Malicious Chrome AI Extensions Attacking 260,000 Users via Injected IFrames

A coordinated campaign is using malicious Chrome extensions that impersonate popular AI tools like ChatGPT, Claude, Gemini, and Grok.

These fake “AI assistants” spy on users through injected, remote-controlled iframes, turning helpful browser add-ons into surveillance tools. More than 260,000 users have installed these extensions.

Security researchers identified at least 30 Chrome extensions promoted as AI tools for summarizing, chatting, translating, generating images, and boosting Gmail productivity.

Although they use different names and icons, they share the same codebase, permissions, and backend infrastructure, confirming a single organized operation.

Some extensions were even marked as “Featured” in the Chrome Web Store, increasing trust and downloads.

The identified extensions, with their Chrome Web Store IDs and install counts:

| Extension ID | Name | Installs |
|---|---|---|
| nlhpidbjmmffhoogcennoiopekbiglbp | AI Assistant | 50,000 |
| gcfianbpjcfkafpiadmheejkokcmdkjl | Llama | 147 |
| fppbiomdkfbhgjjdmojlogeceejinadg | Gemini AI Sidebar | 80,000 |
| djhjckkfgancelbmgcamjimgphaphjdl | AI Sidebar | 9,000 |
| llojfncgbabajmdglnkbhmiebiinohek | ChatGPT Sidebar | 10,000 |
| gghdfkafnhfpaooiolhncejnlgglhkhe | AI Sidebar | 50,000 |
| cgmmcoandmabammnhfnjcakdeejbfimn | Grok | 261 |
| phiphcloddhmndjbdedgfbglhpkjcffh | Asking Chat Gpt | 396 |
| pgfibniplgcnccdnkhblpmmlfodijppg | ChatGBT | 1,000 |
| nkgbfengofophpmonladgaldioelckbe | Chat Bot GPT | 426 |
| gcdfailafdfjbailcdcbjmeginhncjkb | Grok Chatbot | 225 |
| ebmmjmakencgmgoijdfnbailknaaiffh | Chat With Gemini | 760 |
| baonbjckakcpgliaafcodddkoednpjgf | XAI | 138 |
| fdlagfnfaheppaigholhoojabfaapnhb | Google Gemini | 7,000 |
| gnaekhndaddbimfllbgmecjijbbfpabc | Ask Gemini | 1,000 |
| hgnjolbjpjmhepcbjgeeallnamkjnfgi | AI Letter Generator | 129 |
| lodlcpnbppgipaimgbjgniokjcnpiiad | AI Message Generator | 24 |
| cmpmhhjahlioglkleiofbjodhhiejhei | AI Translator | 194 |
| bilfflcophfehljhpnklmcelkoiffapb | AI For Translation | 91 |
| cicjlpmjmimeoempffghfglndokjihhn | AI Cover Letter Generator | 27 |
| ckneindgfbjnbbiggcmnjeofelhflhaj | AI Image Generator Chat GPT | 249 |
| dbclhjpifdfkofnmjfpheiondafpkoed | Ai Wallpaper Generator | 289 |
| ecikmpoikkcelnakpgaeplcjoickgacj | Ai Picture Generator | 813 |
| kepibgehhljlecgaeihhnmibnmikbnga | DeepSeek Download | 275 |
| ckicoadchmmndbakbokhapncehanaeni | AI Email Writer | 64 |
| fnjinbdmidgjkpmlihcginjipjaoapol | Email Generator AI | 881 |
| gohgeedemmaohocbaccllpkabadoogpl | DeepSeek Chat | 1,000 |
| flnecpdpbhdblkpnegekobahlijbmfok | ChatGPT Picture Generator | 251 |
| acaeafediijmccnjlokgcdiojiljfpbe | ChatGPT Translate | 30,000 |
| kblengdlefjpjkekanpoidgoghdngdgl | AI GPT | 20,000 |
| idhknpoceajhnjokpnbicildeoligdgh | ChatGPT Translation | 1,000 |
| fpmkabpaklbhbhegegapfkenkmpipick | Chat GPT for Gmail | 1,000 |

How the Extensions Work

When one extension is removed, attackers quickly upload a clone with a new name and ID, a tactic known as “extension spraying.”

Instead of running AI features locally, the extensions load a full-screen iframe from attacker-controlled domains such as tapnetic[.]pro.

IFrame Injection (Source: LayerX Security)

This allows operators to change functionality remotely without updating the extension in the Chrome Web Store.

Once installed, the extensions can:

- Extract readable content from active tabs, including authenticated pages.
- Capture voice input using the Web Speech API.
- Track installs and uninstalls using hidden telemetry.

A Gmail-focused cluster of 15 extensions injects scripts directly into mail.google[.]com.

These scripts monitor page changes and repeatedly collect visible email content, including threads, drafts, and replies, and send it to attacker-controlled servers.

Tapnetic[.]pro subdomains on VirusTotal (Source: LayerX Security)

All identified extensions communicate with domains under tapnetic[.]pro and onlineapp[.]pro.

Each extension uses themed subdomains (such as chatgpt.tapnetic[.]pro or gemini.tapnetic[.]pro), but connects to the same backend system.

When one high-install extension was removed in February 2025, an identical replacement appeared within weeks using the same malicious architecture.

According to LayerX Security researchers, the campaign also relies on multiple Gmail accounts to manage and publish extensions.

Tactics and Defender Guidance

| Tactic | Technique Code | Technique Name |
|---|---|---|
| Resource Development | LX2.003 (T1583) | Acquire Infrastructure |
| Initial Access | LX3.004 (T1189) | Drive-by Compromise |
| Initial Access | LX3.003 (T1199) | Trusted Relationship |
| Execution | LX4.003 | Script Execution |
| Defense Evasion | LX7.011 (T1036) | Masquerading |
| Credential Access | LX8.007 (T1557) | Adversary-in-the-Middle |
| Collection | LX10.012 | Web Communication Data Collection |
| Collection | LX10.005 | Collect User's Information |
| Command and Control | LX11.004 | Establish Network Connection |
| Command and Control | LX11.005 | Web Service-Based C2 |
| Exfiltration | LX12.001 | Data Exfiltration |

The operation uses brand impersonation, malicious browser extensions, and web-based command-and-control infrastructure.

By relying on remote iframes, attackers bypass install-time reviews and maintain full control after deployment.

Defenders should:

- Audit AI-branded Chrome extensions in their environments.
- Monitor for suspicious iframe injection and unusual Gmail DOM access.
- Watch for outbound traffic to tapnetic[.]pro and related domains.
- Prioritize runtime monitoring over static extension reviews.

Organizations should treat AI-themed browser extensions with caution and enforce strict extension management policies.
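One way to carry out the audit step above on an endpoint, as an added example that is not part of the article or of LayerX Security's tooling: it walks a Chrome profile's Extensions directory, parses each manifest.json, and flags extension IDs from the table above as well as manifests that request every-site host access or install content scripts on mail.google.com (the pattern the article describes). The profile path and the subset of IDs embedded here are assumptions; extend the set with the full table for real use.

```python
"""Audit installed Chrome extensions against the published ID list and the
article's behavioural pattern. Added example, not the article's own code."""
import json
from pathlib import Path

# Subset of the IDs from the table above (extend with the full list for real use).
KNOWN_BAD_IDS = {
    "nlhpidbjmmffhoogcennoiopekbiglbp",  # AI Assistant
    "fppbiomdkfbhgjjdmojlogeceejinadg",  # Gemini AI Sidebar
    "acaeafediijmccnjlokgcdiojiljfpbe",  # ChatGPT Translate
    "fpmkabpaklbhbhegegapfkenkmpipick",  # Chat GPT for Gmail
}
# Match patterns that grant access to every site (MV2 puts these in "permissions",
# MV3 in "host_permissions"; both keys are checked).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
GMAIL_HOST = "mail.google.com"


def assess_manifest(ext_id: str, manifest: dict) -> list[str]:
    """Return findings for one manifest; an empty list means nothing was flagged."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("id-in-published-list")
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    if hosts & BROAD_HOSTS:
        findings.append("broad-host-permissions")
    if any(GMAIL_HOST in m for cs in manifest.get("content_scripts", []) for m in cs.get("matches", [])):
        findings.append("content-script-on-gmail")
    return findings


def audit_profile(extensions_dir: Path) -> dict[str, list[str]]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and return {id: findings}."""
    report: dict[str, list[str]] = {}
    if not extensions_dir.is_dir():
        return report
    for ext_dir in extensions_dir.iterdir():
        for manifest_path in ext_dir.glob("*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            findings = assess_manifest(ext_dir.name, manifest)
            if findings:
                report.setdefault(ext_dir.name, findings)  # first version seen wins
    return report


if __name__ == "__main__":
    import sys
    # Assumed default path for Linux Chrome; pass another profile's Extensions dir as argv[1].
    profile = Path(sys.argv[1] if len(sys.argv) > 1 else "~/.config/google-chrome/Default/Extensions")
    for ext_id, found in audit_profile(profile.expanduser()).items():
        print(ext_id, ", ".join(found))
```

A hit on "id-in-published-list" is a confirmed match; the other two findings are only indicators and will also fire on legitimate extensions, so treat them as triage input, not verdicts.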

The post Malicious Chrome AI Extensions Attacking 260,000 Users via Injected IFrames appeared first on Cyber Security News.

Source: cybersecuritynews.com
