Listen to the episode
TLDR
A phishing email carrying an attachment that looks like a PDF actually drops a malicious Chrome extension designed to steal browser session cookies and take over your logged in accounts — even those protected by multi factor...
How it works
A phishing email carrying an attachment that looks like a PDF actually drops a malicious Chrome extension designed to steal browser session cookies and take over your logged in accounts — even those protected by multi factor...
Red flags
- Email attachment showing .pdf icon but whose real extension is .pfd.js (JavaScript) A new Chrome extension appearing that you did not install, often with a generic name like "Cloud" Unexpected Chrome policy changes or unknown processes spawning PowerShell after opening an attachment
What to do
- 1Verify the sender before opening any attachment and always inspect
Source
malwarebytes
Source reviewed by Mythos Forensic Team
https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accountsFAQ
Is Fake PDF attachment installs Chrome extension that steals session cookies and bypasses MFA a real scam pattern?
Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.
What are the first warning signs?
Email attachment showing .pdf icon but whose real extension is .pfd.js (JavaScript) A new Chrome extension appearing that you did not install, often with a generic name like "Cloud" Unexpected Chrome policy changes or unknown processes spawning PowerShell after opening an attachment
What should I do first?
Verify the sender before opening any attachment and always inspect
Can LegalAudit check my case?
Yes. Start a free chat and paste the message, link, sender, or payment details for triage.