216.73.216.204

Chromium extension uses AI‑related branding to redirect browser search

· Published 29/06/2026 22:08

Export JSON

Essential information

Published
29/06/2026 22:08
Modified
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
browser extension chrome extension data interception declarativenetrequest keystroke capture perplexity ai spoofing search hijacking typosquatting
Related entities
7 indicators, 7 observables, 20 techniques (mitre)

Description

Microsoft Threat Intelligence identified a malicious Chromium extension spoofing Perplexity AI to deceive users into installation. The extension's primary objective involves search traffic interception and data collection through Manifest Version 3 capabilities and declarativeNetRequest rules. It routes both full search queries and real-time keystrokes through attacker-controlled infrastructure hosted on a typosquatted domain before redirecting to legitimate search providers. The extension overrides browser default search settings, captures user input at keystroke-level, and uses suspicious permissions inconsistent with legitimate AI assistants. The threat demonstrates how actors operationalize AI branding as social engineering vectors. Google removed the extension following responsible disclosure. Organizations should strengthen user awareness training and implement layered security strategies to detect similar threats.

External references