Captain Products Ad Network
Long-clean Chrome extensions bought through developer-account handoffs, then updated to inject an ad banner beaconing to a throwaway Cloudflare Worker. Eight confirmed carriers (~560k installs); every banner funnels users to one clean 200k-install extension that is the network's real payout.
Overview
Eight Chrome extensions, long clean, were bought through developer-account handoffs and then updated to serve ads. The code that made each extension useful stayed the same. One extra script arrived through the normal auto-update channel and started beaconing to a throwaway Cloudflare Worker at ext-ads-mvp.captain-products.workers.dev.
The largest carrier, Dark Mode Google Docs, had 500,000 installs and shipped clean builds for years. Its 4.9.68 release added the ad days after the account changed hands. The other seven follow the same shape at smaller scale.
How it works
This is the acquisition play, not a from-scratch malware build. Buying an extension that already has the installs skips store review, skips the cold-start problem, and inherits every permission users granted the previous owner. The buyer pushes one update through a pipe that had only ever delivered bug fixes.
The capitan.ext.dev developer account is the tell (capitan / captain-products), and it owns one carrier directly. The rest sit under a spray of throwaway Gmail accounts with ownership transfers clustered in March and April 2026.
Payload
On Dark Mode Google Docs the payload is a popup ad. A bundled banner.js renders a banner into the extension's own popup, POSTs an impression to the C2 when shown, POSTs a click when tapped, then opens a hardcoded landing page. The beacon carries only a banner id and a timestamp. No browsing history, no page content, no credentials. Other carriers ship an ads-platform/scripts/tracking.js variant against the same C2 and the same jivo affiliate id partner_id=49587.
It is adware, not spyware. The concern is what sits behind it: these extensions hold <all_urls> and scripting permissions for their legitimate features, and the ad framework's endpoint and destination are config values. Escalating from a banner to page injection is a small edit and another silent update away.
The beneficiary
Every banner in the network cross-promotes YouTube To Text (apnedodbofogffiagpekmbeflilkcbgf, ~200,000 installs). Its own package is clean and carries no payload. It is the destination the whole ring exists to pump traffic toward, which makes it the most valuable node and the one least likely to be inspected.
Store status
As of 2026-07-05, Google has removed two carriers: Dark Mode Google Docs (500k) and Screen recorder (4k). The other six are still live and installable. Existing installs keep running regardless, since Chrome does not auto-uninstall.
Full analysis
Version diff, the payload code, and the live per-extension status: Dark Mode Google Docs Was Clean. Then It Changed Hands.
Affected extensions (8)
| Name | Store | ID | Malicious version | Archived |
|---|---|---|---|---|
| Dark Mode Google Docs View analysis | chrome | iabnclnclchijjckhdljmocghgmgnnii | 4.9.68 | yes |
| Chatgpt PDF | Ask your pdf View analysis | chrome | ehfkleckcppfceemdamfiohancgjglhk | 1.4.2, 1.4.6 | no |
| VPN for Discord View analysis | chrome | cpmminfjchfmlnoncniejplodncncoon | 0.0.4, 0.0.8 | no |
| Spell Check View analysis | chrome | fclhkdjekjcalnjjkoohgcgbgpihlahf | 1.0.1 | no |
| HEIC to JPG Converter View analysis | chrome | fhhnbmkllifmckbpacekbajjhhonakci | 2.2, 2.6 | no |
| Image Converter View analysis | chrome | gjhalfmdneljejledkcljfeaapgppbhl | 1.3, 1.6 | no |
| AI Grammar Checker View analysis | chrome | mkdobhlbckbmhkclkoagfgbnholndbcl | 1.0.1 | no |
| Screen recorder View analysis | chrome | aohfenpemkefcdchmonkodnkdnkejegd | 3.1.12 | no |
Indicators of compromise (8)
| domain | ext-ads-mvp.captain-products.workers.dev | C2 beacon, impression/click telemetry | |
| domain | captain-products.workers.dev | C2 parent (Cloudflare Worker) | |
| domain | text.ru | affiliate landing (RU-targeted) | |
| domain | jivo.ru | affiliate partner_id=49587 | |
| domain | nethouse.ru | affiliate landing (RU-targeted) | |
| ext_id | molkadplffcfnfaaapdlhionhggonekm | Dark Mode Chrome, cross-promo destination | |
| ext_id | apnedodbofogffiagpekmbeflilkcbgf | YouTube To Text, 200k-install beneficiary (clean package) | |
| sha256 | 2f66c07a4ec0fa85a4e122bb33eb88faca302fa43e1dd44965e64023cbb46fa2 | sample | banner.png, Dark Mode Google Docs 4.9.68 popup ad image |