Inside Bitdefender Labs’ Investigation of a Malicious Facebook Ad Campaign Targeting Bitwarden Users

Bitdefender Labs reports an active 2024 malvertising campaign using Facebook ads to impersonate Bitwarden and lure users to sideload a malicious Chrome extension that harvests Facebook cookies, ad account and billing data, IP/geolocation, and other sensitive information, then exfiltrates it to a Google Script C2; the campaign leverages redirect chains, fake Chrome Web Store pages, and manual sideloading to bypass protections and has served ads to thousands of users in Europe with potential to scale globally.