A Chrome extension named “QuickLens – Search Screen with Google Lens” has been faraway from the Chrome Net Retailer after it was compromised to push malware and try to steal crypto from hundreds of customers.
QuickLens was initially revealed as a Chrome extension that lets customers run Google Lens searches instantly of their browser. The extension grew to roughly 7,000 customers and, at one level, obtained a featured badge from Google.
Nonetheless, on February 17, 2026, a brand new model 5.8 was launched that contained malicious scripts that launched ClickFix assaults and info-stealing performance for these utilizing the extension.
The malicious QuickLens extension
Safety researchers at Annex first reported that the extension had not too long ago modified possession after being listed on the market on ExtensionHub, a market the place builders promote browser extensions.
Annex says that on February 1, 2026, the proprietor modified to help@doodlebuggle.high below “LLC Quick Lens,” with a brand new privateness coverage hosted on a barely practical area. Simply over two weeks later, the malicious replace was pushed to customers.
Annex’s evaluation exhibits that model 5.8 requested new browser permissions, together with declarativeNetRequestWithHostAccess and webRequest.
It additionally included a guidelines.json file that stripped browser safety headers, corresponding to Content material-Safety-Coverage (CSP), X-Body-Choices, and X-XSS-Safety, from all pages and frames. These headers would have made it harder to run malicious scripts on web sites.
The replace additionally launched communication with a command-and-control (C2) server at api.extensionanalyticspro[.]high. Based on Annex, the extension generated a persistent UUID, fingerprinted the sufferer’s nation utilizing Cloudflare’s hint endpoint, recognized the browser and OS, after which polled the C2 server each 5 minutes for directions.
BleepingComputer discovered concerning the extension this week after seeing quite a few customers [1, 2] reporting faux Google Replace alerts on each net web page they visited.
“That is appearing in every site i go, i through it could be because Chrome wasn’t updated, but even after uptading it continues to appear,” a consumer searching for assist mentioned on Reddit.
“Of course i will not run the code that it copy on my clipboard on the run box but it keeps appearing in every site, making it impossible to interact with anything.”
BleepingComputer’s evaluation of the extension confirmed it related to a C2 server at https://api.extensionanalyticspro[.]top/extensions/callback?uuid=[uuid]&extension=kdenlnncndfnhkognokgfpabgkgehoddto, the place it obtained an array of malicious JavaScript scripts.
These payloads have been then executed on each web page load utilizing a way that Annex described as a “1×1 GIF pixel onload trick.”
Supply: BleepingComputer
As a result of the extension stripped CSP headers on all visited websites, this inline JavaScript execution labored even on websites that might usually block it.
The primary payload contacts google-update[.]icu, the place it receives an extra payload that shows a faux Google Replace immediate. Clicking the replace button would show a ClickFix assault, prompting customers to carry out a verification by operating code on their computer systems.
Supply: Reddit [1, 2]
For Home windows customers, this led to the obtain of a malicious executable named “googleupdate.exe” [VirusTotal] that was signed with a certificates from “Hubei Da’e Zhidao Food Technology Co., Ltd.”
Upon execution, the malware launched a hidden PowerShell command that spawned a second PowerShell occasion to hook up with drivers[.]options/META-INF/xuoa.sys utilizing a customized “Katzilla” consumer agent.
The response was piped into Invoke-Expression for execution. Nonetheless, by the point BleepingComputer analyzed the payloads, the second-stage URL was now not serving any malicious content material.
One other malicious JavaScript “agent” delivered by the https://api.extensionanalyticspro[.]top C2 was used to steal cryptocurrency wallets and credentials.
The extension would detect if MetaMask, Phantom, Coinbase Pockets, Belief Pockets, Solflare, Backpack, Courageous Pockets, Exodus, Binance Chain Pockets, WalletConnect, and the Argon crypto wallets have been put in. If that’s the case, it might try and steal exercise and seed phrases, which might be used to hijack wallets and steal their belongings.
One other script captured login credentials, fee data, and different delicate kind information.
Further payloads have been used to scrape Gmail inbox contents, extract Fb Enterprise Supervisor promoting account information, and acquire YouTube channel data.
A assessment of the now-removed Chrome extension web page claims that macOS customers have been focused with the AMOS (Atomic Stealer) infostealer. BleepingComputer has not been in a position to independently confirm if these claims are true.
Google has since eliminated QuickLens from the Chrome Net Retailer, and Chrome now robotically disables it for affected customers.
Supply: BleepingComputer
Customers who put in QuickLens – Search Display with Google Lens ought to make sure the extension is absolutely eliminated, scan their machine for malware, and reset passwords for any credentials saved within the browser.
Should you use any of the talked about cryptocurrency wallets, you must switch your funds to a brand new pockets.
This extension just isn’t the primary for use in ClickFix assaults. Final month, Huntress found a browser extension that deliberately crashed browsers after which displayed faux fixes that put in the ModeloRAT malware.
Fashionable IT infrastructure strikes sooner than handbook workflows can deal with.
On this new Tines information, find out how your staff can cut back hidden handbook delays, enhance reliability by way of automated response, and construct and scale clever workflows on high of instruments you already use.
