The AI Frame Campaign Continues

A malicious Chrome extension impersonating Google's Authenticator application has been identified as part of an ongoing campaign active since early 2026. The extension requests excessive permissions and contains dormant infrastructure suggesting a staged deployment model where malicious updates can be delivered without requiring further user approval. This extension is linked to at least six others through a shared developer front, with two already carrying fully operational malicious payloads. These extensions utilize hidden iframes to inject attacker-controlled content, deploy fraudulent paywalls for free services, and maintain bidirectional communication with command and control servers. The infrastructure maps directly to the AiFrame campaign, which has reportedly compromised over 260,000 users from 2025 to present, marking a continued evolution of this threat.

Pulse ID: 69eafa0f9d3e61201eac54d4
Pulse Link: https://otx.alienvault.com/pulse/69eafa0f9d3e61201eac54d4
Pulse Author: AlienVault
Created: 2026-04-24 05:05:19

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Chrome #ChromeExtension #CyberSecurity #Google #InfoSec #OTX #OpenThreatExchange #RAT #Troll #bot #AlienVault