How 23 Browser Extensions Silently Monetize ~758,000 Users' Searches
Essential information
- Published: 15/06/2026 16:58
- Modified: 15/06/2026 17:46
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: adware, affiliate fraud, browser extension hijacking, chrome extensions, monetization middleware, search hijacking, searchjack, yahoo hosted search
- Related entities: 29 indicators, 29 observables, 19 techniques (mitre), 5 others
Description
SearchJack represents a coordinated campaign comprising 23 deceptive Chrome browser extensions that silently hijack users' default search engines, redirecting queries through monetization middleware before delivering results. These extensions masquerade as various productivity tools, satellite imagery viewers, maps, and news readers while their actual purpose is generating search affiliate revenue. The campaign affects approximately 758,000 users across 22 unique publishers and leverages at least 8 distinct monetization brokers, primarily routing traffic through Yahoo Hosted Search affiliate programs. The extensions employ manifest-only wrappers using chrome_settings_overrides to hijack search settings, with some implementing runtime obfuscation to evade static analysis. Several extensions feature false privacy claims, anomalous review patterns, and anonymous publishers with fictional corporate identities, enabling operators to monetize user search behavior while maintaining zero accountability.
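
A defender-side check for the mechanism described above, added here as an example and not taken from the original report: it reads an extension's manifest.json, reports any default-search override declared through chrome_settings_overrides, and notes whether the package looks like a manifest-only wrapper. The sample manifests, extension names, the search.example host and the CODE_KEYS heuristic for "manifest-only" are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Assumption: a manifest with none of these keys ships no code or UI of its own.
CODE_KEYS = ("background", "content_scripts", "action", "browser_action",
             "page_action", "side_panel", "devtools_page", "options_ui")

def audit_manifest(manifest_text):
    """Return a finding if the manifest replaces the default search engine, else None."""
    manifest = json.loads(manifest_text)
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider") or {}
    if not provider.get("is_default"):
        return None  # no search override, or not set as the default engine
    search_url = provider.get("search_url", "")
    return {
        "name": manifest.get("name", "<unnamed>"),
        # Host that receives every query before results are delivered.
        "search_host": urlsplit(search_url).hostname,
        "search_url": search_url,
        "manifest_only": not any(key in manifest for key in CODE_KEYS),
        "also_overrides": sorted(k for k in ("homepage", "startup_pages")
                                 if k in overrides),
    }

# Constructed sample manifests (not real extensions from the campaign).
SAMPLES = [
    # 1. Manifest-only wrapper: no scripts, only a default-search override.
    '''{"manifest_version": 3, "name": "Sample Satellite Viewer", "version": "1.0",
        "chrome_settings_overrides": {"search_provider": {
            "name": "Sample Search", "keyword": "sample", "is_default": true,
            "search_url": "https://search.example/q?p={searchTerms}&src=ext"}}}''',
    # 2. Ordinary extension: functional code, no settings override.
    '''{"manifest_version": 3, "name": "Sample Notes", "version": "2.1",
        "background": {"service_worker": "sw.js"}, "action": {}}''',
    # 3. Override shipped together with runtime code and a homepage change.
    '''{"manifest_version": 3, "name": "Sample News Reader", "version": "0.9",
        "background": {"service_worker": "bg.js"},
        "chrome_settings_overrides": {"homepage": "https://home.example/",
            "search_provider": {"name": "News Search", "is_default": true,
            "search_url": "https://mw.example/s?q={searchTerms}"}}}''',
]

if __name__ == "__main__":
    for text in SAMPLES:
        finding = audit_manifest(text)
        if finding:
            print(json.dumps(finding, indent=2))
```

Run against the manifest.json of each installed or candidate extension, the search_host values can then be compared with the search engines an organization expects users to reach.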