QuickLens and ShotBird malicious Chrome extension update chain
Malware Activity
Summary
The QuickLens and ShotBird Chrome extensions have become malicious after ownership transfer, turning trusted add-ons into a delivery path for code injection and data theft. Their payloads used C2-delivered JavaScript and a hidden browser execution path, while ShotBird also pushed a fake Chrome update lure that led Windows users to launch googleupdate.exe. The result is credential capture, browser-data siphoning, and host-level script execution on affected systems.
Related Happenings
Chromium JavaScript background RCE flaw
Vulnerability
First: 21.05.2026 21:13
Last: 21.05.2026 21:13
Sources 1
About this happening:
The unfixed **Chromium** flaw keeps **JavaScript** running after the browser is closed, creating **remote code execution** risk across **Chromium-based browsers**. A malicious sit...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Chrome extension campaign
Campaign
First: 14.04.2026 14:30
Last: 14.04.2026 14:30
Sources 1
About this happening:
A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Google Chrome 146 adds Device Bound Session Credentials to block session-cookie theft
Security Tool/Service
First: 09.04.2026 21:33
Last: 09.04.2026 21:33
Sources 1
About this happening:
Google has rolled out **Device Bound Session Credentials (DBSC)** in **Chrome 146 for Windows**, binding sessions to device hardware to blunt **infostealer malware** that steals s...
Timeline
-
09.03.2026 12:28 1 articles · 2mo ago
QuickLens listed for sale
Campaign Scope Update: QuickLens is listed for sale on ExtensionHub by [email protected], creating an early supply-chain transfer point for the Chrome extension later implicated in malicious updates.
Sources:
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
-
09.03.2026 12:28 1 articles · 2mo ago
QuickLens owner transfer
Campaign Scope Update: The QuickLens Chrome Web Store listing changes owner to [email protected], aligning the extension with a new account before the later malicious payload update.
Sources:
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
-
09.03.2026 12:28 1 articles · 2mo ago
QuickLens malicious update
Technical Analysis Update: QuickLens receives a malicious update that keeps the original functionality but strips security headers such as X-Frame-Options from HTTP responses, bypasses CSP, fingerprints the user environment, polls a C2 every five minutes, stores delivered JavaScript in browser local storage, and executes it at page load through a hidden 1×1 GIF <img> onload handler.
Sources:
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
-
09.03.2026 12:28 2 articles · 2mo ago
QuickLens and ShotBird disclosure
Initial Disclosure: Researchers publicly describe QuickLens and ShotBird as malicious Chrome extensions after ownership transfer, highlighting C2-delivered JavaScript, ClickFix-style fake Chrome update lures, browser-data capture, and host-side script execution via googleupdate.exe on Windows hosts.
Sources:
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
- Chrome Extension Turns Malicious After Ownership Transfer, Enabling Code Injection and Data Theft — thehackernews.com — 09.03.2026 12:28
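The "QuickLens malicious update" entry above describes an extension stripping security headers such as X-Frame-Options and bypassing CSP. The following audit check is an added example, not code from the extensions or from the cited reporting. It assumes the header changes are declared in a Manifest V3 `declarativeNetRequest` rule file, which the page does not state; `auditRules` and `SAMPLE_RULES` are hypothetical names and the sample rules are constructed.

```javascript
// Added example: flag declarativeNetRequest rules that strip security headers.
// X-Frame-Options and CSP are the headers named on this page; the report-only
// CSP variant is an addition for completeness.
const SECURITY_HEADERS = new Set([
  "x-frame-options",
  "content-security-policy",
  "content-security-policy-report-only",
]);

// Returns one finding per security response header a rule removes or overwrites.
function auditRules(rules) {
  const findings = [];
  for (const rule of rules) {
    const action = rule.action || {};
    if (action.type !== "modifyHeaders") continue;
    const cond = rule.condition || {};
    for (const h of action.responseHeaders || []) {
      const name = String(h.header || "").toLowerCase();
      if (!SECURITY_HEADERS.has(name)) continue;
      if (h.operation !== "remove" && h.operation !== "set") continue;
      findings.push({
        ruleId: rule.id,
        header: name,
        operation: h.operation,
        // No URL or domain restriction in the condition: the rule hits every site.
        allSites: !cond.urlFilter && !cond.regexFilter &&
                  !cond.requestDomains && !cond.initiatorDomains,
      });
    }
  }
  return findings;
}

// Constructed sample rule file (assumption; not taken from QuickLens or ShotBird).
const SAMPLE_RULES = [
  { id: 1, priority: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "X-Frame-Options", operation: "remove" },
      { header: "Content-Security-Policy", operation: "remove" } ] },
    condition: { resourceTypes: ["main_frame", "sub_frame"] } },
  { id: 2, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example.test^", resourceTypes: ["script"] } },
  { id: 3, priority: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Cache-Control", operation: "set", value: "no-store" } ] },
    condition: { urlFilter: "||app.example.test^" } },
];

console.log(JSON.stringify(auditRules(SAMPLE_RULES), null, 2));
```

Running the same check against each version of an extension's rule files and diffing the findings shows when an update first introduces header stripping.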