CL Suite
CL Suite (marketed as “CL Suite by @CLMasters,” Chrome extension ID: jkphinfhmfkckkcnifhjiplhfoiefffl) is a malicious Google Chrome extension posing as a Meta Business Suite/Facebook Business Manager utility (e.g., scraping Meta Business Suite data, removing verification pop-ups, and generating 2FA codes). Despite privacy-policy claims that 2FA secrets and Business Manager data remain local, the extension exfiltrates sensitive authentication material and business intelligence from meta.com and facebook.com.
High-confidence capabilities and behavior described:
- Credential/2FA material theft: exfiltrates Facebook/Meta TOTP seeds and current TOTP (2FA) codes; the 2FA generator module sends seed, code, Facebook username, and Facebook email to attacker infrastructure.
- Business data theft: exfiltrates Business Manager “People” data via CSV exports (names, email addresses, roles/permissions, access/status) and Business Manager analytics/intelligence (Business Manager IDs/names, linked ad accounts, connected pages/assets, and billing/payment configuration details). Includes an analytics module referenced as failsafe-bm-analytics.js.
- Telemetry/fingerprinting: collects tab URL(s), public IP address (via https://api.ipify.org?format=json), user agent, OS, timestamps, and Facebook account identifiers.
- Exfiltration and C2/infrastructure: sends stolen data to getauth[.]pro, including hardcoded endpoints https://getauth[.]pro/api/telemetry.php and https://getauth[.]pro/api/validate.php, and can forward formatted dumps to Telegram via https://getauth[.]pro/api/telegram_notify.php. Exfiltration uses a hardcoded bearer token API key: w7ZxKp3F8RtJmN5qL2yAcD9v.
- Operational/security notes: code uses empty try/catch blocks to suppress errors; dynamic analysis indicated getauth[.]pro/api/telemetry.php was live and enforced the bearer token. The report notes the risk persists after uninstall because stolen TOTP seeds and exported business intelligence remain with the attacker.
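The endpoints and bearer token listed above are usable as network indicators. The following is an added hunting example written for this page, not code from Socket's report or from Mallory: it scans a constructed JSON-lines HTTP log (the log shape, client addresses and timestamps are all made up here; real proxy formats differ) for requests to the getauth[.]pro endpoints or carrying the hardcoded bearer token, and treats api.ipify.org lookups as low-severity context that only matters when the same client also talks to the C2 domain. Domains are refanged for matching.

```python
"""Hunt for CL Suite exfiltration traffic in HTTP/proxy logs (added example).

Assumes a constructed JSON-lines log with one request per line carrying
"ts", "client", "method", "url" and a "headers" dict; adapt the field
names to your own proxy or EDR export. Indicator values come from the
write-up: the getauth[.]pro endpoints, the bearer token and the ipify call.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

C2_HOST = "getauth.pro"                     # defanged as getauth[.]pro in the write-up
C2_PATHS = {"/api/telemetry.php", "/api/validate.php", "/api/telegram_notify.php"}
C2_BEARER = "Bearer w7ZxKp3F8RtJmN5qL2yAcD9v"   # hardcoded API key from the write-up
IP_LOOKUP_HOST = "api.ipify.org"            # benign service; only meaningful when correlated

# Constructed sample log: two clients, one of them infected.
SAMPLE_LOG = """\
{"ts": "2025-03-05T10:00:01Z", "client": "10.0.0.5", "method": "GET", "url": "https://www.facebook.com/business/", "headers": {}}
{"ts": "2025-03-05T10:00:03Z", "client": "10.0.0.5", "method": "GET", "url": "https://api.ipify.org?format=json", "headers": {}}
{"ts": "2025-03-05T10:00:04Z", "client": "10.0.0.5", "method": "POST", "url": "https://getauth.pro/api/telemetry.php", "headers": {"authorization": "Bearer w7ZxKp3F8RtJmN5qL2yAcD9v"}}
{"ts": "2025-03-05T10:00:09Z", "client": "10.0.0.5", "method": "POST", "url": "https://getauth.pro/api/telegram_notify.php", "headers": {"authorization": "Bearer w7ZxKp3F8RtJmN5qL2yAcD9v"}}
{"ts": "2025-03-05T10:01:00Z", "client": "10.0.0.9", "method": "GET", "url": "https://api.ipify.org?format=json", "headers": {}}
{"ts": "2025-03-05T10:01:30Z", "client": "10.0.0.9", "method": "GET", "url": "https://business.facebook.com/", "headers": {}}
"""


def classify(event):
    """Return (severity, reason) for one request, or None if nothing matched."""
    parts = urlsplit(event["url"])
    host = parts.hostname or ""
    auth = event.get("headers", {}).get("authorization", "")
    if auth == C2_BEARER:
        return ("high", "hardcoded CL Suite bearer token")
    if host == C2_HOST:
        reason = "CL Suite C2 endpoint" if parts.path in C2_PATHS else "CL Suite C2 domain"
        return ("high", reason)
    if host == IP_LOOKUP_HOST:
        return ("low", "public IP lookup (benign on its own)")
    return None


def hunt(log_text):
    """Scan a JSON-lines log; return ({client: verdict}, {client: [hits]}).

    A client is 'infected' on any high-severity hit and 'review' if it only
    performed the public IP lookup, so the benign service alone never pages anyone.
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = classify(event)
        if hit:
            findings[event["client"]].append((event["ts"], hit[0], hit[1], event["url"]))
    verdicts = {}
    for client, hits in findings.items():
        severities = {h[1] for h in hits}
        verdicts[client] = "infected" if "high" in severities else "review"
    return verdicts, dict(findings)


if __name__ == "__main__":
    verdicts, findings = hunt(SAMPLE_LOG)
    for client, verdict in verdicts.items():
        print(f"{client}: {verdict}")
        for ts, sev, reason, url in findings[client]:
            print(f"  {ts} [{sev}] {reason}: {url}")
```

Running the block prints 10.0.0.5 as infected (one IP lookup plus two C2 posts) and 10.0.0.9 as review only. The bearer token is checked before the host so that a repackaged build pointing at a different domain but reusing the key is still caught.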
Infection vector / distribution:
- Distributed via the Chrome Web Store under developer alias “CLMasters” (registration email info@clmasters[.]pro). Reported first uploaded March 1, 2025 and last updated March 6, 2025; low install count at time of reporting (reported as ~28–33 users).
Targeting and impact:
- Targets Meta Business Suite / Facebook Business Manager users. The report states that it does not steal password-related information, but stolen TOTP seeds/codes can enable account takeover when combined with passwords obtained elsewhere (e.g., infostealer logs or credential dumps).
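Because the extension was distributed through the Chrome Web Store, the quickest host-side check is the extension ID and the strings named above. The following is an added example written for this page, not code from Socket or Mallory: it walks a Chrome profile's Extensions directory (Chrome's conventional `Extensions/<id>/<version>/` layout is assumed) and flags any install whose ID matches, whose files contain the getauth[.]pro domain or the bearer token, or which ships the failsafe-bm-analytics.js module. The sample tree it builds in a temporary directory is constructed here; the extension with ID bbbb... is a made-up fixture, included only to show that the string matches do not depend on the known ID.

```python
"""Scan a Chrome Extensions directory for CL Suite indicators (added example).

Assumes Chrome's usual on-disk layout <profile>/Extensions/<32-char id>/<version>/.
Indicator values (extension ID, domain, token, module filename) come from the
write-up; the sample tree below is constructed for demonstration.
"""
import json
import tempfile
from pathlib import Path

MALICIOUS_ID = "jkphinfhmfkckkcnifhjiplhfoiefffl"
IOC_STRINGS = ("getauth.pro", "w7ZxKp3F8RtJmN5qL2yAcD9v")   # domain refanged, bearer key
IOC_FILENAMES = {"failsafe-bm-analytics.js"}
SCAN_SUFFIXES = {".js", ".json", ".html"}


def scan_extensions_dir(root):
    """Return a list of findings, one per flagged <id>/<version> install."""
    findings = []
    for ext_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            reasons = set()
            if ext_dir.name == MALICIOUS_ID:
                reasons.add("known CL Suite extension ID")
            name = "(unknown)"
            manifest = ver_dir / "manifest.json"
            if manifest.is_file():
                try:
                    name = json.loads(manifest.read_text(encoding="utf-8", errors="replace")).get("name", name)
                except ValueError:
                    reasons.add("unparseable manifest.json")
            for path in ver_dir.rglob("*"):
                if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
                    continue
                rel = path.relative_to(ver_dir).as_posix()
                if path.name in IOC_FILENAMES:
                    reasons.add(f"known module filename {path.name}")
                text = path.read_text(encoding="utf-8", errors="replace")
                for ioc in IOC_STRINGS:
                    if ioc in text:
                        reasons.add(f"{ioc} in {rel}")
            if reasons:
                findings.append({"ext_id": ext_dir.name, "version": ver_dir.name,
                                 "name": name, "reasons": sorted(reasons)})
    return findings


def build_sample_tree(root):
    """Write a constructed Extensions/ tree: one benign install, the CL Suite ID,
    and a made-up re-IDed copy that still carries the bearer token."""
    def write(ext_id, version, name, files):
        d = Path(root) / ext_id / version
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "manifest_version": 3, "version": version.split("_")[0]}))
        for fname, body in files.items():
            (d / fname).write_text(body)
    write("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0_0", "Plain Notes", {"bg.js": "console.log('notes');"})
    write(MALICIOUS_ID, "1.2.0_0", "CL Suite", {"failsafe-bm-analytics.js": "const ENDPOINT='https://getauth.pro/api/telemetry.php';"})
    write("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "0.1_0", "BM Helper", {"core.js": "fetch(u,{headers:{Authorization:'Bearer w7ZxKp3F8RtJmN5qL2yAcD9v'}})"})


def demo():
    """Build the constructed tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_extensions_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['ext_id']} {f['version']} ({f['name']}): {', '.join(f['reasons'])}")
```

Point `scan_extensions_dir` at a real profile (for example `~/.config/google-chrome/Default/Extensions` on Linux) to hunt across a fleet; the ID match alone is enough for the published build, while the string and filename checks survive a re-upload under a new ID.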
Groups observed using it
1 distinct threat actor attributed by public researchers.
Socket’s Threat Research Team identified a malicious Google Chrome extension CL Suite by @CLMasters (extension ID jkphinfhmfkckkcnifhjiplhfoiefffl), that… exfiltrates TOTP seeds, 2FA codes, Business Manager contact lists, and analytics data to infrastructure controlled by the threat actor.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic:
- Reconnaissance: 3 techniques
- Initial Access: 1 technique
- Execution: 2 techniques
- Persistence: 2 techniques
- Defense Impairment: 1 technique
- Credential Access: 3 techniques
- Collection: 4 techniques. Evidence: "collects Facebook account identifiers, 2FA seeds and codes, CSV exports, tab URL, public IP, and user agent"; "transmits TOTP seeds and current one-time security codes"; "Steal TOTP seed... and 2FA code"
- Command and Control: 1 technique
- Exfiltration: 3 techniques. Evidence: "...transmits TOTP seeds and current one-time security codes ... to a backend at getauth[.]pro, with an option to forward the same payloads to a Telegram channel controlled by the threat actor."; "...transmitted to third-party backend infrastructure controlled by the extension operator"
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Malicious Chrome extension targeting Meta Business Suite/Facebook Business Manager users to exfiltrate TOTP seeds and current 2FA codes, Business Manager contact exports (“People” CSV), and analytics/asset/billing metadata to attacker-controlled infrastructure (and optionally Telegram).
A malicious Google Chrome extension targeting Meta Business Suite/Facebook Business Manager users. It advertises scraping and 2FA-code generation features, but covertly harvests and exfiltrates TOTP seeds and current 2FA codes (neutralizing MFA), plus Business Manager “People” exports and analytics/payment-related data. Exfiltration is sent to getauth[.]pro endpoints using a hardcoded bearer API key and can be mirrored to a threat-actor Telegram channel.
Malicious Chrome extension that steals business-related data (e.g., Meta Business Suite/Facebook Business Manager data), emails, and browsing history; masquerades as a productivity/scraping tool.