
Chromium extension uses AI‑related branding to redirect browser search

Medium
Published: 06/29/2026 (06/29/2026, 20:08:24 UTC)
Source: AlienVault OTX General

Description

Microsoft Threat Intelligence identified a malicious Chromium extension spoofing Perplexity AI to deceive users into installation. The extension's primary objective involves search traffic interception and data collection through Manifest Version 3 capabilities and declarativeNetRequest rules. It routes both full search queries and real-time keystrokes through attacker-controlled infrastructure hosted on a typosquatted domain before redirecting to legitimate search providers. The extension overrides browser default search settings, captures user input at keystroke-level, and uses suspicious permissions inconsistent with legitimate AI assistants. The threat demonstrates how actors operationalize AI branding as social engineering vectors. Google removed the extension following responsible disclosure. Organizations should strengthen user awareness training and implement layered security strategies to detect similar threats.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/30/2026, 11:36:22 UTC

Technical Analysis

Microsoft Threat Intelligence identified a malicious Chromium extension spoofing the Perplexity AI brand to deceive users into installation. The extension's main function was to intercept search traffic and collect data, including real-time keystrokes, using Manifest Version 3 capabilities and declarativeNetRequest rules. It routed full search queries and keystrokes through attacker-controlled infrastructure hosted on a typosquatted domain (perplexity-ai.online) before redirecting users to legitimate search providers. The extension also overrode browser default search settings and requested permissions inconsistent with legitimate AI assistants. Google removed the extension following responsible disclosure. This campaign illustrates how threat actors use AI-related branding as a social engineering vector.

Potential Impact

The malicious extension compromises user privacy by capturing keystrokes and search queries, potentially exposing sensitive information. It hijacks browser search settings, redirecting traffic through attacker-controlled infrastructure, enabling data interception and possible further exploitation. The use of typosquatted domains increases the risk of user deception. Although no known exploits in the wild are reported, the data interception and keystroke capture pose a medium risk to affected users.

Mitigation Recommendations

Google has removed the malicious extension from the Chrome Web Store following responsible disclosure. Users should uninstall any suspicious extensions, especially those spoofing AI brands like Perplexity AI. Organizations should strengthen user awareness training to recognize social engineering tactics involving AI branding. Implement layered security controls to detect and block similar malicious extensions and monitor for unauthorized changes to browser settings. No official patch is applicable as this is a malicious extension rather than a software vulnerability.
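
An added example, not code from Microsoft's report or from this page: a Python audit of unpacked Chromium extension manifests for the traits described above (a search-provider override, declarativeNetRequest permissions, and any URL on the listed domain). The function names, finding labels and sample manifest are constructed for illustration.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

IOC_DOMAINS = {"perplexity-ai.online"}  # the one domain indicator listed on this page
DNR_PERMS = {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}

def host_of(pattern):
    """Host of a URL or match pattern, lowercased, without a leading '*.'."""
    if not isinstance(pattern, str) or "://" not in pattern:
        return ""  # e.g. "<all_urls>" carries no host
    # Match patterns allow '*' as the scheme, so substitute a real one to parse.
    host = urlsplit("https://" + pattern.split("://", 1)[1]).hostname or ""
    return host.lower().removeprefix("*.")

def on_ioc_domain(host):
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def audit_manifest(manifest):
    """Return sorted finding labels for one parsed manifest.json."""
    findings = set()
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    if provider:
        findings.add("overrides-search-provider")
        if provider.get("is_default"):
            findings.add("sets-default-search")
    perms = {p for p in manifest.get("permissions", []) if isinstance(p, str)}
    if perms & DNR_PERMS:
        findings.add("uses-declarativeNetRequest")
    # search_url receives full queries; suggest_url receives input as it is typed.
    urls = [provider.get(k) for k in ("search_url", "suggest_url", "favicon_url")]
    for url in urls + manifest.get("host_permissions", []):
        if on_ioc_domain(host_of(url)):
            findings.add("ioc-domain:" + host_of(url))
    return sorted(findings)

def audit_extensions_dir(ext_dir):
    """Audit <ext_dir>/<extension id>/<version>/manifest.json for every extension."""
    hits = {}
    for path in Path(ext_dir).glob("*/*/manifest.json"):
        found = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        if found:
            hits[path.parent.parent.name] = found
    return hits

# Constructed sample, not the real extension's manifest; field placement is assumed.
SAMPLE = {
    "manifest_version": 3,
    "permissions": ["declarativeNetRequest"],
    "chrome_settings_overrides": {"search_provider": {
        "is_default": True, "search_url": "https://perplexity-ai.online/search/"}},
}
```

Point `audit_extensions_dir` at a browser profile's `Extensions` directory. A search override or declarativeNetRequest on its own is common in legitimate extensions, so treat those labels as triage signals and the `ioc-domain` label as the actionable hit.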


Technical Details

Author: AlienVault
TLP: white
References: https://www.microsoft.com/en-us/security/blog/2026/06/29/chromium-extension-uses-airelated-branding-redirect-browser-search/
Adversary: null
Pulse Id: 6a42d0b89159dccad1ff7879
Threat Score: null

Indicators of Compromise

Domain

perplexity-ai.online

Url

http://perplexity-ai.online/
http://perplexity-ai.online/*
http://perplexity-ai.online/search/
https://perplexity-ai.online/favicon.ico
https://perplexity-ai.online/search/
https://perplexity-ai.online/search?output=firefox&q=

Threat ID: 6a43a6ca27e9c79719a5445c

Added to database: 06/30/2026, 11:21:46 UTC

Last enriched: 06/30/2026, 11:36:22 UTC

Last updated: 07/01/2026, 02:26:23 UTC
