Malicious Chrome Extension 'CL Suite' Steals Meta Business

Chrome Extension Targets Meta Business Accounts

Security researchers have discovered a malicious Chrome extension called "CL Suite" that specifically targets Meta Business Manager users, stealing TOTP two-factor authentication seeds, business analytics data, and personnel information — effectively neutralizing 2FA protections entirely.

Attack Overview

Attribute	Details
Extension Name	CL Suite
Target	Meta Business Manager users
Data Stolen	TOTP 2FA seeds/codes, Business "People" CSV exports, Business Manager analytics
Exfiltration Endpoints	getauth[.]pro, Telegram channel
Impact	Complete 2FA bypass, business account takeover

How It Works

TOTP 2FA Seed Theft

The most dangerous capability is intercepting TOTP seeds during 2FA setup or re-authentication:

The extension monitors page content for TOTP seed values
Intercepts QR code data or secret key during setup
Exfiltrates the seed to attacker infrastructure

With the TOTP seed, attackers can generate valid 2FA codes at will, completely bypassing two-factor authentication.

Meta Business Data Harvesting

Beyond 2FA theft, the extension harvests:

People CSV exports — Employee names, roles, emails, permission levels
Business Manager analytics — Ad spend, campaign performance, audience insights, revenue data

Exfiltration

All stolen data is sent to:

getauth[.]pro — Purpose-built C2 domain for 2FA seeds and business data
Telegram channel — Real-time attacker notifications when new data is captured

Why This Is Dangerous

Meta Business Manager accounts often control large advertising budgets (sometimes millions of dollars), company pages with significant followings, and customer data from lead generation campaigns. Account takeover can lead to unauthorized ad spend, brand damage, and data breaches.

Software-based TOTP is vulnerable when the seed can be intercepted at the browser level — this extension demonstrates that browser extensions operate at a privileged level that can observe and modify any web page content.

Protection Recommendations

Audit Chrome extensions — Review all installed extensions in chrome://extensions
Use hardware security keys — FIDO2/WebAuthn keys (YubiKey, Titan Key) are immune to seed theft
Implement extension allowlisting via Chrome enterprise policies
Rotate 2FA seeds — If you suspect compromise, disable and re-enable 2FA
Review Meta Business access — Check the "People" section for unauthorized users
Separate browsing profiles — Use a dedicated profile for business account management
Monitor network traffic — Block connections to getauth[.]pro

Sources

Chrome Extension Targets Meta Business Accounts

Attack Overview

Attribute	Details
Extension Name	CL Suite
Target	Meta Business Manager users
Data Stolen	TOTP 2FA seeds/codes, Business "People" CSV exports, Business Manager analytics
Exfiltration Endpoints	getauth[.]pro, Telegram channel
Impact	Complete 2FA bypass, business account takeover

How It Works

TOTP 2FA Seed Theft

The most dangerous capability is intercepting TOTP seeds during 2FA setup or re-authentication:

The extension monitors page content for TOTP seed values
Intercepts QR code data or secret key during setup
Exfiltrates the seed to attacker infrastructure

With the TOTP seed, attackers can generate valid 2FA codes at will, completely bypassing two-factor authentication.

Meta Business Data Harvesting

Beyond 2FA theft, the extension harvests:

People CSV exports — Employee names, roles, emails, permission levels
Business Manager analytics — Ad spend, campaign performance, audience insights, revenue data

Exfiltration

All stolen data is sent to:

getauth[.]pro — Purpose-built C2 domain for 2FA seeds and business data
Telegram channel — Real-time attacker notifications when new data is captured

Why This Is Dangerous

Protection Recommendations

Audit Chrome extensions — Review all installed extensions in chrome://extensions
Use hardware security keys — FIDO2/WebAuthn keys (YubiKey, Titan Key) are immune to seed theft
Implement extension allowlisting via Chrome enterprise policies
Rotate 2FA seeds — If you suspect compromise, disable and re-enable 2FA
Review Meta Business access — Check the "People" section for unauthorized users
Separate browsing profiles — Use a dedicated profile for business account management
Monitor network traffic — Block connections to getauth[.]pro

Malicious Chrome Extension 'CL Suite' Steals Meta Business

Chrome Extension Targets Meta Business Accounts

Attack Overview

How It Works

TOTP 2FA Seed Theft

Meta Business Data Harvesting

Exfiltration

Why This Is Dangerous

Protection Recommendations

Sources

WhatsApp Phishing Attack Uses Fake Business Docs to Hack PCs

Hola Browser for Windows Compromised to Deliver Cryptominer

Hackers Used Meta's AI Support Bot to Seize Instagram Accounts

Malicious Chrome Extension 'CL Suite' Steals Meta Business

Chrome Extension Targets Meta Business Accounts

Attack Overview

How It Works

TOTP 2FA Seed Theft

Meta Business Data Harvesting

Exfiltration

Why This Is Dangerous

Protection Recommendations

Sources

WhatsApp Phishing Attack Uses Fake Business Docs to Hack PCs

Hola Browser for Windows Compromised to Deliver Cryptominer

Hackers Used Meta's AI Support Bot to Seize Instagram Accounts

Chrome Extension Targets Meta Business Accounts

Attack Overview

How It Works

TOTP 2FA Seed Theft

Meta Business Data Harvesting

Exfiltration

Why This Is Dangerous

Protection Recommendations

Sources

Related Reading

Chrome Extension Targets Meta Business Accounts

Attack Overview

How It Works

TOTP 2FA Seed Theft

Meta Business Data Harvesting

Exfiltration

Why This Is Dangerous

Protection Recommendations

Sources

Related Reading