QuickLens Chrome Extension Supply Chain Attack: Cryptocurrency Theft and ClickFix Malware Campaign Analysis

Executive Summary
The recent compromise of the QuickLens Chrome extension, officially titled QuickLens – Search Screen with Google Lens, represents a significant escalation in browser extension supply chain attacks. In February 2026, threat actors acquired and weaponized this previously benign extension, leveraging its user base of over 7,000 Chrome users to deploy a sophisticated multi-stage malware campaign. The attackers utilized advanced techniques to bypass browser security, steal cryptocurrency assets, exfiltrate credentials, and execute a novel ClickFix attack, which manipulates users into executing malicious code under the guise of a legitimate browser update. This incident underscores the critical risk posed by third-party browser extensions and highlights the need for robust extension vetting, user education, and continuous monitoring.
Threat Actor Profile
Attribution for the QuickLens campaign remains inconclusive, with no direct links to established Advanced Persistent Threat (APT) groups. However, the tactics, techniques, and procedures (TTPs) observed align with those of financially motivated cybercriminals specializing in browser extension hijacks and cryptocurrency theft. The infrastructure and payload delivery mechanisms show overlap with previous campaigns involving ModeloRAT and other infostealer operations. The threat actors demonstrated a high degree of operational security, utilizing signed binaries, dynamic payload delivery, and rapid infrastructure turnover. The campaign’s global reach and focus on digital asset theft suggest a profit-driven motive rather than state-sponsored espionage.
Technical Analysis of Malware/TTPs
The attack chain began with the transfer of QuickLens extension ownership to an entity using the email support@doodlebuggle.top (LLC Quick Lens), following the extension's listing for sale on ExtensionHub. On February 17, 2026, version 5.8 of the extension was released, embedding malicious scripts and requesting elevated permissions, specifically declarativeNetRequestWithHostAccess and webRequest. These permissions enabled the extension to ship a declarativeNetRequest ruleset (rules.json) that systematically stripped critical security headers—Content Security Policy (CSP), X-Frame-Options, and X-XSS-Protection—from the responses of all visited web pages. With those headers removed, browser-enforced restrictions on script execution and framing no longer applied, allowing the extension to inject arbitrary JavaScript into any page.
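The header-stripping behaviour described above is visible in the extension package itself before any code runs. The audit script below is an added example (not code from the advisory, Rescana, or the QuickLens extension) that parses a manifest.json and a declarativeNetRequest rules.json and flags the combination that makes this attack work: broad host permissions plus modifyHeaders rules that remove security response headers. The SAMPLE_MANIFEST and SAMPLE_RULES values are constructed to mirror the advisory's description of version 5.8; they are not the real extension files, and the header and permission lists are this example's own choices.

```python
"""Audit a Chrome extension's manifest and declarativeNetRequest rules for
security-header stripping. Sample data below is constructed to mirror the
behaviour described in the advisory; it is NOT the real QuickLens files."""
import json

# Response headers a benign extension should almost never remove globally.
SECURITY_HEADERS = {
    "content-security-policy",
    "content-security-policy-report-only",
    "x-frame-options",
    "x-xss-protection",
    "x-content-type-options",
    "strict-transport-security",
}

# Permissions that let an extension rewrite traffic on every host it can reach.
HIGH_RISK_PERMISSIONS = {
    "declarativeNetRequestWithHostAccess",
    "webRequest",
    "webRequestBlocking",
}

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> list[str]:
    """Flag broad host access and traffic-rewriting permissions."""
    findings = []
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    for p in sorted(perms & HIGH_RISK_PERMISSIONS):
        findings.append(f"permission:{p}")
    if set(manifest.get("host_permissions", [])) & BROAD_HOSTS:
        findings.append("host_permissions:broad")
    return findings


def audit_dnr_rules(rules: list[dict]) -> list[str]:
    """Flag modifyHeaders rules that remove security response headers."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        cond = rule.get("condition", {})
        scope = cond.get("urlFilter") or cond.get("regexFilter") or "(unscoped)"
        # Compare in lowercase; header names are case-insensitive.
        for h in action.get("responseHeaders", []):
            name = h.get("header", "").lower()
            if h.get("operation") == "remove" and name in SECURITY_HEADERS:
                findings.append(f"rule {rule.get('id')}: removes {name} for {scope}")
    return findings


def audit_extension(manifest: dict, rules: list[dict]) -> dict:
    """Combine both checks; 'high' when broad host access meets header removal."""
    m = audit_manifest(manifest)
    r = audit_dnr_rules(rules)
    risk = "high" if r and "host_permissions:broad" in m else ("medium" if m or r else "low")
    return {"manifest": m, "rules": r, "risk": risk}


# Constructed sample, modelled on the advisory's description of version 5.8.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Example Lens Helper (constructed sample)",
  "version": "5.8",
  "permissions": ["declarativeNetRequestWithHostAccess", "webRequest", "storage"],
  "host_permissions": ["<all_urls>"],
  "declarative_net_request": {
    "rule_resources": [{"id": "ruleset_1", "enabled": true, "path": "rules.json"}]
  }
}""")

SAMPLE_RULES = json.loads("""[
  {"id": 1, "priority": 1,
   "action": {"type": "modifyHeaders",
              "responseHeaders": [
                {"header": "Content-Security-Policy", "operation": "remove"},
                {"header": "X-Frame-Options", "operation": "remove"},
                {"header": "X-XSS-Protection", "operation": "remove"}]},
   "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}},
  {"id": 2, "priority": 1,
   "action": {"type": "block"},
   "condition": {"urlFilter": "||ads.example", "resourceTypes": ["script"]}}
]""")

if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, SAMPLE_RULES), indent=2))
```

Run against a real unpacked extension by loading its manifest.json and each file named under declarative_net_request.rule_resources; a "high" result on an extension whose stated purpose does not involve rewriting responses is the kind of ownership-change signal the advisory's long-term countermeasures call for.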
The extension established persistent command-and-control (C2) communication with api.extensionanalyticspro[.]top, polling every five minutes and transmitting a unique identifier, browser and OS metadata, and geolocation data (obtained via Cloudflare trace endpoints). Payload delivery used an invisible 1x1 GIF pixel whose “onload” handler injected and executed attacker-supplied JavaScript on every page load. The initial payload contacted google-update[.]icu and presented users with a fraudulent Google Update prompt. Interacting with this prompt triggered the ClickFix attack, which coerced users into running attacker-supplied code under the pretense of a necessary browser update.
For Windows environments, the extension downloaded a malicious executable, googleupdate.exe, signed by "Hubei Da'e Zhidao Food Technology Co., Ltd." This binary executed concealed PowerShell commands to retrieve a second-stage payload from drivers[.]solutions/META-INF/xuoa.sys, utilizing a custom "Katzilla" user agent to evade detection. The malware exhibited advanced credential harvesting capabilities, targeting browser-based cryptocurrency wallets including MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Backpack, Brave Wallet, Exodus, Binance Chain Wallet, WalletConnect, and Argon. It exfiltrated seed phrases, transaction histories, and wallet activity, enabling full account compromise. Additionally, the malware harvested browser-stored credentials, payment information, and sensitive form data, and deployed scripts to scrape Gmail inboxes, Facebook Business Manager assets, and YouTube channel information.
Unconfirmed reports suggest that macOS users may have been targeted with the AMOS (Atomic Stealer) infostealer, although this vector has not been independently verified by primary sources such as BleepingComputer.
Exploitation in the Wild
The malicious QuickLens extension was distributed via the official Chrome Web Store, leveraging the platform’s update mechanism to propagate the compromised version to existing users. Over 7,000 Chrome users worldwide were affected before the extension’s removal. Victims reported persistent fake Google Update popups, forced malware downloads, browser instability, and unauthorized access to cryptocurrency wallets and online accounts. The attack vector’s reliance on social engineering—specifically, the ClickFix technique—enabled the threat actors to bypass traditional endpoint security controls by manipulating users into executing malicious code themselves.
Community reports on Reddit and other forums corroborate widespread exploitation, with users describing browser lockouts, credential theft, and unauthorized crypto asset transfers. The campaign’s global reach and indiscriminate targeting indicate a broad, opportunistic approach rather than a focused attack on specific organizations or geographies.
Victimology and Targeting
The primary victims of the QuickLens campaign were individual Chrome users, particularly those utilizing browser-based cryptocurrency wallets. Secondary targets included digital asset holders, online advertisers (notably those managing Facebook Business Manager accounts), YouTube content creators, and users with significant browser-stored credentials. The attack did not exhibit sector-specific targeting, instead exploiting the extension’s user base for maximum reach and financial gain. The campaign’s impact was global, with affected users reported across multiple continents and no evidence of geographic discrimination.
Mitigation and Countermeasures
Immediate mitigation steps include the removal of the QuickLens extension from all endpoints, comprehensive malware scanning with a focus on PowerShell artifacts and dropped executables, and the resetting of credentials for all browser-stored accounts. Users of affected cryptocurrency wallets should transfer assets to new wallets and treat all seed phrases as compromised. Organizations should monitor network traffic for connections to the identified IOCs, including api.extensionanalyticspro[.]top, google-update[.]icu, and drivers[.]solutions, and block these domains at the network perimeter.
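The network behaviour described in the technical analysis (five-minute C2 polling, the fake-update domain, the second-stage download with its custom "Katzilla" User-Agent) and the monitoring advice above can be turned into a log check. The script below is an added example, not code from the advisory or from Rescana: it refangs the three listed domains, scans proxy log lines for them and for the downloader User-Agent, and flags client/host pairs whose request timing matches fixed-interval beaconing. The log format, the sample lines, and the tolerance and minimum-hit thresholds are this example's own constructed assumptions.

```python
"""Scan web-proxy logs for the advisory's network indicators, the custom
downloader User-Agent, and the five-minute C2 polling pattern.
The log format and the log lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Indicators exactly as listed in the advisory, in defanged form.
DEFANGED_IOCS = [
    "api.extensionanalyticspro[.]top",
    "google-update[.]icu",
    "drivers[.]solutions",
]

# User-Agent the advisory attributes to the second-stage download.
SUSPICIOUS_UA_SUBSTRINGS = {"katzilla"}


def refang(indicator: str) -> str:
    """Turn defanged 'example[.]com' / 'hxxp' notation into matchable text."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}

# Constructed format: <ISO timestamp> <client ip> <host> <path> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def host_matches(host: str) -> bool:
    """True for an indicator host or any subdomain of it (not a bare suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_HOSTS)


def find_beacons(records, period_s=300, tolerance_s=15, min_hits=3):
    """Flag (client, host) series whose inter-request gaps all sit within
    tolerance of the period, i.e. fixed-interval polling rather than browsing."""
    series = defaultdict(list)
    for r in records:
        series[(r["client"], r["host"])].append(r["ts"])
    hits = []
    for (client, host), stamps in series.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if all(abs(g - period_s) <= tolerance_s for g in gaps):
            hits.append({"client": client, "host": host, "count": len(stamps)})
    return hits


def analyze(log_text: str) -> dict:
    """Run all three checks over raw log text."""
    records = [r for r in (parse_line(line) for line in log_text.splitlines()) if r]
    return {
        "ioc_hits": [(r["client"], r["host"], r["path"])
                     for r in records if host_matches(r["host"])],
        "suspicious_ua": [(r["client"], r["host"], r["ua"]) for r in records
                          if any(s in r["ua"].lower() for s in SUSPICIOUS_UA_SUBSTRINGS)],
        "beacons": find_beacons(records),
    }


# Constructed sample: one infected client (10.0.0.5) and one clean client (10.0.0.9).
# The cloudflare.com trace request is benign on its own and is deliberately not an IOC.
SAMPLE_LOG = """
2026-02-18T10:00:03 10.0.0.5 api.extensionanalyticspro.top /ping?id=abc "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2026-02-18T10:01:00 10.0.0.9 www.example.com / "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2026-02-18T10:02:10 10.0.0.5 www.cloudflare.com /cdn-cgi/trace "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2026-02-18T10:05:01 10.0.0.5 api.extensionanalyticspro.top /ping?id=abc "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2026-02-18T10:06:00 10.0.0.9 www.example.com /about "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2026-02-18T10:10:04 10.0.0.5 api.extensionanalyticspro.top /ping?id=abc "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2026-02-18T10:15:02 10.0.0.5 api.extensionanalyticspro.top /ping?id=abc "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2026-02-18T10:16:40 10.0.0.5 google-update.icu /update.html "Mozilla/5.0 (Windows NT 10.0) Chrome/122"
2026-02-18T10:17:30 10.0.0.5 drivers.solutions /META-INF/xuoa.sys "Katzilla"
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The beacon check is the part that survives infrastructure turnover: once the attackers rotate domains, the IOC list goes stale, but a client that contacts the same host every five minutes with near-constant spacing still stands out, so it is worth running the timing check across all hosts rather than only the listed ones.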
Long-term countermeasures involve rigorous review of browser extension permissions and ownership changes, implementation of allowlisting policies for browser extensions, and user education on the risks associated with browser extension updates and social engineering tactics such as fake update prompts. Security teams should leverage endpoint detection and response (EDR) solutions capable of detecting anomalous PowerShell activity and unauthorized credential access. Regular audits of browser extension inventories and proactive threat intelligence monitoring are essential to mitigate future supply chain risks.
References
BleepingComputer: QuickLens Chrome extension steals crypto, shows ClickFix attack
VirusTotal: googleupdate.exe sample
Annex Security Research (Twitter/X): Incident thread
BleepingComputer: Pastebin comments push ClickFix JavaScript attack to hijack crypto swaps
BleepingComputer: Fake ad blocker extension crashes the browser for ClickFix attacks
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and business operations.
For further information or to discuss this advisory, please contact us at ops@rescana.com.