Skip to content
.ca
sign in
7 minhigh

That AI Extension Helping You Write Emails? It’s Reading Them First

Unit 42 identified 18 high-risk browser extensions masquerading as GenAI productivity tools that function as remote access Trojans, infostealers, and spyware. These extensions exploit browser permissions to intercept API keys, exfiltrate DOM content, establish persistent WebSocket C2 channels, and dynamically route traffic via malicious proxy configurations.

Conf:highAnalyzed:2026-05-01reports

Authors: Unit 42

Actors10xprofit affiliate hijacking campaign
Browser ExtensionsGenAISpywareInfostealerRAT

Source:Palo Alto Networks

IOCs · 27

Detection / Hunter

What Happened

Security researchers found 18 malicious web browser extensions that pretend to be helpful AI productivity tools. Anyone using Google Chrome or similar browsers who installed these extensions is affected. Instead of helping, these tools secretly steal sensitive information like passwords, read your emails as you type them, and track your web searches, putting personal and company data at severe risk. Users should remove these extensions immediately, change any exposed passwords or API keys, and only install extensions from highly trusted sources.

Key Takeaways

  • 18 malicious Chrome extensions disguised as GenAI productivity tools were discovered delivering RATs, infostealers, and spyware.
  • Extensions utilize advanced client-side techniques like WebSocket C2 channels, DOM-based exfiltration, and dynamic proxy configurations.
  • Threat actors are leveraging LLMs to accelerate malware production, evidenced by AI-generated code fingerprints in campaigns like 10xprofit.
  • Extensions target sensitive AI interactions, intercepting API keys (OpenAI, Gemini, Claude), proprietary prompts, and session credentials.

Affected Systems

  • Google Chrome
  • Chromium-based browsers
  • AI API users (OpenAI, Gemini, Claude)

Attack Chain

Users are lured into installing malicious Chrome extensions disguised as GenAI productivity tools. Upon installation, the extensions abuse granted permissions (like <all_urls>, webRequest, and debugger) to inject content scripts and monitor browser activity. They establish persistence via cross-storage mechanisms (syncing cookies and local storage) and WebSocket C2 channels. Finally, the extensions exfiltrate sensitive data such as AI API keys, email contents via DOM observation, and search queries, or execute arbitrary JavaScript to act as a remote access Trojan.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.) but lists IOCs and behavioral patterns for hunting.

Detection Engineering Assessment

EDR Visibility: Low — Browser extensions operate entirely within the browser's trusted process memory space, making their internal JavaScript execution and DOM manipulation largely invisible to standard EDR process monitoring. Network Visibility: Medium — Network tools can detect connections to known malicious C2 domains, WebSocket traffic anomalies, or unexpected proxy configurations, though HTTPS encryption obscures the payload. Detection Difficulty: Hard — Malicious extensions blend in with legitimate browser traffic and leverage native browser APIs, requiring specialized browser-level monitoring or strict extension allowlisting to detect effectively.

Required Log Sources

  • Browser extension logs
  • DNS query logs
  • Web proxy logs
  • Network flow logs

Hunting Hypotheses

HypothesisTelemetryATT&CK StageFP Risk
Look for unexpected WebSocket connections originating from the browser process to uncategorized or low-reputation domains, indicating potential extension C2 channels.Network flow logs, Web proxy logsCommand and ControlMedium (Legitimate web apps use WebSockets)
Identify browser processes fetching Proxy Auto-Configuration (PAC) scripts from external, non-corporate domains.Web proxy logs, DNS query logsDefense EvasionLow (Corporate PAC scripts are usually hosted internally)
Monitor for HTTP headers containing 'x-openai-key', 'x-gemini-key', or 'x-claude-key' being sent to non-standard API endpoints.Web proxy logs (if SSL inspection is enabled)Credential AccessLow

Control Gaps

  • Lack of enterprise browser extension management
  • Inability to inspect DOM-level data access
  • Blind spots in EDR for in-browser JavaScript execution

Key Behavioral Indicators

  • Extensions requesting excessive permissions (debugger, proxy, <all_urls>)
  • Use of chrome.proxy.settings.set API
  • Cross-storage persistence mechanisms recreating deleted cookies

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Identify and remove the listed malicious extension IDs from all enterprise browsers.
  • Revoke and rotate any OpenAI, Gemini, or Claude API keys that may have been exposed.
  • Force a password reset for users who had these extensions installed.

Infrastructure Hardening

  • Implement strict browser extension allowlisting via Group Policy or MDM.
  • Block network traffic to the identified malicious domains and IPs.

User Protection

  • Deploy enterprise browser security solutions to monitor extension behavior.
  • Enable advanced URL and DNS filtering to block C2 and exfiltration endpoints.

Security Awareness

  • Train employees on the risks of installing unvetted browser extensions, especially those masquerading as AI tools.
  • Educate developers on the dangers of pasting API keys into third-party browser extensions.

MITRE ATT&CK Mapping

  • T1176 - Browser Extensions
  • T1059.007 - Command and Scripting Interpreter: JavaScript
  • T1111 - Two-Factor Authentication Interception
  • T1539 - Steal Web Session Cookie
  • T1566.002 - Phishing: Spearphishing Link
  • T1090 - Proxy
  • T1119 - Automated Collection
  • T1071.001 - Application Layer Protocol: Web Protocols
  • T1552.001 - Credentials In Files

Additional IOCs

  • Ips:
    • 172[.]16[.]18[.]184 - Associated with Anker AIME Copilot extension
    • 158[.]160[.]66[.]115 - Associated with Text Summarizer extension
    • 199[.]80[.]55[.]27 - Associated with AI Agent extension
  • Domains:
    • browser[.]cash - Associated with browser cash extension
    • banana[.]summarizer[.]one - Associated with Nano Banana extension
    • notionapp[.]cn - Associated with Notion中文版 extension
    • xuix[.]top - Associated with Brand Impersonator extension
    • vomet[.]ru - Associated with Ask AI - GPT chat extension
    • pic-editor-chromeextension[.]uno - Associated with Picsart: AI Photo Video Editor extension
    • newextensioninstallweb[.]com - Redirection domain for Brand Impersonator extension
    • 10xprofit[.]io - Associated with 10xprofit affiliate hijacking campaign
    • huiyiai[.]net - Associated with Huiyi Spyware extension
  • Urls:
    • wss://mcp-browser[.]qubecare[.]ai/chrome - WebSocket C2 URL for Chrome MCP Server RAT
    • hxxps://mcp-browser[.]qubecare[.]ai/mcp - HTTP C2 URL for Chrome MCP Server RAT
    • hxxps://api[.]gosupersonic[.]email/collect - Data exfiltration endpoint for Supersonic AI
    • hxxps://api[.]reverserecruiting[.]io/v1/profile/sync - Profile data exfiltration endpoint for Reverse Recruiting
    • hxxps://chatgptforchrome[.]com/auto-suggest/search.php?q={searchTerms} - Search hijacking URL for Chat AI for Chrome
    • hxxps://yiban[.]io/extension/proxy.pac?t=huiyi - Proxy PAC script download URL for Huiyi Spyware
    • ws://158[.]160[.]66[.]115:40000/summary - WebSocket URL for Text Summarizer extension
  • File Hashes:
    • 0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5 (SHA256) - Chrome MCP Server - AI Browser Control extension
    • ac0a312398b3bf6b3d7c5169687ca72f361838bc5a90f2c0dbce2dc8e2094a02 (SHA256) - Supersonic AI extension
    • 604c7aef72892b56ac23ad54744376574239c8f0651e95dd5b6cf540eb70f7c3 (SHA256) - Reverse Recruiting - AI Job Application Assistant extension
    • dfe307d957724ebe32331f92d53e366b7fa85968a9564c2285c5a0142ac9e1bb (SHA256) - Chat AI for Chrome extension
    • 4e38bee33237a8c8b17a2504013e506ca7cbf667a7f68a2d94d75db505c2149f (SHA256) - Brand Impersonator extension
    • c9754454efede2dec2fcb856faa40424b8df378706b664a5ae4847fcd0336b53 (SHA256) - Huiyi Spyware extension
  • File Paths:
    • background.js - Common extension background script used for persistent C2
    • optimized-api.js - Script used by Reverse Recruiting to steal API keys
    • profile-sync.js - Script used by Reverse Recruiting to exfiltrate user profiles
    • thanks.html - Post-installation page used by Brand Impersonator for redirection
    • proxy.pac - Proxy auto-configuration script downloaded by Huiyi Spyware
  • Command Lines:
    • Purpose: Execute arbitrary JavaScript received from C2 server | Tools: JavaScript, Browser API | Stage: Execution | new Function("return " +
    • Purpose: Dynamically configure browser proxy settings to route traffic | Tools: Chrome API | Stage: Defense Evasion | chrome.proxy.settings.set
  • Other:
    • oaldjcdohhhibelagdhoahbedekfjjjf - Extension ID for browser cash
    • nbflcljmdbibeoaipongjgfmbapanipm - Extension ID for Anker AIME Copilot
    • ffocfibjgakneigiajpccfcdmomlbapo - Extension ID for Nano Banana
    • npifianbfjhobabjjpfdjjihgbdnbojh - Extension ID for Text Summarizer
    • pfdmleklaejjccgfhoeafapbhkjipcnj - Extension ID for Google AI
    • hnppehcgmflfkcdkbkaeemjfngffmeag - Extension ID for AI Agent
    • ljlhpcabhpjdlcjhbmgjigfceppgabmk - Extension ID for Notion中文版
    • pdahnbohfcekobflehebdkoemnmmempk - Extension ID for Notion中文版
    • jndldoeopjgmpakgmieaeeelhnjnfgkj - Extension ID for NotionAI插件
    • bonhfflnjgdbnhcpjemkknlhimceckgb - Extension ID for Agent Risk Reminder Remover
    • cjmhegifablecgkkncjddcgkjmgoacfd - Extension ID for Ask AI - GPT chat
    • dcjfbgppfdokmjgajnnkgdmkdeiloigh - Extension ID for Picsart: AI Photo Video Editor

Related