Tool Access 11
Tool Access 11 is a malicious Google Chrome extension identified by Socket’s Threat Research Team as one of five extensions in a coordinated campaign targeting enterprise HR/ERP platforms, particularly Workday; the same campaign has also been associated with broader targeting of NetSuite and SAP SuccessFactors customers. It was published under the developer name databycloud1104 and is identified in reporting as extension ID ijapakghdgckgblfgjobhcfglebbkebf. Socket assessed the five extensions as likely operated by the same threat actor based on shared behaviors, common API endpoint patterns, and an identical list of 23 security-related Chrome extensions that they monitor for.
Tool Access 11 masqueraded as a legitimate productivity or access-related browser add-on but was designed to disrupt incident response on Workday. Its primary documented behavior is blocking access to 44 specific Workday administrative and security-related pages. Reported targets include interfaces for authentication management, security proxy configuration, IP range management, and session control. When a victim attempted to open one of the targeted pages, the extension manipulated the DOM by setting document.body.innerHTML to an empty string, erasing the page contents, and then redirected the browser to a malformed URL ending in the invalid .htmld extension so that the browser displayed an error page. The effect was to keep administrators and defenders away from key remediation functions and to hinder detection and response.
Across the broader campaign, related extensions stole authentication cookies, relayed authenticated sessions to attacker-controlled infrastructure, enabled cookie injection for session hijacking, and in some cases used anti-analysis measures such as DisableDevtool. The campaign used command-and-control infrastructure associated with databycloud[.]com and software-access[.]com, with Socket specifically recommending blocking api[.]databycloud[.]com and api[.]software-access[.]com. The five extensions collectively accumulated roughly 2,300 installs before being reported and removed from the Chrome Web Store. High-confidence indicators directly associated with Tool Access 11 include its name, version 1.4 as cited in reporting, publisher databycloud1104, extension ID ijapakghdgckgblfgjobhcfglebbkebf, and its behavior of blocking 44 Workday administrative pages by wiping content and redirecting to malformed URLs.
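A defender-side hunt for the indicators described above, written here as an added example rather than code from Socket or from the extension itself. It walks a Chrome profile's unpacked Extensions directory and flags the known extension ID, content scripts scoped to Workday hosts (the "workday" substring match is an assumption, not a documented host list), scripts that pair a document.body.innerHTML wipe with a .htmld redirect, and references to the two C2 hosts; the sample extension tree it builds is constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Indicators taken from the reporting above
KNOWN_BAD_IDS = {"ijapakghdgckgblfgjobhcfglebbkebf"}
C2_HOSTS = ("api.databycloud.com", "api.software-access.com")
# Body wipe followed by a redirect to a malformed ".htmld" URL
WIPE_RE = re.compile(r"document\.body\.innerHTML\s*=\s*(''|\"\"|``)")
HTMLD_RE = re.compile(r"\.htmld\b")

def scan_extension(ext_dir: Path) -> dict:
    """Inspect one unpacked extension (<Extensions>/<id>/<version>/...)."""
    reasons = []
    if ext_dir.name in KNOWN_BAD_IDS:
        reasons.append("known malicious extension ID")
    for manifest in ext_dir.rglob("manifest.json"):
        data = json.loads(manifest.read_text(encoding="utf-8"))
        matches = [m for cs in data.get("content_scripts", []) for m in cs.get("matches", [])]
        if any("workday" in m.lower() for m in matches):  # assumption: host pattern heuristic
            reasons.append("content script scoped to Workday: " + ", ".join(matches))
    for js in ext_dir.rglob("*.js"):
        src = js.read_text(encoding="utf-8", errors="ignore")
        if WIPE_RE.search(src) and HTMLD_RE.search(src):
            reasons.append(f"{js.name}: body wipe + .htmld redirect")
        for host in C2_HOSTS:
            if host in src:
                reasons.append(f"{js.name}: references {host}")
    return {"id": ext_dir.name, "reasons": reasons}

def scan_profile(extensions_root: Path) -> list:
    """Return only extensions that raised at least one reason."""
    results = [scan_extension(d) for d in sorted(extensions_root.iterdir()) if d.is_dir()]
    return [r for r in results if r["reasons"]]

def demo() -> list:
    """Constructed sample profile: one benign and one suspicious unpacked extension."""
    root = Path(tempfile.mkdtemp())
    bad = root / "ijapakghdgckgblfgjobhcfglebbkebf" / "1.4_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({"content_scripts": [
        {"matches": ["*://*.myworkday.com/*"], "js": ["content.js"]}]}))
    (bad / "content.js").write_text('document.body.innerHTML = "";\n'
        'location.href = location.pathname + ".htmld";\nfetch("https://api.databycloud.com/x");')
    good = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "2.0_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "benign"}))
    return scan_profile(root)
```

On a real host, point scan_profile at the profile's Extensions directory (for example, Default/Extensions under the Chrome user data directory) instead of the constructed tree.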
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Malicious Chrome extension focused on disrupting Workday incident response by blocking access to specific administrative/security pages using DOM manipulation (blanking page content) and redirecting to an invalid URL to trigger an error page.
A malicious Chrome extension used to impede incident response by blocking/redirecting access to key security and account administration pages (password changes, 2FA management, audit logs), effectively preventing remediation actions.
Malicious Chrome extension used to impede incident response by manipulating the DOM to block/disable access to key Workday administrative and security management pages (e.g., session control, IP range management, security proxy configuration).