A Chrome extension named “QuickLens – Search Display screen with Google Lens” has been faraway from the Chrome Net Retailer after it was compromised to push malware and try to steal crypto from 1000’s of customers.
QuickLens was initially revealed as a Chrome extension that lets customers run Google Lens searches straight of their browser. The extension grew to roughly 7,000 customers and, at one level, obtained a featured badge from Google.
Nevertheless, on February 17, 2026, a brand new model 5.8 was launched that contained malicious scripts that launched ClickFix assaults and info-stealing performance for these utilizing the extension.
The malicious QuickLens extension
Safety researchers at Annex first reported that the extension had just lately modified possession after being listed on the market on ExtensionHub, a market the place builders promote browser extensions.
Annex says that on February 1, 2026, the proprietor modified to assist@doodlebuggle.high underneath “LLC Fast Lens,” with a brand new privateness coverage hosted on a barely useful area. Simply over two weeks later, the malicious replace was pushed to customers.
Annex’s evaluation exhibits that model 5.8 requested new browser permissions, together with declarativeNetRequestWithHostAccess and webRequest.
It additionally included a guidelines.json file that stripped browser safety headers, akin to Content material-Safety-Coverage (CSP), X-Body-Choices, and X-XSS-Safety, from all pages and frames. These headers would have made it tougher to run malicious scripts on web sites.
The replace additionally launched communication with a command-and-control (C2) server at api.extensionanalyticspro[.]high. In response to Annex, the extension generated a persistent UUID, fingerprinted the sufferer’s nation utilizing Cloudflare’s hint endpoint, recognized the browser and OS, after which polled the C2 server each 5 minutes for directions.
BleepingComputer discovered concerning the extension this week after seeing quite a few customers [1, 2] reporting faux Google Replace alerts on each internet web page they visited.
“That’s showing in each web site i am going, i by means of it might be as a result of Chrome wasn’t up to date, however even after uptading it continues to seem,” a consumer in search of assist mentioned on Reddit.
“After all i cannot run the code that it copy on my clipboard on the run field but it surely retains showing in each web site, making it inconceivable to work together with something.”
BleepingComputer’s evaluation of the extension confirmed it linked to a C2 server at https://api.extensionanalyticspro[.]high/extensions/callback?uuid=[uuid]&extension=kdenlnncndfnhkognokgfpabgkgehoddto, the place it obtained an array of malicious JavaScript scripts.
These payloads have been then executed on each web page load utilizing a method that Annex described as a “1×1 GIF pixel onload trick.”
Supply: BleepingComputer
As a result of the extension stripped CSP headers on all visited websites, this inline JavaScript execution labored even on websites that might usually block it.
The primary payload contacts google-update[.]icu, the place it receives an extra payload that shows a faux Google Replace immediate. Clicking the replace button would show a ClickFix assault, prompting customers to carry out a verification by operating code on their computer systems.
For Home windows customers, this led to the obtain of a malicious executable named “googleupdate.exe” [VirusTotal] that was signed with a certificates from “Hubei Da’e Zhidao Meals Expertise Co., Ltd.”
Upon execution, the malware launched a hidden PowerShell command that spawned a second PowerShell occasion to connect with drivers[.]options/META-INF/xuoa.sys utilizing a customized “Katzilla” consumer agent.
The response was piped into Invoke-Expression for execution. Nevertheless, by the point BleepingComputer analyzed the payloads, the second-stage URL was now not serving any malicious content material.
One other malicious JavaScript “agent” delivered by the https://api.extensionanalyticspro[.]high C2 was used to steal cryptocurrency wallets and credentials.
The extension would detect if MetaMask, Phantom, Coinbase Pockets, Belief Pockets, Solflare, Backpack, Courageous Pockets, Exodus, Binance Chain Pockets, WalletConnect, and the Argon crypto wallets have been put in. If that’s the case, it will try to steal exercise and seed phrases, which might be used to hijack wallets and steal their belongings.
One other script captured login credentials, fee data, and different delicate kind knowledge.
Further payloads have been used to scrape Gmail inbox contents, extract Fb Enterprise Supervisor promoting account knowledge, and acquire YouTube channel data.
A evaluate of the now-removed Chrome extension web page claims that macOS customers have been focused with the AMOS (Atomic Stealer) infostealer. BleepingComputer has not been capable of independently confirm if these claims are true.
Google has since eliminated QuickLens from the Chrome Net Retailer, and Chrome now routinely disables it for affected customers.
Supply: BleepingComputer
Customers who put in QuickLens – Search Display screen with Google Lens ought to make sure the extension is totally eliminated, scan their machine for malware, and reset passwords for any credentials saved within the browser.
Should you use any of the talked about cryptocurrency wallets, you must switch your funds to a brand new pockets.
This extension isn’t the primary for use in ClickFix assaults. Final month, Huntress found a browser extension that deliberately crashed browsers after which displayed faux fixes that put in the ModeloRAT malware.
Trendy IT infrastructure strikes sooner than handbook workflows can deal with.
On this new Tines information, learn the way your group can cut back hidden handbook delays, enhance reliability by means of automated response, and construct and scale clever workflows on high of instruments you already use.
