← Threat Library
medium account takeover chrome

Captain Products Ad Network

Long-clean Chrome extensions bought through developer-account handoffs, then updated to inject an ad banner beaconing to a throwaway Cloudflare Worker. Eight confirmed carriers (~560k installs); every banner funnels users to one clean 200k-install extension that is the network's real payout.

Disclosed July 5, 2026
Blast radius ~560,000 users across 8 extensions
Status mixed

Overview

Eight Chrome extensions, long clean, were bought through developer-account handoffs and then updated to serve ads. The code that made each extension useful stayed the same. One extra script arrived through the normal auto-update channel and started beaconing to a throwaway Cloudflare Worker at ext-ads-mvp.captain-products.workers.dev.

The largest carrier, Dark Mode Google Docs, had 500,000 installs and shipped clean builds for years. Its 4.9.68 release added the ad days after the account changed hands. The other seven follow the same shape at smaller scale.

How it works

This is the acquisition play, not a from-scratch malware build. Buying an extension that already has the installs skips store review, skips the cold-start problem, and inherits every permission users granted the previous owner. The buyer pushes one update through a pipe that had only ever delivered bug fixes.

The capitan.ext.dev developer account is the tell (capitan / captain-products), and it owns one carrier directly. The rest sit under a spray of throwaway Gmail accounts with ownership transfers clustered in March and April 2026.

Payload

On Dark Mode Google Docs the payload is a popup ad. A bundled banner.js renders a banner into the extension's own popup, POSTs an impression to the C2 when shown, POSTs a click when tapped, then opens a hardcoded landing page. The beacon carries only a banner id and a timestamp. No browsing history, no page content, no credentials. Other carriers ship an ads-platform/scripts/tracking.js variant against the same C2 and the same jivo affiliate id partner_id=49587.

It is adware, not spyware. The concern is what sits behind it: these extensions hold <all_urls> and scripting permissions for their legitimate features, and the ad framework's endpoint and destination are config values. Escalating from a banner to page injection is a small edit and another silent update away.

The beneficiary

Every banner in the network cross-promotes YouTube To Text (apnedodbofogffiagpekmbeflilkcbgf, ~200,000 installs). Its own package is clean and carries no payload. It is the destination the whole ring exists to pump traffic toward, which makes it the most valuable node and the one least likely to be inspected.

Store status

As of 2026-07-05, Google has removed two carriers: Dark Mode Google Docs (500k) and Screen recorder (4k). The other six are still live and installable. Existing installs keep running regardless, since Chrome does not auto-uninstall.

Full analysis

Version diff, the payload code, and the live per-extension status: Dark Mode Google Docs Was Clean. Then It Changed Hands.

Affected extensions (8)

NameStoreIDMalicious versionArchived
Dark Mode Google Docs
View analysis
chromeiabnclnclchijjckhdljmocghgmgnnii4.9.68yes
Chatgpt PDF | Ask your pdf
View analysis
chromeehfkleckcppfceemdamfiohancgjglhk1.4.2, 1.4.6no
VPN for Discord
View analysis
chromecpmminfjchfmlnoncniejplodncncoon0.0.4, 0.0.8no
Spell Check
View analysis
chromefclhkdjekjcalnjjkoohgcgbgpihlahf1.0.1no
HEIC to JPG Converter
View analysis
chromefhhnbmkllifmckbpacekbajjhhonakci2.2, 2.6no
Image Converter
View analysis
chromegjhalfmdneljejledkcljfeaapgppbhl1.3, 1.6no
AI Grammar Checker
View analysis
chromemkdobhlbckbmhkclkoagfgbnholndbcl1.0.1no
Screen recorder
View analysis
chromeaohfenpemkefcdchmonkodnkdnkejegd3.1.12no

Indicators of compromise (8)

domainext-ads-mvp.captain-products.workers.devC2 beacon, impression/click telemetry
domaincaptain-products.workers.devC2 parent (Cloudflare Worker)
domaintext.ruaffiliate landing (RU-targeted)
domainjivo.ruaffiliate partner_id=49587
domainnethouse.ruaffiliate landing (RU-targeted)
ext_idmolkadplffcfnfaaapdlhionhggonekmDark Mode Chrome, cross-promo destination
ext_idapnedodbofogffiagpekmbeflilkcbgfYouTube To Text, 200k-install beneficiary (clean package)
sha2562f66c07a4ec0fa85a4e122bb33eb88faca302fa43e1dd44965e64023cbb46fa2samplebanner.png, Dark Mode Google Docs 4.9.68 popup ad image

Sources