A Chrome VPN extension with over 100,000 installations and verified badge status has been discovered operating as sophisticated spyware, continuously capturing user screenshots and exfiltrating sensitive data without consent.<\/p>\n
The extension, known as FreeVPN.One, masqueraded as a legitimate privacy tool while secretly implementing comprehensive surveillance capabilities that directly contradict its stated privacy promises.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhsPYqyhHuRWPKY7cJ-l02ARc89svuwex6utvNsHdwDVM6dT43uoRAbuow-O3wNNmU5Z94hvY_6A6qKIcLPNB4gXMO2ydvnXT1CfVaetZ7WzN_QZLiEio7RvO4u1F8QzX_MRmdOAvUtNDiHEchSf0OzC1KBUr0u3QXHfVDOiWP5Cfa_WczW7NrByrPzJQU\/s16000\/FreeVPN.One%25E2%2580%258A%25E2%2580%2594%25E2%2580%258Afeatured%2C%2520verified%2C%2520and%2520spyware%2520%28Source%2520-%2520Koi.Security%29.webp?ssl=1\")
The malicious extension gained prominence through Google\u2019s Chrome Web Store, achieving featured placement and verified status despite implementing backdoor functionality that captures screenshots of every webpage users visit.<\/p>\n
Operating under the guise of providing privacy protection, the extension employs a deceptive two-stage architecture that silently monitors user activity across all browsing sessions, capturing sensitive information including banking credentials, personal communications, and private documents.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg5zsmsIIjTFNbdThSb9yekiRAwuBYZ77EJUQZymK9vdAtCEuurpOfFgwO3Yp0zYbkBJEqlmKOSrurRDElJllkM8t3FEBi_p0cjc_NnsHwBJuOBuItC86DnuAaHqm8xd9NLT03usWTvRIzQWgYR2QpdVqY7wPY1Uya3pM_wkZKibMEB9VvwbzFWguWxqHo\/s16000\/Private%2520pictures%2520sent%2520to%2520the%2520spyware%25E2%2580%2599s%2520backend%2520%28Source%2520-%2520Koi.Security%29.webp?ssl=1\")
Koi.Security analysts noted<\/a> that the extension\u2019s evolution from legitimate VPN service to spyware occurred through a series of calculated updates beginning in April 2025, when developers introduced broad permissions that enabled comprehensive data collection capabilities.<\/p>\n Security researchers identified the transformation as particularly concerning, given the extension\u2019s verified status and widespread adoption among privacy-conscious users.<\/p>\n The surveillance<\/a> campaign impacts users globally, with captured screenshots containing sensitive corporate data, financial information, and personal communications being transmitted to remote servers controlled by the threat actors.<\/p>\n The extension\u2019s privileged position within users\u2019 browsers enables unrestricted access to all browsing activity, creating a comprehensive intelligence-gathering operation that operates entirely without user knowledge or consent.<\/p>\n The extension implements its surveillance capabilities through a sophisticated content script injection system that automatically deploys across all HTTP and HTTPS websites using the broad Upon page load initialization, the malicious code executes a precisely timed delay mechanism:-<\/p>\n This code waits exactly 1.1 seconds after page initialization before triggering screenshot capture, ensuring complete page rendering for maximum data quality.<\/p>\n The background service worker receives the captureViewport message and executes actual screenshot capture using Chrome\u2019s privileged Recent versions implement AES-256-GCM encryption with RSA key wrapping to obfuscate<\/a> data transmission, making network-based detection significantly more challenging.<\/p>\n The encryption layer masks the continuous screenshot exfiltration while maintaining the extension\u2019s surveillance capabilities, demonstrating the threat actors\u2019 commitment to persistence<\/a> and detection evasion.<\/p>\n The extension\u2019s permission structure requires The post Legitimate Chrome VPN With 100,000+ Installs Silently Captures Screenshots and Exfiltrate Sensitive Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgwgKJh4VqL3U8VkRwrEO9a25i__dmQBOl6F3sojjAUVh97HZ7_yPH6bQzgDVZTWKkrBjspLhJrVYyDAwSY8YhUppT9Op4va9AYMsIp9nxXK8PWcGfVNfv4xDyTMmrKGdY03Bdyjv-tCKvihC9ZADWJMvpNeZrjriMHCOKS-IroECd5DxVFTFIPHjmmEuc\/s16000\/DevTools%2520showing%2520captured%2520Google%2520Sheets%2520tab%2520with%2520sensitive%2520data%2520%28Source%2520-%2520Koi.Security%29.webp?ssl=1\")
Technical Implementation and Evasion Mechanisms<\/strong><\/h2>\n
matches: [\"http:\/\/*\/*\", \"https:\/\/*\/*\"]<\/code> pattern.<\/p>\nsetTimeout(() => {\n chrome.runtime.sendMessage({action: 'captureViewport'});\n}, 1100);<\/code><\/pre>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjb8VEVg-o2gPwwNdbnIPPAZoVAJSnH0DTmAL_Hxsxd8c60xl9r2UTJMFYX1zXmx4ZQHszwoOEnjYQ4iX0tNCx-V5q5SdbpP7Yj3EepEQruKXRbMatmcz2IqLhrKtzFweAZlx0RIZKZZYWSdxi27EKHYA2pHxEFYls8-yzmFjSRpaNT6wI34RLjXIYGuEw\/s16000\/%27Scan%2520with%2520AI%27%2520click%2520redirect%2520to%2520aitd%255B.%255Done%2520site%2520%28Source%2520-%2520Koi.Security%29.webp?ssl=1\")
chrome.tabs.captureVisibleTab()<\/code> API, automatically transmitting captured images to aitd[.]one\/brange.php<\/code> alongside page URLs, tab identifiers, and unique user tracking codes.<\/p>\n<all_urls><\/code>, tabs<\/code>, and scripting<\/code> permissions, creating a comprehensive surveillance framework that extends far beyond legitimate VPN<\/a> functionality requirements and enables complete user activity monitoring.<\/p>\nBoost\u00a0your\u00a0SOC and help your team protect your business with free top-notch threat intelligence:\u00a0Request TI Lookup Premium Trial<\/a>.<\/code><\/strong><\/p>\n