DataByCloud Campaign (malware extensions)
BLUF
A highly targeted campaign using five coordinated malicious Chrome extensions has emerged. The extensions impersonate enterprise HR and ERP utilities in order to hijack sessions and achieve full account takeover in Workday, NetSuite, and SuccessFactors environments.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by malicious browser extensions enabling ERP and HR session hijacking:
· Low-end total cost: $750,000 – $1.5M
o (Limited user exposure, rapid containment, no confirmed data misuse)
· Typical expected range: $2M – $4.5M
o (Multiple ERP users affected, operational disruption, compliance review required)
· Upper-bound realistic scenarios: $5M – $9M
o (Broad HR/finance access abuse, regulatory scrutiny, insurance impact)
Key Cost Drivers
· Number of ERP and HR users with compromised browser sessions
· Duration of undetected session hijacking activity
· Scope of financial or payroll system access achieved
· Regulatory classification of accessed employee or financial data
· Cyber insurance exclusions related to identity and browser-based attacks
Targeted Sectors
· Enterprise Finance
· Human Resources
· Corporate Administration
Countries
· Global
First Reported
· January 15, 2026
Most Recent Update
· January 16, 2026
APT names
· No publicly named groups have been directly associated with this activity.
Criminal organization names
Unknown threat actor group publishing under the following publisher names:
· Databycloud1104
· Software Access
TTPs
· T1566 Phishing
o Adversaries use the Chrome Web Store and third-party software sites to host malicious extensions that masquerade as legitimate "premium tools" for enterprise platforms.
· T1176 Browser Extensions
o The primary delivery mechanism is the installation of malicious browser add-ons to achieve persistence and execute malicious code within the user's browser.
· T1539 Steal Web Session Cookie
o The extensions exfiltrate authentication cookies for targeted enterprise domains (e.g., SuccessFactors, NetSuite) to a remote server every 60 seconds.
· T1550.004 Use Alternate Authentication Material: Web Session Cookie
o Stolen cookies are used to facilitate session hijacking via cookie injection, allowing attackers to bypass multi-factor authentication (MFA) and access enterprise accounts.
· T1056.002 Input Capture: GUI Input Capture
o The malware manipulates the Document Object Model (DOM) tree to block security administration pages and potentially capture user interactions within the browser.
· T1071.001 Application Layer Protocol: Web Protocols
o The campaign utilizes standard HTTP/HTTPS traffic to communicate with its command-and-control (C2) infrastructure at api.databycloud[.]com.
· T1020 Automated Exfiltration
o The malicious extensions are configured to automatically transmit collected authentication data to the attacker's domain at regular intervals.
IOCs
Here is a list of the malicious extensions identified (Extension Name: Extension ID):
· DataByCloud 1: mbjjeombjeklkbndcjgmfcdhfbjngcam
· DataByCloud 2: makdmacamkifdldldlelollkkjnoiedg
· DataByCloud Access: oldhjammhkghhahhhdcifmmlefibciph
· Tool Access 11: ijapakghdgckgblfgjobhcfglebbkebf
· Software Access: bmodapcihjhklpogdpblefpepjolaoij
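An endpoint-side hunt for the IOCs above, added here as an example and not part of the original advisory or the Socket report: it walks a Chrome/Edge profile's Extensions directory, flags the five known IDs, and also flags any other extension that combines the cookies and webRequest permissions with host access to the targeted ERP/HR platforms, which is the capability pattern this campaign relies on. The default profile path, the domain list and the permission heuristic are assumptions for this example.

```python
import json
import sys
from pathlib import Path

# Extension IDs from this advisory's IOC list.
KNOWN_BAD_IDS = {
    "mbjjeombjeklkbndcjgmfcdhfbjngcam", "makdmacamkifdldldlelollkkjnoiedg",
    "oldhjammhkghhahhhdcifmmlefibciph", "ijapakghdgckgblfgjobhcfglebbkebf",
    "bmodapcihjhklpogdpblefpepjolaoij",
}
# Platforms the campaign targets; an unknown extension that asks for cookie and
# webRequest access scoped to these hosts shows the same capability pattern.
TARGET_DOMAINS = ("workday.com", "netsuite.com", "successfactors")
RISKY_PERMS = {"cookies", "webRequest"}

def assess_manifest(ext_id: str, manifest: dict) -> dict:
    """Return {"id", "name", "reasons"} for one manifest; empty reasons means clean."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions, MV2 mixes them into permissions.
    hosts = list(manifest.get("host_permissions", [])) + [
        p for p in perms if "://" in p or p == "<all_urls>"]
    scoped = any(h == "<all_urls>" or h.startswith("*://*/") or
                 any(d in h for d in TARGET_DOMAINS) for h in hosts)
    reasons = []
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("known DataByCloud extension ID")
    if RISKY_PERMS <= perms and scoped:
        reasons.append("cookies+webRequest scoped to ERP/HR hosts")
    return {"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons}

def scan_extensions_dir(ext_root: Path) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings."""
    findings = []
    for manifest_path in sorted(ext_root.glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip it rather than abort the sweep
        finding = assess_manifest(ext_id, manifest)
        if finding["reasons"]:
            findings.append(finding)
    return findings

if __name__ == "__main__":
    # Assumed default: Windows Chrome default profile; pass another path as argv[1].
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / (
        "AppData/Local/Google/Chrome/User Data/Default/Extensions")
    for f in scan_extensions_dir(root):
        print(f"{f['id']} ({f['name']}): {'; '.join(f['reasons'])}")
```

Point it at the Edge profile (`Microsoft/Edge/User Data/Default/Extensions`) or a mounted disk image to sweep other browsers or offline evidence.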
Delivery Methods
· Phishing emails and social engineering tactics are used to deliver these extensions, often impersonating legitimate HR or IT tools and promoting them as:
o "Access Utilities"
o "Productivity Boosters"
· The lures are built around ERP platforms such as:
o Workday
o NetSuite
Malware Name
· DataByCloud Stealer
Malware Family
· Session Hijacker / Token Stealer
SHA256
· 30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371
Verdict
· Malicious (Critical)
Primary Objectives
· Steal authentication tokens
· Impede incident response
· Facilitate account takeover
Behavior Analysis
· The extensions cooperate, with some potentially blocking security reporting and others exfiltrating cookies using the webRequest API.
ERP Vulnerability Context
The campaign exploits the trusted nature of cloud-based ERP systems. Relevant SAP patches from January 2026 include:
CVE-2026-0498
CVSS 3.1
· (9.1) AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Nessus ID
· No Tenable plugin has been created for CVE-2026-0498 at this time
Is CVE-2026-0498 on the KEV list?
· No
What is the CISA patch by date?
· Not applicable
CVE-2026-0491
CVSS 3.1
· (9.1) AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Nessus ID
· No Tenable plugin has been created for CVE-2026-0491 at this time
Is CVE-2026-0491 on the KEV list?
· No
What is the CISA patch by date?
· Not applicable
Suggested Rules / potential hunts
As a reminder, these are indicator rules and are likely to be noisy.
For best results, consider creating a data model and reviewing the traffic as a report.
Suricata
Detect command-and-control (C2) traffic to the identified malicious domains: api.databycloud.com and api.software-access.com.
C2 Traffic Alert
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DataByCloud Campaign C2 Domain Access"; flow:established,to_server; http.host; content:"api.databycloud.com"; classtype:trojan-activity; sid:1000001; rev:1;)
Cookie Exfiltration (POST activity)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE DataByCloud Exfiltration Activity (Bearer Token)"; flow:established,to_server; http.method; content:"POST"; http.header; content:"Authorization: Bearer "; content:"X-Version: "; classtype:trojan-activity; sid:1000002; rev:1;)
SentinelOne
Search for the installation and persistence of the specific extension IDs on Windows and macOS endpoints.
Hunt for Extension Installation (File Paths)
ObjectType = "File" AND (FilePath contains "mbjjeombjeklkbndcjgmfcdhfbjngcam" OR FilePath contains "makdmacamkifdldldlelollkkjnoiedg" OR FilePath contains "oldhjammhkghhahhhdcifmmlefibciph" OR FilePath contains "ijapakghdgckgblfgjobhcfglebbkebf" OR FilePath contains "bmodapcihjhklpogdpblefpepjolaoij")
Identify Browser Processes Sideloading the Extensions via Command Line (catches only unpacked extensions loaded with --load-extension, not Web Store installs)
ProcessName = "chrome.exe" AND Commandline contains "--load-extension" AND (Commandline contains "DataByCloud" OR Commandline contains "Software Access")
Splunk
Monitor for logs indicating the presence or installation of these extensions in an enterprise environment.
Hunt by Extension ID (Registry/File Logs)
index=main (source="*Google/Chrome/User Data/Default/Extensions*" OR source="*Microsoft/Edge/User Data/Default/Extensions*")
| search "mbjjeombjeklkbndcjgmfcdhfbjngcam" OR "makdmacamkifdldldlelollkkjnoiedg" OR "oldhjammhkghhahhhdcifmmlefibciph" OR "ijapakghdgckgblfgjobhcfglebbkebf" OR "bmodapcihjhklpogdpblefpepjolaoij"
Detect Blocking of Security Pages
Monitor for web traffic redirects or denied access to admin URLs like workday.com administrative paths.
index=proxy url="*workday.com*" (url="*security_policy*" OR url="*ip_range_management*") (status=404 OR status=403)
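Because the indicator rules above are noisy, a cadence check helps triage the exfiltration matches: the T1539 entry states the extensions post stolen cookies every 60 seconds, and the Suricata rule keys on the Bearer and X-Version headers. This added example (not from the advisory or any vendor) reads a JSON-lines proxy log, keeps only POSTs to the named C2 hosts that carry both headers, and reports source hosts whose median interval is about 60 s. The log format, the sample records and the thresholds are constructed assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

C2_HOSTS = {"api.databycloud.com", "api.software-access.com"}  # from the advisory
PERIOD_S, TOLERANCE_S, MIN_GAPS = 60, 5, 3  # 60 s cadence per the T1539 entry

def _rec(minute, second, src, host):
    """Build one constructed JSON-lines proxy record (sample data only)."""
    return json.dumps({"ts": f"2026-01-15T09:{minute:02d}:{second:02d}Z",
                       "src": src, "method": "POST", "host": host,
                       "hdrs": ["Authorization: Bearer <redacted>", "X-Version: 2"]})

# Constructed sample: .21 beacons every 60 s, .22 posts once, .23 hits a benign host.
SAMPLE_LOG = "\n".join(
    [_rec(m, 0, "10.0.4.21", "api.databycloud.com") for m in range(5)]
    + [_rec(2, 17, "10.0.4.22", "api.databycloud.com")]
    + [_rec(m, 30, "10.0.4.23", "cdn.example.net") for m in range(5)])

def matching_posts(log_text):
    """Yield (src, host, datetime) for POSTs to a C2 host carrying both headers."""
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        r = json.loads(raw)
        hdrs = r.get("hdrs", [])
        if (r.get("method") == "POST" and r.get("host") in C2_HOSTS
                and any(h.startswith("Authorization: Bearer ") for h in hdrs)
                and any(h.startswith("X-Version: ") for h in hdrs)):
            yield r["src"], r["host"], datetime.fromisoformat(r["ts"].replace("Z", "+00:00"))

def find_beacons(log_text):
    """Return {(src, host): median gap in s} where the POST cadence is ~PERIOD_S."""
    stamps = defaultdict(list)
    for src, host, ts in matching_posts(log_text):
        stamps[(src, host)].append(ts)
    hits = {}
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) >= MIN_GAPS and abs(median(gaps) - PERIOD_S) <= TOLERANCE_S:
            hits[key] = median(gaps)
    return hits

if __name__ == "__main__":
    for (src, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host}: POST every {gap:.0f} s with Bearer + X-Version")
```

The single POST from 10.0.4.22 still matches the header indicators and deserves a look, but it is not reported as a beacon; widen TOLERANCE_S if the implant adds jitter.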
Email Samples
Subject
· "Action Required: Update your Workday Access Tool"
Subject
· "New NetSuite Productivity Add-on for DataByCloud Users"
Header Indicators
· Suspicious X-Mailer headers suggesting automated sending and domains attempting to spoof databycloud[.]com
References
Socket Dev
· hxxps://socket.dev/blog/5-malicious-chrome-extensions-enable-session-hijacking
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-0498
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-0491
VirusTotal
· hxxps://www.virustotal.com/gui/file/30738450f69c3de74971368192a4a647e4ed9c658f076459e42683b110baf371