Chrome extension PUP distribution network with fake organic traffic
Malware Activity
Summary
A network of 152 Google Chrome extensions is distributing a potentially unwanted program (PUP) family through new-tab live-wallpaper add-ons, creating a broad browser-based adware risk across 105,000 installs. The cluster spans 38 Chrome Web Store publisher accounts and three brand backends, including tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. The linked privacy policy admits logging IP addresses, ISP, click counts, and referrers and sharing them with Google AdSense, DoubleClick, and third-party ad partners, despite store listings denying user-data collection. A sub-cluster also uses hard-coded install and uninstall URLs in js/bg.js to manufacture apparent Google organic search traffic and includes dormant logic to delete IndexedDB databases.
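One way to triage an unpacked extension for the behaviours named in this summary, as an added example (not code from the researchers or from the extensions themselves): it flags string-literal URLs passed to `chrome.runtime.setUninstallURL` and `chrome.tabs.create`, and the pairing of `indexedDB.databases()` with `indexedDB.deleteDatabase()`. The rule ids and `SAMPLE_BG_JS` are constructed for illustration, and the URLs in it are placeholders.

```javascript
// Added example: static triage of an extension background script (e.g. js/bg.js).
// Rule ids and SAMPLE_BG_JS are constructed; the URLs are placeholders.
const RULES = [
  // String-literal URL handed to the uninstall hook.
  { id: "hardcoded-uninstall-url",
    re: /chrome\.runtime\.setUninstallURL\(\s*["'`](https?:\/\/[^"'`]+)["'`]/g },
  // String-literal URL opened in a new tab by the extension itself.
  { id: "hardcoded-tab-open",
    re: /chrome\.tabs\.create\(\s*\{[^}]*\burl\s*:\s*["'`](https?:\/\/[^"'`]+)["'`]/g },
  { id: "indexeddb-enumerate", re: /indexedDB\.databases\s*\(/g },
  { id: "indexeddb-delete", re: /indexedDB\.deleteDatabase\s*\(/g },
];

function scanBackgroundScript(source) {
  const findings = [];
  for (const { id, re } of RULES) {
    for (const m of source.matchAll(re)) {
      // 1-based line number of the match start.
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ rule: id, line, url: m[1] || null });
    }
  }
  // Enumerating databases and deleting them in the same script is the
  // bulk-wipe combination; either call alone is common and benign.
  const seen = new Set(findings.map((f) => f.rule));
  if (seen.has("indexeddb-enumerate") && seen.has("indexeddb-delete")) {
    findings.push({ rule: "indexeddb-bulk-wipe", line: null, url: null });
  }
  return findings;
}

// Constructed sample input, not taken from any real extension.
const SAMPLE_BG_JS = [
  'chrome.runtime.onInstalled.addListener(() => {',
  '  chrome.tabs.create({ url: "https://install.example.invalid/welcome" });',
  '});',
  'chrome.runtime.setUninstallURL("https://uninstall.example.invalid/bye");',
  'async function cleanup() {',
  '  for (const db of await indexedDB.databases()) indexedDB.deleteDatabase(db.name);',
  '}',
].join("\n");

console.log(scanBackgroundScript(SAMPLE_BG_JS));
```

These are regex heuristics over source text, so minified or string-built calls will be missed; treat a hit as a prompt for manual review of the script rather than a verdict.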
Related Happenings
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score: 20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
How related:
The campaign is assessed to be a "financially motivated commercial adware and traffic-attribution-fraud affiliate operation," although its exact provenance remains unknown.
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
H score: 41
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Fake AI assistant Chrome extension malware activity
Malware Activity
H score: 21
First: 16.02.2026 16:00
Last: 16.02.2026 16:00
Sources 1
About this happening:
A cluster of **30 malicious Chrome extensions** posing as **AI assistants** is stealing **email content** and other sensitive data from **Chrome users**, creating a broad browser-...
Lumma Stealer and trojanized Ninja Browser malware activity
Malware Activity
H score: 21
First: 15.02.2026 18:30
Last: 15.02.2026 18:30
Sources 1
About this happening:
A **Lumma Stealer** and **Ninja Browser** malware activity was identified in **February 2026**, creating a cross-platform risk to **Windows** and **Linux** browser sessions. The W...
CL Suite Chrome extension stealing Meta Business data
Malware Activity
H score: 21
First: 13.02.2026 13:25
Last: 13.02.2026 13:25
Sources 1
About this happening:
The **CL Suite** Chrome extension is exfiltrating **TOTP seeds**, **current 2FA codes**, and **Meta Business** data from **Meta Business Suite** and **Facebook Business Manager**...
Timeline
- 15.06.2026 14:07 · 2 articles
152 Chrome wallpaper extensions distribute a PUP family and fake Google traffic
Initial Disclosure: Researchers uncovered a network of 152 Google Chrome extensions posing as live-wallpaper new-tab add-ons and tied them to a potentially unwanted program family, adware, and traffic-attribution fraud. The cluster spans 38 Chrome Web Store publisher accounts and three brand backends, including tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com, with a combined 105,000 installs. The linked privacy policy admits logging IP addresses, ISP, click counts, and referrers and sharing that data with Google AdSense, DoubleClick, and third-party ad partners, while js/bg.js uses hard-coded install and uninstall URLs to disguise extension-triggered tab opens as Google organic search and real Google Search clicks. The same JavaScript also includes dormant logic to enumerate and delete IndexedDB databases when a service worker starts.
Sources:
- 152 Chrome Wallpaper Extensions with 105K Installs Linked to Adware and Fake Traffic — thehackernews.com — 15.06.2026 14:07