rss-bridge 2026-02-28T19:18:52+00:00

QuickLens Chrome extension steals crypto, shows ClickFix attack

Lawrence Abrams

  • February 28, 2026
  • 02:18 PM

A Chrome extension named "QuickLens - Search Screen with Google Lens" has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.

QuickLens was initially published as a Chrome extension that lets users run Google Lens searches directly in their browser. The extension grew to roughly 7,000 users and, at one point, received a featured badge from Google.

However, on February 17, 2026, a new version 5.8 was released that contained malicious scripts that introduced ClickFix attacks and info-stealing functionality for those using the extension.

The malicious QuickLens extension

Security researchers at Annex first reported that the extension had recently changed ownership after being listed for sale on ExtensionHub, a marketplace where developers sell browser extensions.

Annex says that on February 1, 2026, the owner changed to support@doodlebuggle.top under "LLC Quick Lens," with a new privacy policy hosted on a barely functional domain. Just over two weeks later, the malicious update was pushed to users.

Annex's analysis shows that version 5.8 requested new browser permissions, including declarativeNetRequestWithHostAccess and webRequest.

It also included a rules.json file that stripped browser security headers, such as Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection, from all pages and frames. These headers would have made it more difficult to run malicious scripts on websites.
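As an added defensive example (not code from the article, from Annex, or from the extension itself), the following Python audit reads an unpacked extension's parsed manifest.json and declarativeNetRequest rule file and flags the combination described above: broad network permissions, all-hosts access, and modifyHeaders rules that remove Content-Security-Policy, X-Frame-Options or X-XSS-Protection. The sample manifest and rules are constructed to mirror that description, not the real QuickLens files.

```python
import json

# Response headers whose removal weakens page protections; the article names the
# first three as the ones version 5.8's rules.json stripped from all pages and frames.
SECURITY_HEADERS = {"content-security-policy", "content-security-policy-report-only",
                    "x-frame-options", "x-xss-protection", "strict-transport-security"}
# Permissions that let an extension rewrite or observe traffic on every site it can reach.
BROAD_NETWORK_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess",
                             "webRequest", "webRequestBlocking"}

def header_stripping_rules(rules):
    """Return (rule id, header, urlFilter) for each rule that removes a security header."""
    hits = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        url_filter = rule.get("condition", {}).get("urlFilter", "*")
        for hdr in action.get("responseHeaders", []):
            name = hdr.get("header", "").lower()
            if hdr.get("operation") == "remove" and name in SECURITY_HEADERS:
                hits.append((rule.get("id"), name, url_filter))
    return hits

def audit_extension(manifest, rulesets):
    """Audit an unpacked extension: `manifest` is the parsed manifest.json and
    `rulesets` maps each rule file path named in it to that file's parsed JSON."""
    broad = sorted(BROAD_NETWORK_PERMISSIONS & set(manifest.get("permissions", [])))
    all_hosts = any(h in ("<all_urls>", "*://*/*") for h in manifest.get("host_permissions", []))
    stripped = []
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        if res.get("enabled") and res.get("path") in rulesets:
            stripped += header_stripping_rules(rulesets[res["path"]])
    # Stripping CSP on every host is the combination that let inline payloads run anywhere.
    verdict = "HIGH" if stripped and all_hosts else ("REVIEW" if broad else "OK")
    return {"broad_permissions": broad, "all_hosts": all_hosts,
            "stripped_headers": stripped, "verdict": verdict}

# Constructed sample modelled on the article's description; not the real QuickLens files.
SAMPLE_MANIFEST = json.loads("""{"manifest_version": 3, "name": "sample", "version": "5.8",
  "permissions": ["storage", "declarativeNetRequestWithHostAccess", "webRequest"],
  "host_permissions": ["<all_urls>"],
  "declarative_net_request": {"rule_resources": [{"id": "rs1", "enabled": true, "path": "rules.json"}]}}""")
SAMPLE_RULES = json.loads("""[{"id": 1, "priority": 1,
  "action": {"type": "modifyHeaders", "responseHeaders": [
    {"header": "Content-Security-Policy", "operation": "remove"},
    {"header": "X-Frame-Options", "operation": "remove"},
    {"header": "X-XSS-Protection", "operation": "remove"}]},
  "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]}}]""")
```

Running `audit_extension(SAMPLE_MANIFEST, {"rules.json": SAMPLE_RULES})` returns a HIGH verdict listing the three stripped headers; a manifest with only `storage` returns OK.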

The update also introduced communication with a command-and-control (C2) server at api.extensionanalyticspro[.]top. According to Annex, the extension generated a persistent UUID, fingerprinted the victim's country using Cloudflare's trace endpoint, identified the browser and OS, and then polled the C2 server every five minutes for instructions.

BleepingComputer learned about the extension this week after seeing numerous users [1], [2] reporting fake Google Update alerts on every web page they visited.

"That is appearing in every site I go, I thought it could be because Chrome wasn't updated, but even after updating it continues to appear," a user seeking help said on Reddit.

"Of course I will not run the code that it copies on my clipboard on the run box but it keeps appearing in every site, making it impossible to interact with anything."

BleepingComputer's analysis of the extension showed it connected to a C2 server at https://api.extensionanalyticspro[.]top/extensions/callback?uuid=[uuid]&extension=kdenlnncndfnhkognokgfpabgkgehoddto, where it received an array of malicious JavaScript scripts.

These payloads were then executed on every page load using a technique that Annex described as a "1x1 GIF pixel onload trick."

[Array of malicious JavaScript payloads]

*Array of malicious JavaScript payloads
Source: BleepingComputer*

Because the extension stripped CSP headers on all visited sites, this inline JavaScript execution worked even on sites that would normally block it.

The first payload contacts google-update[.]icu, where it receives an additional payload that displays a fake Google Update prompt. Clicking the update button would display a ClickFix attack, prompting users to perform a verification by running code on their computers.

[Fake Google Update alert leading to a ClickFix attack]

*Fake Google Update alert leading to a ClickFix attack
Source: Reddit [1], [2]*

For Windows users, this led to the download of a malicious executable named "googleupdate.exe" [VirusTotal] that was signed with a certificate from "Hubei Da'e Zhidao Food Technology Co., Ltd."

The response was piped into Invoke-Expression for execution. However, by the time BleepingComputer analyzed the payloads, the second-stage URL was no longer serving any malicious content.

Another malicious JavaScript "agent" delivered by the https://api.extensionanalyticspro[.]top C2 was used to steal cryptocurrency wallets and credentials.

The extension would detect if MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Backpack, Brave Wallet, Exodus, Binance Chain Wallet, WalletConnect, and the Argon crypto wallets were installed. If so, it would attempt to steal activity and seed phrases, which would be used to hijack wallets and steal their assets.

Another script captured login credentials, payment information, and other sensitive form data.

Additional payloads were used to scrape Gmail inbox contents, extract Facebook Business Manager advertising account data, and collect YouTube channel information.

A review of the now-removed Chrome extension page claims that macOS users were targeted with the AMOS (Atomic Stealer) infostealer. BleepingComputer has not been able to independently verify if these claims are true.

Google has since removed QuickLens from the Chrome Web Store, and Chrome now automatically disables it for affected users.

[QuickLens disabled and flagged as malware by Chrome]

*QuickLens disabled and flagged as malware by Chrome
Source: BleepingComputer*

Users who installed QuickLens - Search Screen with Google Lens should ensure the extension is fully removed, scan their device for malware, and reset passwords for any credentials stored in the browser.

If you use any of the mentioned cryptocurrency wallets, you should transfer your funds to a new wallet.

This extension is not the first to be used in ClickFix attacks. Last month, Huntress discovered a browser extension that intentionally crashed browsers and then displayed fake fixes that installed the ModeloRAT malware.
