A malicious browser extension campaign dubbed AiFrame has been identified distributing fake AI assistant tools through the Chrome Web Store. At least 30 malicious extensions, installed by 300,000+ users, impersonate AI productivity tools such as Gemini and ChatGPT to harvest credentials, email content, browsing data, and voice transcripts.
The extensions extract webpage content, including authentication flows, and specifically target Gmail sessions, capturing email threads and drafts directly from the browser DOM.
Threat Overview
The AiFrame campaign leverages user trust in AI-branded productivity tools. Rather than providing local AI functionality, the extensions:
- Render full-screen remote content via iframe
- Harvest page data using browser scripts
- Transmit extracted data to attacker-controlled infrastructure
All variants communicate with infrastructure tied to:
tapnetic[.]pro
Shared infrastructure, permissions, and code structure strongly indicate a centralized operation.
Technical Behavior
1. Data Harvesting Mechanism
The extensions inject scripts that read webpage DOM content to extract authentication details and sensitive application data during normal browsing. They use a content parsing library to convert structured pages into easily exfiltrated text, enabling credential and document harvesting without obvious user awareness.
2. Gmail-Specific Targeting
Some variants execute scripts as Gmail loads, scraping visible email content, including drafts and active threads, directly from the interface. The captured data is transmitted to attacker infrastructure outside Google’s security boundary, creating a covert channel for corporate communication and credential exposure.
3. Remote-Controlled Functionality
Rather than relying on static code, the extensions load remote iframe content that operators can modify at any time. This architecture allows behavior changes without store updates, enabling rapid pivots toward credential harvesting, session interception, or surveillance while reducing detection visibility.
4. Voice Data Capture Capability
Certain variants leverage the Web Speech API to enable voice transcription features that can be remotely triggered. While permission-dependent, this capability introduces the risk of capturing spoken content or environmental audio, expanding the extensions’ surveillance potential beyond traditional data theft.
Known Malicious Extensions (Partial List)
| Extension Name | ID | Reported Installs |
| --- | --- | --- |
| AI Sidebar | gghdfkafnhfpaooiolhncejnlgglhkhe | ~70K |
| AI Assistant | nlhpidbjmmffhoogcennoiopekbiglbp | ~60K |
| ChatGPT Translate | acaeafediijmccnjlokgcdiojiljfpbe | ~30K |
| AI GPT | kblengdlefjpjkekanpoidgoghdngdgl | ~20K |
| ChatGPT | llojfncgbabajmdglnkbhmiebiinohek | ~20K |
| Google Gemini | fdlagfnfaheppaigholhoojabfaapnhb | ~10K |
(Additional variants exist. You can find the full list here.)
Indicators of Compromise
Primary infrastructure:
tapnetic[.]pro
Behavioral IoCs:
- Extension content scripts running on Gmail
- Unauthorized DOM scraping activity
- Browser extensions requesting excessive permissions
- Remote iframe AI UI rendering
Mitigation & Response
Detect and remove malicious extensions
Security teams should immediately audit installed browser extensions across affected endpoints and remove any identified malicious variants. Browser activity and identity logs should be reviewed to determine whether sensitive data or sessions may have been accessed.
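The audit step above can be scripted. The following is an added example, not code from the advisory or from OP Innovate: it checks each installed extension against the extension IDs and the tapnetic[.]pro domain listed in this advisory, and against the behavioral IoCs (content scripts on Gmail, host access to all sites). The Chrome profile layout `<profile>/Extensions/<id>/<version>/manifest.json` is how Chrome stores unpacked Web Store extensions; the sample manifests embedded at the bottom are constructed to resemble the described behaviour and are not copied from a real extension.

```python
"""Audit installed Chrome extensions against the AiFrame indicators in this advisory.

Added example (not part of the original advisory). The extension IDs and the
tapnetic.pro domain come from the advisory; the SAMPLE_EXTENSIONS data is
constructed to resemble the described behaviour, not taken from a real extension.
"""
import json
from pathlib import Path

# Extension IDs from the advisory's partial table.
KNOWN_AIFRAME_IDS = {
    "gghdfkafnhfpaooiolhncejnlgglhkhe": "AI Sidebar",
    "nlhpidbjmmffhoogcennoiopekbiglbp": "AI Assistant",
    "acaeafediijmccnjlokgcdiojiljfpbe": "ChatGPT Translate",
    "kblengdlefjpjkekanpoidgoghdngdgl": "AI GPT",
    "llojfncgbabajmdglnkbhmiebiinohek": "ChatGPT",
    "fdlagfnfaheppaigholhoojabfaapnhb": "Google Gemini",
}

# Primary infrastructure from the advisory (written there defanged as tapnetic[.]pro).
ATTACKER_DOMAINS = ("tapnetic.pro",)

# Match patterns that grant a script or permission access to every site.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_extension(ext_id, manifest, bundled_source=""):
    """Return a list of human-readable findings for one extension.

    manifest       -- parsed manifest.json (dict)
    bundled_source -- concatenated text of the extension's JS/HTML files, if available
    """
    findings = []
    if ext_id in KNOWN_AIFRAME_IDS:
        findings.append(f"known AiFrame ID ({KNOWN_AIFRAME_IDS[ext_id]})")

    # Behavioral IoC: a content script scheduled to run on Gmail (directly or via a broad pattern).
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if "mail.google.com" in pattern or pattern in BROAD_MATCHES:
                findings.append(f"content script matches Gmail via {pattern}")
                break

    # Behavioral IoC: excessive host access (MV3 host_permissions or MV2 permissions).
    hosts = set(manifest.get("host_permissions", [])) | set(manifest.get("permissions", []))
    if hosts & BROAD_MATCHES:
        findings.append("requests host access to all sites")

    # Infrastructure IoC: attacker domain anywhere in the manifest or bundled code.
    haystack = json.dumps(manifest) + bundled_source
    for domain in ATTACKER_DOMAINS:
        if domain in haystack:
            findings.append(f"references attacker domain {domain}")
    return findings


def load_installed(profile_dir):
    """Yield (ext_id, manifest, bundled_source) for every extension in a Chrome profile.

    Chrome keeps each extension under <profile>/Extensions/<id>/<version>/.
    """
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return
    for ext_dir in ext_root.iterdir():
        if not ext_dir.is_dir():
            continue
        for version_dir in ext_dir.iterdir():
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8", errors="replace"))
            source = "".join(p.read_text(encoding="utf-8", errors="replace")
                             for p in version_dir.rglob("*") if p.suffix in (".js", ".html"))
            yield ext_dir.name, manifest, source


def audit_all(extensions):
    """Map ext_id -> findings, keeping only extensions with at least one finding."""
    report = {}
    for ext_id, manifest, source in extensions:
        findings = audit_extension(ext_id, manifest, source)
        if findings:
            report[ext_id] = findings
    return report


# Constructed sample data: one extension shaped like the advisory's description, one benign.
SAMPLE_EXTENSIONS = [
    ("gghdfkafnhfpaooiolhncejnlgglhkhe",
     {"manifest_version": 3, "name": "AI Sidebar",
      "host_permissions": ["<all_urls>"],
      "content_scripts": [{"matches": ["https://mail.google.com/*"], "js": ["gmail.js"]}]},
     'const ui = document.createElement("iframe"); ui.src = "https://tapnetic.pro/app";'),
    ("abcdefghijklmnopabcdefghijklmnop",  # placeholder ID for a benign extension
     {"manifest_version": 3, "name": "Tab Counter", "permissions": ["tabs"]},
     'chrome.tabs.query({}, t => console.log(t.length));'),
]

if __name__ == "__main__":
    # Replace SAMPLE_EXTENSIONS with load_installed("~/.config/google-chrome/Default") on a real endpoint.
    for ext_id, findings in audit_all(SAMPLE_EXTENSIONS).items():
        print(ext_id, "->", "; ".join(findings))
```

The ID match is the only definitive indicator; the Gmail, broad-host and domain checks are the advisory's behavioral IoCs and will also flag legitimate extensions that need wide access, so treat those hits as candidates for review rather than automatic removal.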
Rotate credentials
Any accounts used within affected browsers should be treated as potentially compromised. Password resets should be enforced for email, SSO, and cloud services, and active sessions revoked.
Preventative hardening
Organizations should strengthen browser governance by restricting extension installations and allowing only vetted tools. User awareness around AI-themed extensions and third-party browser add-ons is essential.
Stay Safe. Stay Secure.
OP Innovate Research Team