As AI tools like ChatGPT, Claude, Gemini, and Grok gain mainstream adoption, cybercriminals are weaponizing their popularity to distribute malicious browser extensions.
Researchers at LayerX Security have uncovered a coordinated campaign of 30 Chrome extensions that masquerade as legitimate AI assistants while secretly deploying surveillance capabilities, affecting over 260,000 users.
The malicious extensions pose as AI-powered tools for summarization, chat assistance, writing help, and Gmail integration.
Despite appearing legitimate in the Chrome Web Store, where several were even featured as recommended tools, they share identical underlying code, permissions, and backend infrastructure controlled through the tapnetic.pro domain.
Rather than implementing their functionality locally, they load remote, server-controlled interfaces and let the extension's privileged context act as a proxy, giving the operator's servers access to sensitive browser capabilities that an ordinary web page cannot reach.
Attack Architecture and Capabilities
The extensions are controlled remotely. At their core, they inject full-screen iframes pointing to operator-controlled subdomains of tapnetic.pro, overlaying the user’s current webpage.
Because the behaviour lives on the remote server rather than in the packaged extension, attackers can silently change functionality and add new capabilities without pushing a Chrome Web Store update or triggering any user notification: the code the store reviewed is not the code that actually runs.
The malicious code extracts readable content from active browser tabs using Mozilla’s Readability library, capturing titles, text, excerpts, and metadata from any page users visit, including sensitive internal or authenticated pages. This information flows directly to third-party servers outside user control. Additionally, the extensions implement voice recognition capabilities using the Web Speech API, enabling transcript collection when triggered remotely.
Malicious Extensions List
Extensions identified in the campaign with their reported install counts (the 16 listed here account for roughly 263,000 installs):
| Extension ID | Extension Name | Installs |
|---|---|---|
| nlhpidbjmmffhoogcennoiopekbiglbp | AI Assistant | 50,000 |
| fppbiomdkfbhgjjdmojlogeceejinadg | Gemini AI Sidebar | 80,000 |
| gghdfkafnhfpaooiolhncejnlgglhkhe | AI Sidebar | 50,000 |
| acaeafediijmccnjlokgcdiojiljfpbe | ChatGPT Translate | 30,000 |
| kblengdlefjpjkekanpoidgoghdngdgl | AI GPT | 20,000 |
| llojfncgbabajmdglnkbhmiebiinohek | ChatGPT Sidebar | 10,000 |
| djhjckkfgancelbmgcamjimgphaphjdl | AI Sidebar | 9,000 |
| fdlagfnfaheppaigholhoojabfaapnhb | Google Gemini | 7,000 |
| pgfibniplgcnccdnkhblpmmlfodijppg | ChatGBT | 1,000 |
| gnaekhndaddbimfllbgmecjijbbfpabc | Ask Gemini | 1,000 |
| idhknpoceajhnjokpnbicildeoligdgh | ChatGPT Translation | 1,000 |
| fpmkabpaklbhbhegegapfkenkmpipick | Chat GPT for Gmail | 1,000 |
| gohgeedemmaohocbaccllpkabadoogpl | DeepSeek Chat | 1,000 |
| fnjinbdmidgjkpmlihcginjipjaoapol | Email Generator AI | 881 |
| ecikmpoikkcelnakpgaeplcjoickgacj | Ai Picture Generator | 813 |
| ebmmjmakencgmgoijdfnbailknaaiffh | Chat With Gemini | 760 |
A particularly dangerous subset of 15 extensions specifically targets Gmail users. These variants inject a dedicated content script that runs at document_start on mail.google.com and keeps itself attached through a MutationObserver plus periodic polling, so the scraping survives Gmail's client-side navigation and DOM rewrites.
They extract visible email content directly from Gmail’s DOM, including message threads and draft text, and transmit it to external infrastructure, outside any boundary that Gmail's own security controls can enforce.
Campaign Tactics and Evasion
The operation relies on “extension spraying”: many near-identical extensions are published under different names and IDs, so that when one is removed, others remain available or are quickly republished under new identities.
LayerX Security researchers observed this directly: extension fppbiomdkfbhgjjdmojlogeceejinadg was removed on February 6, 2025, and republished under a new ID (gghdfkafnhfpaooiolhncejnlgglhkhe) on February 20, 2025, with identical code and infrastructure. A blocklist keyed on extension IDs alone therefore lags the campaign; the shared tapnetic.pro infrastructure and the remote-loaded UI pattern are the more stable indicators.
The tapnetic.pro domain serves a legitimate-looking website with generic marketing content, though none of the advertised features or services actually function.
It provides cover infrastructure that lends credibility, while the real malicious activity runs through the extension-controlled subdomains.
Each extension talks to a dedicated subdomain themed to match the AI product it impersonates (claude., chatgpt., gemini., and so on), which gives the operators logical separation between backends and makes rotation easier if an individual subdomain is blocked.
Security experts warn that these extensions fundamentally break the browser security model by transforming into general-purpose access brokers capable of harvesting data, monitoring behavior, and evolving silently.
As generative AI popularity continues growing, defenders should expect similar campaigns to proliferate and treat extensions delegating core functionality to remote infrastructure as potential surveillance platforms rather than productivity tools.
Infrastructure IOCs
| Indicator Type | Value |
|---|---|
| C&C Domain | tapnetic[.]pro |
| C&C Domain | onlineapp[.]pro |
| Subdomain | claude.tapnetic[.]pro |
| Subdomain | chatgpt.tapnetic[.]pro |
| Subdomain | gemini.tapnetic[.]pro |
Attack Techniques (MITRE ATT&CK)
| Tactic | Technique |
|---|---|
| Resource Development | LX2.003 (T1583) – Acquire Infrastructure |
| Initial Access | LX3.004 (T1189) – Drive-by Compromise |
| Initial Access | LX3.003 (T1199) – Trusted Relationship |
| Execution | LX4.003 – Script Execution |
| Defense Evasion | LX7.011 (T1036) – Masquerading |
| Credential Access | LX8.007 (T1557) – Adversary-in-the-Middle |
| Collection | LX10.012 – Web Communication Data Collection |
| Collection | LX10.005 – Collect User’s Information |
| Command and Control | LX11.004 – Establish Network Connection |
| Command and Control | LX11.005 – Web Service-Based C2 |
| Exfiltration | LX12.001 – Data Exfiltration |