Cloud 9 Chrome Botnet

The Zimperium zLabs team recently discovered a malicious browser extension, originally called Cloud9, which not only steals the information available during the browser session but can also install malware on a user’s device and subsequently assume control of the entire device.

The extension, Cloud9, was never found on any official browser extension store; instead, it was distributed most commonly through side-loading fake executables and malicious websites disguised as Adobe Flash Player updates.

Cloud9 acts like a remote access trojan (RAT) with many functionalities. It’s built to steal cookies and other info, mine cryptocurrency, install malware, or take over the entire device for use in a distributed denial-of-service (DDoS) attack — among other things.

https://www.zimperium.com/blog/the-case-of-cloud9-chrome-botnet/
