152 Malicious Chrome Extensions Caught Spoofing Google Organic Search Traffic – GBHackers Security


A massive, coordinated network of 152 malicious Google Chrome browser extensions has been dismantled after researchers caught the operation generating fake organic Google search traffic.

Socket’s Threat Research Team discovered the operation spanning 38 separate Chrome Web Store publisher accounts and tracing back to three primary brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com.

Disguised as benign “live wallpaper” new-tab extensions, this malicious cluster amassed approximately 105,000 installs from unsuspecting users. Despite every Chrome Web Store listing explicitly declaring that no user data is collected, the extensions aggressively harvest telemetry in the background.

The operator’s external privacy policy contradicts the store listings, admitting to logging IP addresses, Internet Service Provider (ISP) data, click counts, and referrer data, Socket said.

This harvested telemetry is openly shared with Google AdSense, DoubleClick, and unnamed third-party advertising partners, which constitutes a severe violation of developer policies and may result in permanent account suspensions.

The network’s most sophisticated abuse is concentrated in 54 extensions that use the TabPlugins brand template. The malicious behavior lives in the extension’s service worker (js/bg.js), which opens hardcoded URLs on the installation and uninstallation events.

Upon installation, the extension forces a new tab to open to a tabplugins[.]com landing page appended with utm_source=google&utm_medium=organic parameters. This mechanism tricks analytics platforms into registering the automated software hit as a legitimate user arriving via Google organic search.

Uninstallation triggers an even stealthier cloaking mechanism built to fool attribution systems. The extension’s setUninstallURL call points to a google.com/url wrapper that reproduces Google’s signed ved and usg redirect tokens.

This outbound ping masquerades as a human clicking a legitimate Google Search Engine Results Page (SERP) link.

By laundering software-generated pings into premium organic demand signals, the operators effectively pollute attribution data for their own analytics, partnered ad measurement platforms, and Google itself.

How the network monetizes (Source: Socket)

Takedown resistance and evasion are core operational components of this malicious campaign. Every analyzed extension contains an identical anti-forensic routine embedded within bg.js that initiates a deleteDatabase() loop across all IndexedDB databases on service worker startup.

Socket stated that while current iterations store state data in localStorage, rendering this specific wipe functionally useless for the extension itself, its verbatim presence across 141 extensions serves as a highly reliable behavioral fingerprint.

To prevent a single takedown report from causing total network disruption, the threat actors distributed identical templates across 38 isolated publisher accounts. The backend infrastructure is further divided into separate Cloudflare accounts and hosting providers.

This operational structure suggests the involvement of multiple coordinated teams driving forced traffic to ad-monetized brand pages via a live Prebid header-bidding stack connected to Google Ad Manager and AppNexus.

Indicators of Compromise (IOCs)

IOC Type | Value | Why It Matters
Domain | tabplugins[.]com | Primary brand backend; source of forged Google attribution and ad funnel traffic.
Domain | yowgames[.]com | Secondary brand backend; 19 extensions routing undisclosed telemetry.
Domain | chromewallpaper[.]com | Third brand backend; HTTP 301 redirector to owhit[.]com.
Domain | owhit[.]com | Final redirect destination: AdSense-monetized landing page.
IP Address | 147[.]79[.]120[.]202 | tabplugins[.]com origin server on Hostinger; direct C2 contact point.
IP Address | 92[.]112[.]198[.]22 | Secondary tabplugins[.]com origin server on Hostinger.
URL Pattern | utm_source=google&utm_medium=organic | Forged organic attribution in install ping; key detection signal in network logs.
URL Pattern | google.com/url?sa=t&source=web&...ved=...&usg=... | Cloaked uninstall redirect pointing to tabplugins[.]com, disguised as a real Google SERP click.
Console String | Deleted IndexedDB database: | Family-wide fingerprint present in 100% of analyzed extensions; most reliable hunt signal in the extension service worker.
Script Pattern | indexedDB.databases().then(dbs => { dbs.forEach(db => { indexedDB.deleteDatabase(db.name) }) }) | Anti-forensic wipe loop inside bg.js; definitive behavioral IOC for EDR and extension security tooling.

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

End-users must immediately remove any new-tab wallpaper extensions originating from the identified malicious domains and manually verify their default search engine settings.

Security operations teams should avoid relying on easily rotated extension IDs and instead proactively hunt for the behavioral fingerprints outlined above. Key endpoint detection signals include the IndexedDB enumerate-delete loop, setUninstallURL functions pointing to Google URL wrappers, and onInstalled handlers initiating forced organic parameter tabs.
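A hunting script for the three service-worker fingerprints listed above, added here as an example (it is not Socket’s tooling or code from the extensions); the sample sources it scans are constructed to mimic the described behaviors, and the landing-page host in them is a placeholder:

```python
"""Scan Chrome extension service-worker source for the three behavioral
fingerprints described in the report. Added example; the sample sources
below are constructed, not taken from the real extensions."""
import json
import re
from pathlib import Path

# Each fingerprint is a name plus regexes that must ALL match the source text.
FINGERPRINTS = {
    "indexeddb_wipe_loop": [
        r"indexedDB\.databases\(\)",
        r"indexedDB\.deleteDatabase\(",
    ],
    "uninstall_google_url_wrapper": [
        r"setUninstallURL\(",
        r"google\.com/url\?",
    ],
    "forced_organic_install_tab": [
        r"onInstalled\.addListener",
        r"tabs\.create\(",
        r"utm_source=google&utm_medium=organic",
    ],
}

def scan_source(js_text: str) -> list[str]:
    """Return the fingerprint names whose regexes all match js_text."""
    flat = " ".join(js_text.split())  # collapse whitespace so minified code matches too
    return [name for name, pats in FINGERPRINTS.items()
            if all(re.search(p, flat) for p in pats)]

def scan_unpacked_extension(ext_dir: str) -> list[str]:
    """Locate the MV3 service worker via manifest.json and scan it."""
    root = Path(ext_dir)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    worker = manifest.get("background", {}).get("service_worker")
    if not worker:
        return []
    return scan_source((root / worker).read_text(encoding="utf-8"))

# Constructed sample mimicking the reported behaviors (placeholder host and tokens)
SUSPICIOUS_BG = """
indexedDB.databases().then(dbs => { dbs.forEach(db => {
  indexedDB.deleteDatabase(db.name); console.log('Deleted IndexedDB database:', db.name) }) });
chrome.runtime.onInstalled.addListener(() => {
  chrome.tabs.create({ url: 'https://landing.example/?utm_source=google&utm_medium=organic' });
});
chrome.runtime.setUninstallURL('https://www.google.com/url?sa=t&source=web&ved=PLACEHOLDER&usg=PLACEHOLDER');
"""
# Constructed benign wallpaper extension: normal IndexedDB use, no wipe loop
BENIGN_BG = """
chrome.runtime.onInstalled.addListener(() => { chrome.storage.local.set({ theme: 'dark' }); });
const req = indexedDB.open('wallpapers', 1);
"""

if __name__ == "__main__":
    print(scan_source(SUSPICIOUS_BG))  # all three fingerprint names
    print(scan_source(BENIGN_BG))      # []
```

Point scan_unpacked_extension at an unpacked extension directory (for example a copy of a profile’s Extensions/<id>/<version>/ folder) to check the real service worker rather than the embedded samples.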
