AiFrame malicious Chrome extension spraying operation
Malware Activity
Summary
Hide ▲
Show ▼
The AiFrame operation spread fake Chrome AI assistants that delivered malicious extensions, putting over 260,000 Google Chrome users at risk of credential theft, email monitoring, and remote access. The activity abused the appearance of legitimate productivity tools to gain trust inside the Chrome Web Store. Researchers linked more than 30 extensions to shared code, permissions, and backend infrastructure. The use of extension spraying helped the operation stay active after takedowns.
Related Happenings
Silent Swap browser-extension clipboard clipper
Malware Activity
H score36
First: 30.06.2026 18:40
Last: 30.06.2026 18:40
Sources 1
About this happening:
The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Silent Swap browser-extension clipboard clipper
Malware ActivityAbout this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical Analysis
H score23
First: 25.06.2026 17:12
Last: 25.06.2026 17:12
Sources 1
About this happening:
A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Dormant remote-controlled JavaScript injection path in Adblock for YouTube Chrome extension
Technical AnalysisAbout this happening: A **Chrome extension** with **10 million+ installs** was found to carry a **dormant script-injection path**, raising the risk of **arbitrary JavaScript execution** across visited...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Timeline
-
13.02.2026 13:25 2 articles · 4mo ago
AiFrame malicious Chrome extension campaign disclosed
Initial DisclosureLayerX identified an AiFrame campaign in the Google Chrome Web Store in which fake AI assistants were used to distribute malicious Chrome extensions that could steal login credentials, monitor emails, enable remote access, and exfiltrate data from the Google Chrome Browser and Gmail. More than 30 extensions were linked to shared codebase, permissions, and backend infrastructure, including 'AI Assistant' posing as an Anthropic Claude AI extension and other imitations of ChatGPT, Grok, and Google Gemini. The campaign reached over 260,000 Google Chrome users, used extension spraying to stay active after takedowns, and routed users to remote infrastructure with a full-screen iframe to load malicious content away from the Chrome Web Store.
Show sources
- Fake AI Assistants in Google Chrome Web Store Steal Passwords and Spy on Emails — www.infosecurity-magazine.com — 13.02.2026 13:25
- Fake AI Assistants in Google Chrome Web Store Steal Passwords and Spy on Emails — www.infosecurity-magazine.com — 13.02.2026 13:25