Chromium extension uses AI‑related branding to redirect browser search
Essential information
- Published
- 29/06/2026 22:08
- Modified
- —
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- browser extension chrome extension data interception declarativenetrequest keystroke capture perplexity ai spoofing search hijacking typosquatting
- Related entities
- 7 indicators, 7 observables, 20 techniques (mitre)
Description
Microsoft Threat Intelligence identified a malicious Chromium extension spoofing Perplexity AI to deceive users into installation. The extension's primary objective involves search traffic interception and data collection through Manifest Version 3 capabilities and declarativeNetRequest rules. It routes both full search queries and real-time keystrokes through attacker-controlled infrastructure hosted on a typosquatted domain before redirecting to legitimate search providers. The extension overrides browser default search settings, captures user input at keystroke-level, and uses suspicious permissions inconsistent with legitimate AI assistants. The threat demonstrates how actors operationalize AI branding as social engineering vectors. Google removed the extension following responsible disclosure. Organizations should strengthen user awareness training and implement layered security strategies to detect similar threats.