SOC Incident Toolkit

Madgicx Plus Ad Hijack Campaign

Tags: Madgicx, Session Hijacking, Meta Business Account Theft, Fake Ad Tools

A threat actor group is tricking Meta advertisers into installing fake Chrome extensions such as Madgicx Plus and SocialMetrics Pro. The extensions are presented as tools to optimize ads or unlock verification, but they steal login tokens and session cookies, which the attackers then use to hijack Meta Business and Ad accounts for profit.

Indicators of Compromise

Hashes (2)

eaebd30ad9860b54b076c3e1241fc59c2c7c86c7bf568c4a6fece9cda904e65c
7640907d54d5d76a25d19429968ff6b1d8fdae232b481df15d3cc47d1a224083

IPv4 (1)

185.245.104.195

Notes

<div class="content-body">
<span class="content-title">CONCLUSION</span>
<p class="content-description">The “Madgicx Plus Ad Hijack Campaign” is a sophisticated social engineering and extension-based threat targeting Meta advertisers. Attackers impersonate ad optimization tools (e.g. the fake “Madgicx Plus” or “SocialMetrics Pro”) to get victims to install malicious Chrome extensions. These extensions steal session cookies and access tokens, enabling account hijack and abuse of Meta Business and Ads assets. The campaign uses polished websites, domain reuse, and bypass techniques to appear legitimate.</p>
<p class="content-description">Defenders need more than reactive measures. They must monitor threat actor behavior, track malicious infrastructure, detect unusual session or ad account activity, and enforce strict extension policies.</p>
<p class="content-description">SOCRadar’s platform helps organizations respond more effectively. For example:</p>
<ul>
<li><p class="content-description"><span class="content-title">SOCRadar LABS</span> offers a Campaigns feed (SOCRadar Labs → Campaigns) that tracks active campaigns like this one, giving early warning on infrastructure, IOCs, and actor TTPs (<a href="https://socradar.io/labs/campaigns/">SOCRadar LABS Campaigns</a>).</p></li>
<li><p class="content-description">The <span class="content-title">Cyber Threat Intelligence</span> module provides enriched IOCs, threat actor tracking, and operational intelligence that can be applied directly to detection and response: for instance, identifying fake extension names, monitoring suspicious domains, and correlating them with session hijacks (<a href="https://socradar.io/products/cyber-threat-intelligence/">SOCRadar Cyber Threat Intelligence</a>).</p></li>
</ul>
<p class="content-description">By combining SOCRadar’s intelligence with strong internal controls (extension governance, session monitoring, least privilege), organizations can reduce risk, shorten detection time, and respond more proactively to campaigns like Madgicx Plus.</p>
</div>

Mitigation

<div class="content-container">
<div>
<table>
<colgroup><col><col><col></colgroup>
<tbody>
<tr><th>ID</th><th>Mitigation</th><th>Description</th></tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1047">M1047</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1047">Audit</a></p></td>
<td>
<p>Review authentication logs to ensure that mechanisms such as enforcement of MFA are functioning as intended.</p>
<p>Periodically review the hybrid identity solution in use for any discrepancies. For example, review all Pass Through Authentication (PTA) agents in the Azure Management Portal to identify any unwanted or unapproved ones.<a href="https://www.mandiant.com/resources/detecting-microsoft-365-azure-active-directory-backdoors">[6]</a> If AD FS is in use, review DLLs and executable files in the AD FS and Global Assembly Cache directories to ensure that they are signed by Microsoft. Note that in some cases binaries may be catalog-signed, which can make the file appear unsigned when viewing file properties.<a href="https://www.microsoft.com/security/blog/2022/08/24/magicweb-nobeliums-post-compromise-trick-to-authenticate-as-anyone/">[7]</a></p>
<p>Periodically review for new and unknown network provider DLLs within the Registry (<code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;NetworkProviderName&gt;\NetworkProvider\ProviderPath</code>). Ensure only valid network provider DLLs are registered. The names of these providers are listed in the Registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order</code>, and each has a corresponding service subkey pointing to a DLL at <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;NetworkProviderName&gt;\NetworkProvider</code>.</p>
</td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1032">M1032</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1032">Multi-factor Authentication</a></p></td>
<td><p>Integrating multi-factor authentication (MFA) as part of organizational policy can greatly reduce the risk of an adversary gaining control of valid credentials that may be used for additional tactics such as initial access, lateral movement, and collecting information. MFA can also be used to restrict access to cloud resources and APIs.</p></td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1028">M1028</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1028">Operating System Configuration</a></p></td>
<td>
<p>Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory (<code>C:\Windows\System32\</code>) of a domain controller and/or local computer, with a corresponding entry in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages</code>.</p>
<p>Starting in Windows 11 22H2, the <code>EnableMPRNotifications</code> policy can be disabled through Group Policy or through a configuration service provider to prevent Winlogon from sending credentials to network providers.<a href="https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-windowslogon">[8]</a></p>
</td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1027">M1027</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1027">Password Policies</a></p></td>
<td><p>Ensure that the <code>AllowReversiblePasswordEncryption</code> property is set to disabled unless there are application requirements.<a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption">[9]</a></p></td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1026">M1026</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1026">Privileged Account Management</a></p></td>
<td>
<p>Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account.<a href="https://technet.microsoft.com/en-us/library/dn535501.aspx">[10]</a><a href="https://technet.microsoft.com/en-us/library/dn487450.aspx">[11]</a> These audits should also check whether default accounts have been enabled, or whether new local accounts have been created that have not been authorized. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers.</p>
<p>Limit access to the root account and prevent users from modifying protected components through proper privilege separation (e.g. SELinux, grsecurity, AppArmor) and by limiting Privilege Escalation opportunities.</p>
</td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1025">M1025</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1025">Privileged Process Integrity</a></p></td>
<td><p>Enable features such as Protected Process Light (PPL) for LSA.<a href="https://technet.microsoft.com/en-us/library/dn408187.aspx">[13]</a></p></td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1022">M1022</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1022">Restrict File and Directory Permissions</a></p></td>
<td><p>Restrict write access to the <code>/Library/Security/SecurityAgentPlugins</code> directory.</p></td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1024">M1024</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1024">Restrict Registry Permissions</a></p></td>
<td><p>Restrict Registry permissions to disallow the modification of sensitive Registry keys such as <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order</code>.</p></td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1018">M1018</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1018">User Account Management</a></p></td>
<td><p>Ensure that proper policies are implemented to dictate the secure enrollment and deactivation of authentication mechanisms, such as MFA, for user accounts.</p></td>
</tr>
</tbody>
</table>
</div>
<div>
<table>
<colgroup><col><col><col></colgroup>
<tbody>
<tr><th>ID</th><th>Mitigation</th><th>Description</th></tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1047">M1047</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1047">Audit</a></p></td>
<td><p>Ensure that the extensions installed are the intended ones, as many malicious extensions masquerade as legitimate ones.</p></td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1038">M1038</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a></p></td>
<td><p>Set an extension allow or deny list as appropriate for your security policy.</p></td>
</tr>
<tr>
<td><p><a href="https://attack.mitre.org/mitigations/M1033">M1033</a></p></td>
<td><p><a href="https://attack.mitre.org/mitigations/M1033">Limit Software Installation</a></p></td>
<td><p>Ensure only authorized software can be installed in the environment. Implement a software inventory listing that includes all approved and unapproved software.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
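The two extension controls in the second table (audit installed extensions, enforce an allow list) in practice, as an added example that is not part of this page or SOCRadar's tooling: the script audits extension manifests against an approved list and flags any extension that combines the cookies permission with host access to Meta ad-platform domains, the combination the campaign's extensions need in order to lift session cookies, and then emits a Chrome ExtensionSettings policy that enforces the allow list. The manifests, extension ids, allow list and watched hosts are constructed placeholders; the policy keys follow Chrome's documented ExtensionSettings schema.

```python
# Constructed sample manifests standing in for each installed extension's manifest.json
# (Chrome keeps them under <profile>/Extensions/<id>/<version>/). Ids are placeholders, not
# the campaign's real extension ids; the names mirror the lures the page describes.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Corporate SSO Helper", "manifest_version": 3,
        "permissions": ["storage"], "host_permissions": ["https://sso.example.com/*"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Madgicx Plus", "manifest_version": 3,
        "permissions": ["cookies", "storage", "webRequest"],
        "host_permissions": ["https://*.facebook.com/*", "https://business.facebook.com/*"]},
    "cccccccccccccccccccccccccccccccc": {"name": "SocialMetrics Pro", "manifest_version": 2,
        "permissions": ["cookies", "<all_urls>"]},
}
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # extension ids approved by policy (constructed)
WATCHED_HOSTS = ["facebook.com", "business.facebook.com", "instagram.com"]  # where ad sessions live

def host_patterns(manifest):
    """Match patterns from MV3 'host_permissions' plus host-style entries in MV2 'permissions'."""
    pats = list(manifest.get("host_permissions", []))
    return pats + [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]

def covers_watched_host(pattern):
    """True if a Chrome match pattern reaches any watched ad-platform domain."""
    if pattern == "<all_urls>":
        return True
    host = pattern.split("://", 1)[-1].split("/", 1)[0]   # e.g. '*.facebook.com'
    base = host[2:] if host.startswith("*.") else host    # '*.x.com' matches x.com itself too
    return base == "*" or any(h == base or h.endswith("." + base) for h in WATCHED_HOSTS)

def audit_extensions(manifests, allowlist):
    """Return {ext_id: [reasons]} for extensions outside the allow list or shaped like cookie stealers."""
    findings = {}
    for ext_id, m in manifests.items():
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if "cookies" in m.get("permissions", []) and any(covers_watched_host(p) for p in host_patterns(m)):
            reasons.append("cookies permission scoped to ad-platform hosts")
        if reasons:
            findings[ext_id] = reasons
    return findings

def extension_settings_policy(allowlist):
    """Chrome 'ExtensionSettings' policy: block every extension except the allow list, and make the
    'cookies' API a blocked permission by default so look-alike extensions cannot read session cookies."""
    policy = {"*": {"installation_mode": "blocked", "blocked_permissions": ["cookies"]}}
    for ext_id in sorted(allowlist):
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy
```

On a real endpoint, feed `audit_extensions` the parsed manifest.json of each directory under the profile's Extensions folder and deploy the returned policy dict as the managed ExtensionSettings value.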