, harvest authenticated session cookies and hijack active web sessions, bypassing MFA. The scenario directly tests SOC 2 Access Control controls and the need for continuous compliance evidence.

LiveThreat™ Intelligence · 📅 June 27, 2026· 📰 malwarebytes.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
malwarebytes.com

Malware Steals Chrome Session Cookies to Hijack User Accounts

What Happened – A phishing email containing a disguised .pfd.js attachment drops a malicious Chrome extension. The extension leverages Chrome Native Messaging to launch PowerShell on the host, harvests authenticated session cookies, open tabs, URLs and other fingerprinting data, and uses the cookies to hijack active web sessions, effectively bypassing MFA.

Why It Matters for Compliance & Audit Readiness

  • Session‑cookie theft is a classic credential‑compromise scenario that SOC 2’s Access Control criteria (CC6.1, CC6.2) are designed to prevent and evidence.
  • Continuous monitoring of privileged‑access policies, extension whitelisting, and user‑awareness training provides the audit‑ready evidence needed to demonstrate “least‑privilege” and “secure configuration” controls.
  • Documented incident‑response playbooks that include cookie‑theft detection and revocation steps satisfy the SOC 2 requirement for timely breach handling and remediation.

Who Is Affected – Enterprises across technology SaaS, financial services, healthcare, and retail that rely on Chrome for daily workflows and enable single‑sign‑on (SSO) or persistent sessions.

Recommended Actions

  • Map the incident to SOC 2 Access Control criteria; verify that extension‑whitelisting and policy‑enforcement controls are in place and logged.
  • Collect evidence of Chrome policy changes, extension install logs, and PowerShell execution alerts for audit readiness.
  • Refresh security‑awareness training to highlight deceptive file extensions and the risk of session‑cookie hijacking.

Source: Malwarebytes Labs

Technical Notes – The attack uses a phishing attachment (.pfd.js), PowerShell scripts, Chrome Native Messaging, and a custom native host to bridge the browser sandbox to the OS. No public CVE is cited; the malicious code is custom‑written. Data exfiltrated includes session cookies, open‑tab URLs, language settings, and system‑drive enumeration. Source: same as above

📰 Original Source
https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accounts

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →