Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
Summary
Researchers found a commercial adware and traffic-attribution-fraud affiliate operation abusing Chrome extensions to fabricate traffic signals and monetize installs, increasing fraud-enablement risk across the extension ecosystem. The network spans 38 publisher accounts, three brand backends, and 105,000 installs, showing coordinated distribution at meaningful scale.
Related Happenings
Chrome extension PUP distribution network with fake organic traffic
Malware Activity
H score: 18
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
How related:
Cybersecurity researchers have discovered a network of 152 Google Chrome extensions that act as new tab live wallpaper add-ons to distribute a potentially unwanted program (PUP) family.
About this happening:
A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Trapdoor Android malvertising and ad-fraud campaign
Campaign
H score: 39
First: 19.05.2026 19:38
Last: 19.05.2026 19:38
Sources 1
About this happening:
The **Trapdoor** campaign is a **self-sustaining malvertising and ad-fraud operation** targeting **Android users** and turning app installs into revenue through threat-actor-contr...
Chrome Web Store malicious extensions coordinated campaign using shared C2
Campaign
H score: 40
First: 14.04.2026 23:33
Last: 14.04.2026 23:33
Sources 1
About this happening:
A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
H score: 41
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Legitimate-looking Chrome extension prompt-poaching campaign
Campaign
H score: 39
First: 25.03.2026 13:00
Last: 25.03.2026 13:00
Sources 1
About this happening:
A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...
Timeline
15.06.2026 14:07 · 2 articles
Researchers uncover 152 Chrome wallpaper extensions tied to adware and fake traffic
Initial Disclosure
Researchers uncovered 152 Google Chrome extensions posing as live-wallpaper new-tab add-ons and linked them to a financially motivated commercial adware and traffic-attribution-fraud affiliate operation. The cluster spans 38 Chrome Web Store publisher accounts and three brand backends, with 105,000 installs, and the listings' privacy policies admit logging IP addresses, ISP, click counts, and referrers while sharing that data with Google AdSense, DoubleClick, and third-party ad partners. Some extensions also use hard-coded install and uninstall URLs in js/bg.js to disguise self-opened tabs as organic Google traffic and to make uninstall activity look like genuine Google Search clicks.
Sources:
- 152 Chrome Wallpaper Extensions with 105K Installs Linked to Adware and Fake Traffic — thehackernews.com — 15.06.2026 14:07