• Admin

Malicious Firefox Extension Used By Chinese To Spy On Tibetan Communities

Published: May 20, 2021 in our Security Fraud News & Alerts Newsletter.



Proofpoint researchers released a study involving a Mozilla Firefox extension, the Chinese Communist Party, and Tibetan organizations. This trio of entities came together after the study exposed that Chinese APT (advanced persistent threat) actors were using a malicious Firefox extension to spy on Tibetan groups. Their goal is to perform espionage and surveillance on Tibetan dissidents as part of a troubled history between the two countries.


Phishy Malicious Firefox Extension


This latest Chinese surveillance action starts by delivering a malicious Firefox extension via email phishing. Once downloaded, the extension gets control of a user’s Gmail account. That way, hackers supporting the espionage goals of the Chinese government can surveil Tibetan dissidents wherever they are and know what they’re communicating with fellow sympathizers via their Gmail accounts.


The phishing emails impersonate the “Tibetan Women’s Association” and contain a malicious URL masquerading as a link to a YouTube page. Users are sent to a fake “Adobe Flash Player Update” page telling them they need to install the Firefox extension. Once installed, the malicious extension begins the espionage targeting Gmail accounts. This Tibetan targeting brings to light the issue of how invasive and problematic browser extensions can be.



Is Timing Everything?


In particular, the timing of this APT campaign coincides with Adobe’s end-of-life for Flash, which can no longer run in browsers. Once installed, the malicious Firefox extension has access to browser tabs for all websites, including user data. It can also read, search and delete messages, and send and forward emails from the now compromised Gmail accounts.


A Proofpoint researcher comments, “Almost any other account password can be reset once attackers have access to someone's email account. Threat actors can also use compromised email accounts to send email from that account using the user's email signature and contact list, which makes those messages extremely convincing.”



As popular as browser extensions can be for gaming, productivity, shopping, and more, the problem of malicious extensions continues. Because of their massive user bases, these extensions are a tempting target for hackers. Using extensions can be risky business since the user can’t determine if they are downloading one that carries malware. There’s no guarantee an extension is virus free, and it may never be noticed by the user.


Extension-Less


The advice is to use browser extensions only if they’re absolutely necessary and to discontinue using Adobe Flash immediately. There are other options available that perform the same services as Flash but are much safer. Remember, an extension can be safe initially, but it can be automatically updated to become malicious, and the user is none the wiser. Take some time to go to your browser settings, whether it’s Chrome, Firefox, or Edge, and delete extensions you don’t need or aren’t using. If you’re not sure if one is needed, deactivate it. If you find yourself needing it, it’s easy to turn it back on.
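For Firefox, the review described above can also be scripted. The following is an added example, not code from Proofpoint or from this article: it lists user-installed extensions that hold the broad access described earlier (all websites, all tabs, Gmail). The field names are assumed from the layout of the `extensions.json` file in a Firefox profile, and the sample add-ons are constructed.

```python
import json

# Constructed sample shaped like a Firefox profile's extensions.json.
# Field names are assumed from that file's layout; the add-ons are invented.
SAMPLE = json.loads("""
{"addons": [
 {"id": "player-update@example.invalid", "type": "extension",
  "location": "app-profile", "active": true,
  "defaultLocale": {"name": "Media Player Update"},
  "userPermissions": {"permissions": ["tabs", "webRequest"],
                      "origins": ["<all_urls>"]}},
 {"id": "notes@example.invalid", "type": "extension",
  "location": "app-profile", "active": true,
  "defaultLocale": {"name": "Quick Notes"},
  "userPermissions": {"permissions": ["storage"], "origins": []}},
 {"id": "builtin@example.invalid", "type": "extension",
  "location": "app-builtin", "active": true,
  "defaultLocale": {"name": "Built-in helper"},
  "userPermissions": {"permissions": [], "origins": ["<all_urls>"]}},
 {"id": "dark@example.invalid", "type": "theme",
  "location": "app-profile", "active": true,
  "defaultLocale": {"name": "Dark"}, "userPermissions": null}
]}
""")

ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_addons(data):
    """Return user-installed extensions holding the broad access described above."""
    findings = []
    for addon in data.get("addons", []):
        # Skip themes, dictionaries and add-ons that ship with the browser.
        if addon.get("type") != "extension" or addon.get("location") != "app-profile":
            continue
        perms = addon.get("userPermissions") or {}
        origins = set(perms.get("origins") or [])
        reasons = []
        if origins & ALL_SITES:
            reasons.append("access to data on all websites")
        if any("mail.google.com" in origin for origin in origins):
            reasons.append("explicit access to Gmail")
        if "tabs" in (perms.get("permissions") or []):
            reasons.append("can see every open tab")
        if reasons:
            name = (addon.get("defaultLocale") or {}).get("name") or addon.get("id")
            findings.append({"id": addon.get("id"), "name": name,
                             "enabled": bool(addon.get("active")), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_addons(SAMPLE):
        print(f["name"], f["id"], "enabled" if f["enabled"] else "disabled", f["reasons"])
```

To check a real profile, load its `extensions.json` with `json.load` and pass the result to `audit_addons`; anything listed that you do not recognise or need is a candidate for removal.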

