databycloud1104

databycloud1104 is the publisher name associated with four malicious Google Chrome extensions used in a coordinated campaign targeting enterprise users of major HR and financial platforms, including Workday, NetSuite, and SuccessFactors. The extensions masquerade as productivity tools but are designed to steal authentication tokens and cookies, repeatedly refresh stolen session material, and enable session hijacking and full account takeover. Reported capabilities include bidirectional cookie injection, allowing attackers to inject stolen authentication cookies into their own browsers and access victim accounts without passwords, including bypass of multi-factor authentication. Some extensions reportedly extract session tokens every 60 seconds to keep stolen credentials current. The campaign also includes active defense evasion and response inhibition: the extensions use DOM manipulation and high-frequency MutationObserver checks to monitor pages and blank or redirect administrative security pages, preventing actions such as password resets, account deactivation, MFA device management, and access to security audit logs. Specific examples cited include Tools Access 11 blocking 44 Workday administrative pages and Data By Cloud 2 blocking 56. A fifth related extension, branded softwareaccess, is described as sharing identical infrastructure patterns and attack mechanisms with the databycloud1104-published extensions. Collectively, the five extensions reportedly reached more than 2,300 users. Based on the provided content, this is a financially or operationally motivated malicious extension campaign; no nation-state attribution is stated.