Inside Bitdefender Labs’ Investigation of a Malicious Facebook Ad Campaign Targeting Bitwarden Users
ID: af4de0cb-e56e-5ac2-a82f-895ee0e87859
STIX ID: report--af4de0cb-e56e-5ac2-a82f-895ee0e87859
Feed Name: Bitdefender Labs
Bitdefender Labs details a malvertising campaign on Facebook that impersonates Bitwarden to coax users into sideloading a malicious Chrome extension (distributed via Google Drive). The extension requests extensive permissions, harvests Facebook cookies, business/ad account and billing details, collects IP/geolocation data, and exfiltrates information to a Google Script C2. Thousands of users have been served, and the campaign has the potential to scale globally. The report includes manifest and script artifacts, attack steps, detection ideas, and user mitigation advice.
