A coordinated campaign of 23 deceptive Chrome browser extensions has been quietly stealing users’ search queries and routing them through hidden revenue systems.
The operation, now dubbed SearchJack, has affected roughly 758,000 Chrome users worldwide without any of them realizing their searches were being hijacked.
Each extension presents itself as a useful tool, from satellite maps to productivity apps, while silently running a different operation in the background.
The way these extensions work is straightforward but difficult to detect. Once installed, they override the browser’s default search engine using a built-in Chrome feature called chrome_settings_overrides.
When a user types a query, it passes through operator-controlled relay servers before landing on a results page. The user sees what looks like a normal search, but every query has already passed through a monetization layer they never agreed to.
Researchers at MalExt Sentry identified the campaign using their automated scanning system, which monitors Chrome extension listings for suspicious activity.
According to MalExt Sentry’s report shared with Cyber Security News (CSN), the scanner specifically flagged extensions abusing the chrome_settings_overrides manifest key to take over search settings.
The team traced at least eight distinct affiliate brokers, each identified by a unique tracking parameter in the final Yahoo redirect URL.
What makes SearchJack hard to spot is the gap between what extensions claim and what they actually do. One extension, Nautilus Search, tells users in its store listing that it never tracks searches or collects personal data.
Yet the linked privacy policy explicitly discloses collection of IP addresses, search queries, and device identifiers.
That is not an oversight. It is a direct false claim, potentially actionable under both GDPR and FTC frameworks. The scale of this campaign raises concerns beyond misleading store descriptions.
Since the operators control where search traffic flows, they can quietly switch from delivering normal results to serving phishing pages or malicious downloads without ever pushing an update to the extension.
That ability to escalate harm without touching the code is what elevates SearchJack from adware to a genuine security risk.
SearchJack Campaign Uses 23 Chrome Extensions
The technical backbone of SearchJack is built on a layered redirect system designed to stay completely invisible.
Most extensions are what researchers call shell extensions, containing almost nothing beyond the manifest file that sets the new default search engine.
There is no background script, no permission request, and no visible signal that anything unusual is happening. The same structural template appears across multiple extensions, with only the domain and icon swapped out.
A smaller group adds fake functionality, such as a basic maps viewer or video library, to pass store review and make the install feel legitimate.
These features are barely functional but enough to avoid automated removal. One extension, Search Toggler, shows users an interface that appears to let them switch between search engines.
In practice, all queries still pass through the operator’s server regardless of selection, and the actual routing logic is only injected at runtime, making it invisible to standard analysis tools.
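The manifest pattern described above can be checked locally. The following is an added example, not MalExt Sentry's scanner or code from the original report: it walks a Chrome profile's Extensions directory, reports every extension that sets chrome_settings_overrides.search_provider, and marks the "shell" ones that ship no scripts and request no permissions. The sample manifests, extension IDs and the relay.example host are constructed placeholders.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Any of these keys means the extension ships code or asks for permissions.
ACTIVE_KEYS = ("background", "content_scripts", "permissions", "host_permissions")

def classify_manifest(manifest):
    """Return a finding if the manifest overrides the search provider, else None.
    "shell" is True when the manifest carries nothing but the override."""
    provider = (manifest.get("chrome_settings_overrides") or {}).get("search_provider")
    if not isinstance(provider, dict):
        return None
    return {
        "name": manifest.get("name", "?"),
        "search_host": urlsplit(provider.get("search_url", "")).hostname or "",
        "is_default": bool(provider.get("is_default")),
        "shell": not any(manifest.get(key) for key in ACTIVE_KEYS),
    }

def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json for overrides."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, keep scanning
        hit = classify_manifest(manifest) if isinstance(manifest, dict) else None
        if hit:
            findings.append({"extension_id": path.parent.parent.name, **hit})
    return findings

# Constructed sample manifests; IDs, names and relay.example are placeholders.
SAMPLES = {
    "a" * 32: {"name": "Sample Maps", "chrome_settings_overrides": {"search_provider": {
        "search_url": "https://relay.example/s?q={searchTerms}", "is_default": True}}},
    "b" * 32: {"name": "Sample Notes", "permissions": ["storage"],
               "background": {"service_worker": "sw.js"}},
}

def run_demo():
    """Write SAMPLES into a temporary Extensions-style tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for ext_id, manifest in SAMPLES.items():
            version_dir = Path(tmp, ext_id, "1.0_0")
            version_dir.mkdir(parents=True)
            (version_dir / "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(tmp)
```

To audit a real profile, pass its Extensions directory to audit_profile, for example ~/.config/google-chrome/Default/Extensions on Linux. An extension with shell set to False that still overrides search matches the fake-functionality group and deserves the same scrutiny.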
The Broker Network Enabling the Campaign
Behind every extension sits a broker holding a revenue-sharing agreement with Yahoo’s search affiliate program, collecting a cut each time a user searches. The campaign spans eight such brokers, with the largest block tied to an unidentified operator.
Some brokers, like Becovi Ltd based in Dublin, are at least partially traceable. Others have no verifiable identity, making accountability nearly impossible.
One unusual case involves Fusebase Search, published under a legitimate company name, showing 609 reviews against only 490 current installs.
That ratio is mathematically impossible under normal conditions and points to either review manipulation or a prior policy violation that reset the install count.
Researchers recommend enforcement action at the broker level rather than targeting individual extensions, since extensions are disposable but affiliate accounts are not.
Users should audit their installed extensions, remove anything unfamiliar, and manually reset their default search engine in Chrome settings.
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| Domain | myperfecttab[.]com | PerfecTab Search redirect domain |
| Domain | query.quicksearchtool[.]com | Quick Search Tool redirect domain |
| Domain | search.getbettersearch-api[.]com | Better Search redirect domain |
| Domain | newtab[.]club | NewTab.Search redirect domain |
| Domain | nautilus-notes[.]com | Nautilus Search redirect domain |
| Domain | earthapp[.]net | Earth extension redirect domain (infospace broker) |
| Domain | wanderlustar[.]com | Wanderlustar redirect domain |
| Domain | services.templatesearchsvc[.]org | Template Search redirect domain |
| Domain | earth3d[.]net | Earth 3D redirect domain (infospace broker) |
| Domain | myfocalfind[.]com | My Focal Find redirect domain |
| Domain | greatstartapp[.]com | Great Start redirect domain (becovi broker) |
| Domain | freshfruittab[.]com | Fresh Fruit Search redirect domain |
| Domain | viewmenuprices[.]com | View Menu with Prices redirect domain (infospace broker) |
| Domain | searchtoggler[.]com | Search Toggler operator domain |
| Domain | loginonlineapp[.]com | Easy Login redirect domain (infospace broker) |
| Domain | seek.searchthatweb[.]com | SearchThatWeb redirect domain |
| Domain | search.freshysearchapi[.]net | Freshy Search redirect domain (trp broker) |
| Domain | myvideolibrary[.]info | Video Search Extension redirect domain |
| Domain | bestfreemaps[.]com | Get Maps & Driving Directions + Satelliten Earth redirect domain |
| Domain | searchanything[.]co | Search Anything redirect domain (mnet broker) |
| Domain | oasrchrdr[.]com | Surfer Search redirect domain (fc broker) |
| Domain | s.fusebasesearch[.]com | Fusebase Search redirect domain (dcola broker) |
| Domain | worthathousandwords[.]com | Search Toggler contact email domain |
| Extension ID | hohedjmdoemgcpgdapepfhnilbedldnm | PerfecTab Search (Chrome Extension ID) |
| Extension ID | keadechokmcohlcampccppbjjeabghcd | Quick Search Tool (Chrome Extension ID) |
| Extension ID | epdmngmgidehpmhjamdjcaecpligmcfh | Better Search (Chrome Extension ID) |
| Extension ID | pookachmhghnpgjhebhilcidgdphdlhi | NewTab.Search (Chrome Extension ID) |
| Extension ID | flcaigefphghbcgbmfngbfdgipdflfpn | Nautilus Search (Chrome Extension ID) |
| Extension ID | hnfdneofpohlkoeljnmkdocokcdkjiaa | Earth (Chrome Extension ID) |
| Extension ID | bgliakflmjnofiolfmnbncdmgfnibgnj | Wanderlustar (Chrome Extension ID) |
| Extension ID | cnkcgoiimpncbonlilkekbigfhchcbgb | Template Search (Chrome Extension ID) |
| Extension ID | kbobdmmjbaljcombpliahadgoafgohcd | Earth 3D (Chrome Extension ID) |
| Extension ID | eeejfmalgedffijdepcdmgemfnadjefe | My Focal Find (Chrome Extension ID) |
| Extension ID | mccmkaicbneobeclkbloeoopcfeipmio | Great Start (Chrome Extension ID) |
| Extension ID | jeookppofphgjnhjkifeejcmjbpiogka | Fresh Fruit Search (Chrome Extension ID) |
| Extension ID | ijbmkpeacbkgpfkomjbionjgdhbmlpfp | View Menu with Prices (Chrome Extension ID) |
| Extension ID | hodgcolihbmeagfcfpdfpnapfflmpbkb | Search Toggler (Chrome Extension ID) |
| Extension ID | cpmjnpalighpdecgankobogpcmbceaig | Easy Login (Chrome Extension ID) |
| Extension ID | akimdaijebpdfojiohhimbebkdigkccj | SearchThatWeb (Chrome Extension ID) |
| Extension ID | oikgbpcmdphfkhplgkfngjilemlolann | Freshy Search (Chrome Extension ID) |
| Extension ID | efakcomgmimcekdejnoafmmbgnpdhdfm | Video Search Extension (Chrome Extension ID) |
| Extension ID | gmapdckphdmbafmmcfoahhgoogdjeell | Get Maps & Driving Directions (Chrome Extension ID) |
| Extension ID | odafhekandnacimkenmaagnoemnpaakk | Search Anything (Chrome Extension ID) |
| Extension ID | jgoihmjphghpnjedflgemmhjdaogimad | Satelliten Earth (Chrome Extension ID) |
| Extension ID | dllhnjhfilgcjopkgdekmdmfilpfceig | Surfer Search (Chrome Extension ID) |
| Extension ID | ododhdcefemfdbnidbeipjpjaehadjen | Fusebase Search (Chrome Extension ID) |
| URL Parameter | hspart=trp | Broker tracking parameter — unknown operator |
| URL Parameter | hspart=infospace | Broker tracking parameter — System1 |
| URL Parameter | hspart=flowsurf | Broker tracking parameter — unknown operator |
| URL Parameter | hspart=adk | Broker tracking parameter — unknown operator |
| URL Parameter | hspart=becovi | Broker tracking parameter — Becovi Ltd, Dublin |
| URL Parameter | hspart=imageadvan | Broker tracking parameter — unknown operator |
| URL Parameter | hspart=mnet | Broker tracking parameter — unknown operator |
| URL Parameter | hspart=fc | Broker tracking parameter — unknown operator |
| URL Parameter | hspart=dcola | Broker tracking parameter — unknown operator |
| Email | edgarlife1980[@]gmail[.]com | Publisher account for Earth 3D extension |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
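The broker tracking parameters in the table lend themselves to a proxy-log hunt. The following is an added example, not part of the original report: it looks for the listed hspart values on Yahoo search URLs and counts hits per client. The log format (timestamp, client, URL), the search.yahoo.com host and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Broker tags and attributions as listed in the article's IoC table.
BROKER_TAGS = {
    "trp": "unknown operator", "infospace": "System1", "flowsurf": "unknown operator",
    "adk": "unknown operator", "becovi": "Becovi Ltd, Dublin",
    "imageadvan": "unknown operator", "mnet": "unknown operator",
    "fc": "unknown operator", "dcola": "unknown operator",
}

def broker_tag(url):
    """Return the listed hspart tag carried by a Yahoo search URL, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Match yahoo.com and its subdomains only, not look-alike hosts.
    if host != "yahoo.com" and not host.endswith(".yahoo.com"):
        return None
    for value in parse_qs(parts.query).get("hspart", []):
        if value.lower() in BROKER_TAGS:
            return value.lower()
    return None

def hits_by_client(log_lines):
    """Map client -> {tag: count} for lines shaped '<timestamp> <client> <url>'."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed line
        tag = broker_tag(fields[2])
        if tag:
            hits[fields[1]][tag] += 1
    return {client: dict(tags) for client, tags in hits.items()}

# Constructed proxy log lines; timestamps, clients and paths are illustrative.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 https://search.yahoo.com/search?hspart=becovi&p=weather",
    "2024-01-01T10:02:10Z 10.0.0.5 https://search.yahoo.com/search?hspart=becovi&p=news",
    "2024-01-01T10:03:00Z 10.0.0.7 https://search.yahoo.com/search?p=news",
    "2024-01-01T10:04:00Z 10.0.0.8 https://search.yahoo.com.example/search?hspart=trp&p=x",
    "2024-01-01T10:05:00Z 10.0.0.9 https://search.yahoo.com/search?p=maps&hspart=TRP",
    "truncated-line",
]

if __name__ == "__main__":
    for client, tags in hits_by_client(SAMPLE_LOG).items():
        print(client, {tag: (n, BROKER_TAGS[tag]) for tag, n in tags.items()})
```

A hit identifies a client whose searches reached Yahoo under one of the listed affiliate tags; confirm it against the extensions installed on that machine before acting on it.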

