A concerning cybersecurity trend has emerged as threat actors exploit the growing popularity of artificial intelligence tools by distributing malicious Chrome extensions masquerading as legitimate platforms.
These deceptive extensions target users seeking convenient access to popular services like ChatGPT, Claude, Perplexity, and Meta Llama, creating a significant security risk for unsuspecting individuals and organizations.
The malicious campaign represents a sophisticated evolution in browser-based attacks, leveraging the trust users place in mainstream browser extension stores and the widespread adoption of conversational intelligence platforms.
These fake extensions initially appear functional, allowing users to type prompts directly into the Chrome search bar, creating an illusion of legitimate functionality while secretly executing malicious operations in the background.
The threat has already demonstrated considerable reach and persistence, with previous iterations of similar campaigns affecting thousands of users.
Palo Alto Networks analysts identified this renewed activity as part of a broader trend targeting browser extension ecosystems, highlighting the attackers’ strategic shift toward exploiting emerging technology trends to maximize their success rates.
These malicious extensions operate through a carefully orchestrated infection mechanism that fundamentally compromises user browsing behavior and data security.
The extensions achieve persistence by exploiting Chrome’s chrome_settings_overrides manifest permission, which allows them to permanently alter the browser’s default search engine configuration without explicit user consent or awareness.
Technical implementation
The technical implementation involves redirecting all search queries to attacker-controlled domains including chatgptforchrome[.]com, dinershtein[.]com, and gen-ai-search[.]com.
This redirection mechanism effectively positions the malicious infrastructure as a man-in-the-middle, capturing sensitive user queries that may contain confidential information, personal data, or proprietary business intelligence.
The threat actors have identified eight specific extension identifiers in their current campaign: akfnjopjnnemejchppfpomhnejoiiini (Claude search), boofekcjiojcpcehaldjhjfhcienopme (previously reported ChatGPT extension), bpeheoocinjpbchkmddjdaiafjkgdgoi (ChatGPT for Chrome), ecimcibolpbgimkehmclafnifblhmkkb (Perplexity Search), jhhjbaicgmecddbaobeobkikgmfffaeg (Chat AI for Chrome), jijilhfkldabicahgkmgjgladmggnkpb (GenAISearch), lnjebiohklcphainmilcdoakkbjlkdpn (ChatGPT Search), and pjcfmnfappcoomegbhlaahhddnhnapeb (Meta Llama Search).
Distribution methods include sophisticated social engineering campaigns utilizing YouTube promotional content to entice installation, demonstrating the attackers’ understanding of modern digital marketing techniques and user acquisition strategies.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
