AiFrame Campaign: 30 Fake AI Chrome Extensions with 300K Users Steal Credentials, Gmail Content

Researchers at browser security platform LayerX have uncovered a coordinated malware campaign dubbed “AiFrame” involving 30 malicious Chrome extensions installed by more than 300,000 users. The extensions masquerade as AI assistants while secretly stealing credentials, email content, and browsing information.

Campaign Overview

All analyzed extensions share the same internal structure, JavaScript logic and permissions, and all communicate with infrastructure under a single domain: tapnetic[.]pro. While some extensions have been removed from the Chrome Web Store, many remain available with substantial user counts.

Extensions Still Active on Chrome Web Store

  • AI Sidebar (gghdfkafnhfpaooiolhncejnlgglhkhe) – 70,000 users
  • AI Assistant (nlhpidbjmmffhoogcennoiopekbiglbp) – 60,000 users
  • ChatGPT Translate (acaeafediijmccnjlokgcdiojiljfpbe) – 30,000 users
  • AI GPT (kblengdlefjpjkekanpoidgoghdngdgl) – 20,000 users
  • ChatGPT (llojfncgbabajmdglnkbhmiebiinohek) – 20,000 users
  • AI Sidebar (djhjckkfgancelbmgcamjimgphaphjdl) – 10,000 users
  • Google Gemini (fdlagfnfaheppaigholhoojabfaapnhb) – 10,000 users

The most popular extension was Gemini AI Sidebar with 80,000 users before its removal.

Technical Analysis

The malicious browser add-ons do not implement AI functionality locally. Instead, they deliver the promised features by rendering a full-screen iframe that loads content from a remote domain. This architecture allows publishers to change extension logic at any time without pushing an update—effectively bypassing review processes.

In the background, the extensions extract page content from websites the user visits, including sensitive authentication pages, using Mozilla’s Readability library.

Gmail Targeting

A subset of 15 extensions specifically targets Gmail data using a dedicated content script that:

  • Runs at document_start on mail.google.com
  • Injects UI elements
  • Reads visible email content directly from the DOM
  • Extracts email thread text via .textContent
  • Captures email drafts

According to LayerX: “When Gmail-related features such as AI-assisted replies or summaries are invoked, the extracted email content is passed into the extension’s logic and transmitted to third-party backend infrastructure controlled by the extension operator. As a result, email message text and related contextual data may be sent off-device, outside of Gmail’s security boundary, to remote servers.”

Voice Recognition Capabilities

The extensions also feature a remotely triggered voice recognition and transcript generation mechanism using the Web Speech API. Depending on granted permissions, the extensions may siphon conversations from the victim’s environment.

Indicators of Compromise

C2 Domain: tapnetic[.]pro

Users should check LayerX’s full list of malicious extension IDs and, if compromise is confirmed, reset passwords for all accounts immediately.
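The following triage script is an added example for defenders, not tooling from LayerX or BleepingComputer. It walks a Chrome profile's Extensions directory and flags an installed extension if its ID is one of the seven listed above, if any bundled file contains the C2 domain (the article de-fangs it as tapnetic[.]pro; the literal string on disk would be tapnetic.pro), or if its manifest declares a content script on mail.google.com at document_start, which is the pattern LayerX describes for the Gmail-targeting subset. The profile paths are the usual defaults and are assumptions; the sample extension directory the script builds for itself is constructed data. It also emits an ExtensionInstallBlocklist policy fragment covering the listed IDs.

```python
"""Triage helper for the AiFrame indicators in the article above.
Added example, not LayerX or BleepingComputer tooling."""
import json
import os
import tempfile
from pathlib import Path

# Extension IDs and names exactly as listed in the article (the seven still on the store).
AIFRAME_IDS = {
    "gghdfkafnhfpaooiolhncejnlgglhkhe": "AI Sidebar",
    "nlhpidbjmmffhoogcennoiopekbiglbp": "AI Assistant",
    "acaeafediijmccnjlokgcdiojiljfpbe": "ChatGPT Translate",
    "kblengdlefjpjkekanpoidgoghdngdgl": "AI GPT",
    "llojfncgbabajmdglnkbhmiebiinohek": "ChatGPT",
    "djhjckkfgancelbmgcamjimgphaphjdl": "AI Sidebar",
    "fdlagfnfaheppaigholhoojabfaapnhb": "Google Gemini",
}
# The article de-fangs the C2 as tapnetic[.]pro; the literal string is what appears in code.
C2_DOMAIN = "tapnetic.pro"

# Default-profile Extensions directories (assumed typical locations; other profiles sit beside "Default").
PROFILE_EXTENSION_DIRS = [
    Path.home() / ".config/google-chrome/Default/Extensions",                      # Linux
    Path.home() / "Library/Application Support/Google/Chrome/Default/Extensions",  # macOS
    Path(os.environ.get("LOCALAPPDATA", "")) / "Google/Chrome/User Data/Default/Extensions",  # Windows
]


def iter_extension_versions(extensions_dir):
    """Yield (extension_id, version_dir) for <Extensions>/<id>/<version>/ that hold a manifest."""
    root = Path(extensions_dir)
    if not root.is_dir():
        return
    for id_dir in root.iterdir():
        if not id_dir.is_dir():
            continue
        for version_dir in id_dir.iterdir():
            if (version_dir / "manifest.json").is_file():
                yield id_dir.name, version_dir


def gmail_document_start(manifest):
    """True if a static content script targets mail.google.com and runs at document_start.
    Heuristic only: legitimate Gmail add-ons do this too, and scripts registered at
    runtime via chrome.scripting never appear in the manifest."""
    for script in manifest.get("content_scripts", []):
        if script.get("run_at") != "document_start":
            continue
        if any("mail.google.com" in pattern for pattern in script.get("matches", [])):
            return True
    return False


def references_c2(version_dir):
    """True if the manifest or any bundled .js/.html file contains the C2 domain string."""
    for path in Path(version_dir).rglob("*"):
        if path.suffix in {".json", ".js", ".html"} and path.is_file():
            try:
                if C2_DOMAIN in path.read_text(encoding="utf-8", errors="ignore"):
                    return True
            except OSError:
                continue
    return False


def triage(extensions_dir):
    """Return one finding per installed extension that matches any indicator."""
    findings = []
    for ext_id, version_dir in iter_extension_versions(extensions_dir):
        try:
            manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        reasons = []
        if ext_id in AIFRAME_IDS:
            reasons.append(f"extension ID listed as AiFrame ({AIFRAME_IDS[ext_id]})")
        if references_c2(version_dir):
            reasons.append(f"bundled code references {C2_DOMAIN}")
        if gmail_document_start(manifest):
            reasons.append("content script on mail.google.com at document_start (review manually)")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"), "reasons": reasons})
    return findings


def blocklist_policy(extra_ids=()):
    """Chrome enterprise policy fragment blocking the listed IDs (ExtensionInstallBlocklist)."""
    return {"ExtensionInstallBlocklist": sorted(set(AIFRAME_IDS) | set(extra_ids))}


def build_sample_profile():
    """Construct a throwaway Extensions directory: one extension mimicking the campaign's
    layout (listed ID, Gmail content script, C2 string) and one benign one. Constructed
    sample data, not real extension contents."""
    root = Path(tempfile.mkdtemp(prefix="ext-triage-"))
    bad = root / "gghdfkafnhfpaooiolhncejnlgglhkhe" / "1.0.0_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "name": "AI Sidebar", "manifest_version": 3,
        "content_scripts": [{"matches": ["https://mail.google.com/*"],
                             "js": ["gmail.js"], "run_at": "document_start"}],
    }))
    (bad / "background.js").write_text("const FRAME_URL = 'https://tapnetic.pro/app';\n")
    good = root / "aaaabbbbccccddddeeeeffffgggghhhh" / "2.3.1_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "Tab Counter", "manifest_version": 3}))
    return root


if __name__ == "__main__":
    for directory in [build_sample_profile()] + PROFILE_EXTENSION_DIRS:
        for finding in triage(directory):
            print(finding["id"], finding["name"], "->", "; ".join(finding["reasons"]))
    print(json.dumps(blocklist_policy(), indent=2))
```

Run it on each workstation profile and treat an ID match or a C2 string as confirmed compromise; the Gmail content-script hit alone is only a prompt for manual review, since many legitimate extensions register scripts on mail.google.com and an extension that registers its scripts at runtime will not trip the static check at all.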

Why This Matters

This campaign highlights the growing danger of malicious browser extensions leveraging AI branding to attract victims. With AI tools gaining mainstream adoption, threat actors are capitalizing on user interest in ChatGPT, Gemini, and similar technologies to distribute credential-stealing malware at scale.

Organizations should implement browser extension whitelists and educate users about the risks of installing unverified extensions, even from official stores.

Source: BleepingComputer