MITRE ATT&CK Technique
T1176: Software Extensions (Persistence)
Description

Adversaries may abuse software extensions to establish persistent access to victim systems. Software extensions are modular components that enhance or customize the functionality of software applications, including web browsers, Integrated Development Environments (IDEs), and other platforms.(Citation: Chrome Extension C2 Malware)(Citation: Abramovsky VSCode Security) Extensions are typically installed via official marketplaces, app stores, or manually loaded by users, and they often inherit the permissions and access levels of the host application.

Malicious extensions can be introduced through various methods, including social engineering, compromised marketplaces, or direct installation by users or by adversaries who have already gained access to a system. Malicious extensions can be named similarly or identically to benign extensions in marketplaces. Security mechanisms in extension marketplaces may be insufficient to detect malicious components, allowing adversaries to bypass automated scanners or exploit trust established during the installation process. Adversaries may also abuse benign extensions to achieve their objectives, such as using legitimate functionality to tunnel data or bypass security controls.

The modular nature of extensions and their integration with host applications make them an attractive target for adversaries seeking to exploit trusted software ecosystems. Detection can be challenging due to the inherent trust placed in extensions during installation and their ability to blend into normal application workflows.
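The description above points at two things a defender can actually inventory: which extensions are installed, and what permissions the host application has granted them. The following Python script is an added example (it is not part of the ATT&CK page and not MITRE's tooling) that triages Chrome extension manifests against an allowlist, flags lookalike names (the "named similarly or identically to benign extensions" case), and reports broad host access and high-risk API permissions. The sample manifests, the allowlist, and the permission policy are constructed assumptions to be tuned per environment; the on-disk layout `Extensions/<id>/<version>/manifest.json` used by `load_profile_manifests` is the standard Chrome profile layout.

```python
"""Triage installed Chrome extensions against an allowlist and a permission policy.

Added example for the T1176 description; not MITRE's code. Manifests, allowlist
and the permission policy are constructed assumptions.
"""
import json
from pathlib import Path

# Chrome API permissions that grant broad access to traffic, credentials, other
# extensions or native code (assumed policy; tune per environment).
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "debugger", "nativeMessaging",
    "cookies", "proxy", "management", "scripting", "history",
}

# Allowlist keyed by extension ID (constructed IDs; real Chrome IDs are 32 chars a-p).
ALLOWLIST = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "Corporate Password Manager",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "Ad Blocker",
}

# Constructed manifests standing in for Extensions/<id>/<version>/manifest.json.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Corporate Password Manager", "version": "4.2.0",
        "permissions": ["storage", "tabs"], "host_permissions": ["https://*.example.com/*"],
    },
    # Same display name as an allowlisted extension, but a different ID.
    "cccccccccccccccccccccccccccccccc": {
        "manifest_version": 3, "name": "Corporate Password Manager", "version": "1.0",
        "permissions": ["cookies", "webRequest", "storage"], "host_permissions": ["<all_urls>"],
    },
    # Manifest V2: host match patterns live inside "permissions".
    "dddddddddddddddddddddddddddddddd": {
        "manifest_version": 2, "name": "PDF Helper", "version": "0.9",
        "permissions": ["nativeMessaging", "http://*/*", "https://*/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
}


def host_patterns(manifest):
    """Collect host match patterns from MV2 permissions, MV3 host_permissions and content scripts."""
    pats = [p for p in manifest.get("permissions", []) + manifest.get("host_permissions", [])
            if p == "<all_urls>" or "://" in p]
    for cs in manifest.get("content_scripts", []):
        pats.extend(cs.get("matches", []))
    return pats


def is_broad_host(pattern):
    """True for patterns covering every site: <all_urls> or a wildcard host under any scheme."""
    if pattern == "<all_urls>":
        return True
    _scheme, _, rest = pattern.partition("://")
    return rest.split("/", 1)[0] == "*"


def assess_extension(ext_id, manifest, allowlist=ALLOWLIST, risky=HIGH_RISK_PERMISSIONS):
    """Return a list of finding strings for one extension; an empty list means nothing to flag."""
    findings = []
    name = manifest.get("name", "")
    api_perms = {p for p in manifest.get("permissions", []) if p != "<all_urls>" and "://" not in p}
    if ext_id not in allowlist:
        findings.append("not on allowlist")
        # Lookalike: the display name of a trusted extension reused under a different ID.
        if name.strip().lower() in {n.lower() for n in allowlist.values()}:
            findings.append(f"name collides with allowlisted extension: {name!r}")
    risky_found = sorted(api_perms & risky)
    if risky_found:
        findings.append("high-risk permissions: " + ", ".join(risky_found))
    broad = sorted({p for p in host_patterns(manifest) if is_broad_host(p)})
    if broad:
        findings.append("broad host access: " + ", ".join(broad))
    return findings


def triage(manifests, allowlist=ALLOWLIST):
    """Map extension ID -> findings, omitting extensions with nothing to flag."""
    return {eid: f for eid, m in manifests.items() if (f := assess_extension(eid, m, allowlist))}


def load_profile_manifests(profile_dir):
    """Read manifest.json for every installed extension version under a Chrome profile directory."""
    out = {}
    for mf in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        with mf.open(encoding="utf-8") as fh:
            out[mf.parent.parent.name] = json.load(fh)
    return out


if __name__ == "__main__":
    for eid, findings in triage(SAMPLE_MANIFESTS).items():
        print(eid, SAMPLE_MANIFESTS[eid]["name"])
        for f in findings:
            print("  -", f)
```

Run against a live profile by replacing `SAMPLE_MANIFESTS` with `load_profile_manifests(<profile dir>)`; the allowlist is keyed by ID rather than name precisely because the name is the field a lookalike copies. Names in real manifests may be the localized placeholder `__MSG_appName__`, in which case the collision check needs the resolved string from `_locales/`, which this example does not do.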

Supported Platforms
Linux, macOS, Windows
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2018-01-16T16:13:52.465Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may abuse software extensions to establish '
                'persistent access to victim systems. Software extensions are '
                'modular components that enhance or customize the '
                'functionality of software applications, including web '
                'browsers, Integrated Development Environments (IDEs), and '
                'other platforms.(Citation: Chrome Extension C2 '
                'Malware)(Citation: Abramovsky VSCode Security) Extensions are '
                'typically installed via official marketplaces, app stores, or '
                'manually loaded by users, and they often inherit the '
                'permissions and access levels of the host application. \n'
                '\n'
                '  \n'
                'Malicious extensions can be introduced through various '
                'methods, including social engineering, compromised '
                'marketplaces, or direct installation by users or by '
                'adversaries who have already gained access to a system. '
                'Malicious extensions can be named similarly or identically to '
                'benign extensions in marketplaces. Security mechanisms in '
                'extension marketplaces may be insufficient to detect '
                'malicious components, allowing adversaries to bypass '
                'automated scanners or exploit trust established during the '
                'installation process. Adversaries may also abuse benign '
                'extensions to achieve their objectives, such as using '
                'legitimate functionality to tunnel data or bypass security '
                'controls. \n'
                '\n'
                'The modular nature of extensions and their integration with '
                'host applications make them an attractive target for '
                'adversaries seeking to exploit trusted software ecosystems. '
                'Detection can be challenging due to the inherent trust placed '
                'in extensions during installation and their ability to blend '
                'into normal application workflows. ',
 'external_references': [{'external_id': 'T1176',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1176'},
                         {'description': 'Abramovsky, O. (2023, May 16). '
                                         'VSCode Security: Malicious '
                                         'Extensions Detected- More Than '
                                         '45,000 Downloads- PII Exposed, and '
                                         'Backdoors Enabled. Retrieved March '
                                         '30, 2025.',
                          'source_name': 'Abramovsky VSCode Security',
                          'url': 'https://blog.checkpoint.com/securing-the-cloud/malicious-vscode-extensions-with-more-than-45k-downloads-steal-pii-and-enable-backdoors/'},
                         {'description': 'Chris Ross. (2019, February 8). No '
                                         'Place Like Chrome. Retrieved April '
                                         '27, 2021.',
                          'source_name': 'xorrior chrome extensions macOS',
                          'url': 'https://www.xorrior.com/No-Place-Like-Chrome/'},
                         {'description': 'Kjaer, M. (2016, July 18). Malware '
                                         'in the browser: how you might get '
                                         'hacked by a Chrome extension. '
                                         'Retrieved September 12, 2024.',
                          'source_name': 'Chrome Extension C2 Malware',
                          'url': 'https://web.archive.org/web/20240608001937/https://kjaer.io/extension-malware/'}],
 'id': 'attack-pattern--389735f1-f21c-4208-b8f0-f8031e7169b8',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'persistence'}],
 'modified': '2025-10-24T17:48:39.525Z',
 'name': 'Software Extensions',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Chris Ross @xorrior',
                          'Justin Warner, ICEBRG',
                          'Manikantan Srinivasan, NEC Corporation India'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': False,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
 'x_mitre_version': '2.0'}