Malware News Fake AI Assistant Extensions Targeting 260,000 Chrome Users via injected iframes

nicolaasjan

As generative AI tools like ChatGPT, Claude, Gemini, and Grok become part of everyday workflows, attackers are increasingly exploiting their popularity to distribute malicious browser extensions.

In this research, we uncovered a coordinated campaign of Chrome extensions posing as AI assistants for summarization, chat, writing, and Gmail assistance. While these tools appear legitimate on the surface, they hide a dangerous architecture: instead of implementing core functionality locally, they embed remote, server-controlled interfaces inside extension-controlled surfaces and act as privileged proxies, granting remote infrastructure access to sensitive browser capabilities.

Across 30 different Chrome extensions, published under different names and extension IDs and affecting over 260,000 users, we observed the same underlying codebase, permissions, and backend infrastructure.

Critically, because a significant portion of each extension’s functionality is delivered through remotely hosted components, their runtime behavior is determined by external server-side changes, rather than by code reviewed at install time in the Chrome Web Store.

Campaign Structure and Impact

The campaign consists of multiple Chrome extensions that appear independent, each with different names, branding, and extension IDs. In reality, all identified extensions share the same internal structure, JavaScript logic, permissions, and backend infrastructure.

Across 30 extensions impacting more than 260,000 users, the activity represents a single coordinated operation rather than separate tools. Notably, several of the extensions in this campaign were Featured by the Chrome Web Store, increasing their perceived legitimacy and exposure.

This technique, commonly known as extension spraying, is used to evade takedowns and reputation-based defenses. When one extension is removed, others remain available or are quickly re-published under new identities. Although the extensions impersonate different AI assistants (Claude, ChatGPT, Gemini, Grok, and generic “AI Gmail” tools), they all serve as entry points into the same backend-controlled system.

The Register found that the re-uploaded extension (gghdfkafnhfpaooiolhncejnlgglhkhe) is now listed with 70,000 users as of publication.
 
What you quoted describes a common and effective Chrome-extension abuse pattern: “legit-looking” productivity/AI helpers that mainly act as a privileged bridge between your browser and a remote server, so the extension’s behavior can change after install without the Web Store package materially changing.

Why this architecture is dangerous
  • Remote-controlled behavior: if most UI/logic is delivered from a server (embedded pages, remote “app” inside the extension), the risk isn’t just what you installed—it’s what the operator serves later.
  • Privilege escalation via permissions: even if the remote page is “just a UI,” the extension can expose sensitive capabilities to it (tabs, content scripts, cookies, clipboard, downloads, web requests, reading page content, etc.).
  • “Extension spraying” persistence: many near-identical extensions with different names/IDs means takedowns and reputation signals are easier to evade.
  • False trust signals: “Featured” placement (if accurate at the time) can reduce user skepticism and increase install volume.

Practical steps for users (low-risk, high-value)
  • Remove suspicious AI-related extensions you don’t absolutely need (especially “summarizer / writer / Gmail assistant” types).
  • Check for unexpected permissions on extensions you keep (Chrome → Extensions → Details). Be cautious with broad access like “Read and change all your data on all websites,” “Manage your downloads,” “Read your browsing history,” or anything touching mail sites.
  • Revoke sessions/tokens for accounts used while the extension was installed:
    • Google Account → Security → “Your devices” / “Recent security activity”
    • Google Account → Security → “Third-party access” (remove anything you don’t recognize)
  • Change passwords if you suspect credential capture, and enable/verify 2FA (prefer an authenticator app or passkeys).
  • Review Gmail forwarding/filters (attackers commonly add hidden forwarding rules): Gmail Settings → See all settings → Filters and Blocked Addresses / Forwarding and POP/IMAP.
  • Run reputable on-demand scans on the PC (this won’t “clean” the browser itself, but it helps rule out additional payloads). Common choices: Microsoft Defender (full scan) plus a second-opinion scanner like Malwarebytes or ESET Online Scanner.
  • Reset Chrome settings (optional but reasonable if browser behavior changed): chrome://settings/reset (note: this won’t always remove all extension side effects, but can help with hijacked search/startup).

Practical steps for admins / power users
  • Block/allowlist extensions by ID using Chrome Enterprise policies (ExtensionSettings / blocklist) to prevent re-installation.
  • Disable “developer mode” extension installs where feasible and restrict local sideloading.
  • Monitor for risky permissions at scale (tabs + scripting + host permissions to “all sites” is a common red flag combination).
  • Treat “remote UI” extensions as high risk unless the vendor is well-known and you have a business need.

Per your note: the “70,000 users” figure is time-sensitive and reflects what The Register reported as of publication on February 12, 2026; it can change quickly after removals/reuploads.
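An added example, not part of the reply above: one way to check installed extensions for the "tabs + scripting + all sites" combination it names, by reading each `manifest.json` under a Chrome profile's `Extensions` directory. The function names, the list of sensitive permissions and the sample manifests are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Host patterns that grant access to every site.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Capabilities the post lists as sensitive when bridged to a remote UI.
SENSITIVE = {"cookies", "downloads", "history", "webRequest", "clipboardRead"}

def audit_manifest(manifest):
    """Return a list of findings for one parsed manifest.json (MV2 or MV3)."""
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | perms
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    findings = []
    all_sites = bool(hosts & ALL_SITES)
    if all_sites:
        findings.append("host access to all sites")
    if all_sites and {"tabs", "scripting"} <= perms:
        findings.append("tabs + scripting + all-sites combination")
    for perm in sorted(perms & SENSITIVE):
        findings.append(f"sensitive permission: {perm}")
    return findings

def audit_profile(extensions_dir):
    """Audit <profile>/Extensions/<id>/<version>/manifest.json for every extension."""
    report = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, json.JSONDecodeError):
            report[ext_id] = ["unreadable manifest"]
            continue
        findings = audit_manifest(manifest)
        if findings:
            report[ext_id] = findings
    return report

# Constructed sample manifests (not taken from any real extension).
SAMPLE_RISKY = {"manifest_version": 3, "name": "Sample AI helper",
                "permissions": ["tabs", "scripting", "storage"],
                "host_permissions": ["<all_urls>"]}
SAMPLE_BENIGN = {"manifest_version": 3, "name": "Sample notes",
                 "permissions": ["storage"],
                 "host_permissions": ["https://notes.example/*"]}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_RISKY))
    print(audit_manifest(SAMPLE_BENIGN))
```

A clean manifest does not clear an extension whose interface is served remotely; the audit only narrows down which installs deserve a closer look.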

 
Technical Analysis & Remediation

MITRE ATT&CK Mapping

T1176 – Browser Extensions

T1556.003 – Modify Authentication Process: Browser Extensions

T1557 – Adversary-in-the-Middle (AiTM)

T1048 – Exfiltration Over Alternative Protocol

CVE Profile
NVD Score: N/A (Architecture Abuse) | CISA KEV Status: Inactive

Telemetry

Domains

hxxps://tapnetic[.]pro

Constraint
The payload structure resembles a centralized access broker framework. By utilizing full-screen remote iframes combined with privileged API bridges, it allows attackers to silently introduce new capabilities and monitor user behavior without requiring a Chrome Web Store update.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command

Initiate incident response for potential enterprise data exposure, focusing on API keys, corporate Gmail accounts, and SaaS credentials accessed via Google Chrome.

DETECT (DE) – Monitoring & Analysis

Command

Query endpoint telemetry (e.g., EDR, Chrome Enterprise management) for rogue extension installations or DNS requests resolving to tapnetic[.]pro.

RESPOND (RS) – Mitigation & Containment

Command

Force-remove the identified malicious extensions across all managed Chrome profiles via Google Workspace or Active Directory Group Policy.

RECOVER (RC) – Restoration & Trust

Command

Revoke and rotate all active web session cookies and API keys (especially OpenAI, Anthropic, and Google Workspace tokens) for users identified as compromised.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command

Restrict Chrome extension installation to an explicit corporate allowlist to prevent future "extension spraying" tactics.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command

Disconnect from the internet immediately to sever the connection between the malicious iframe and the threat actor's command and control server.

Command
Do not log into banking/email until verified clean. Open Chrome without a network connection and remove any recently installed "AI Assistant" extensions.

Priority 2: Identity

Command

Reset passwords and revoke active login sessions (specifically Google/Gmail and AI platform accounts) using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command

Check Scheduled Tasks, Startup Folders, and Browser Extensions. Manually verify that no residual rogue extensions remain in chrome://extensions.

Hardening & References

Baseline

CIS Benchmarks for Google Chrome (Extension Allowlisting).

Framework
NIST CSF 2.0 (PR.DS, DE.CM) / SP 800-61r3.

Source

LayerX Security

The Hacker News
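An added example, not part of either post above: a builder for the Chrome `ExtensionSettings` policy value that both the "block/allowlist extensions by ID" step and the force-remove and allowlist steps call for. It produces a default-deny policy, allows listed IDs, and marks known-bad IDs as `removed`. `build_extension_settings` and `APPROVED_ID` are hypothetical names, and `APPROVED_ID` is a constructed placeholder; the removed ID is the one quoted earlier in the thread.

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"^[a-p]{32}$")

def build_extension_settings(allowlist, remove_ids, message=""):
    """Build a default-deny ExtensionSettings policy value.

    allowlist  -- extension IDs users may install
    remove_ids -- IDs to block and uninstall where already present
    message    -- optional text shown when an install is blocked
    """
    for ext_id in list(allowlist) + list(remove_ids):
        if not EXT_ID.match(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    clash = set(allowlist) & set(remove_ids)
    if clash:
        raise ValueError(f"ID both allowed and removed: {sorted(clash)}")
    default = {"installation_mode": "blocked"}
    if message:
        default["blocked_install_message"] = message
    policy = {"*": default}  # anything not listed below cannot be installed
    for ext_id in sorted(allowlist):
        policy[ext_id] = {"installation_mode": "allowed"}
    for ext_id in sorted(remove_ids):
        # "removed" blocks installation and uninstalls existing copies.
        policy[ext_id] = {"installation_mode": "removed"}
    return policy

# The re-uploaded extension ID quoted earlier in the thread.
REUPLOADED_ID = "gghdfkafnhfpaooiolhncejnlgglhkhe"
# Constructed placeholder standing in for an approved corporate extension.
APPROVED_ID = "a" * 32

if __name__ == "__main__":
    policy = build_extension_settings([APPROVED_ID], [REUPLOADED_ID],
                                      "Request extensions through IT.")
    print(json.dumps(policy, indent=2))
```

The printed JSON is the value to deploy as the `ExtensionSettings` policy through whichever management channel the organization uses.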
 