
Fake AI Assistant Extensions Targeting 260,000 Chrome Users via injected iframes

Severity: Medium
Published: Mon Feb 16 2026 (02/16/2026, 14:28:59 UTC)
Source: AlienVault OTX General

Description

A coordinated campaign of Chrome extensions posing as AI assistants has been uncovered, affecting over 260,000 users. These extensions, while appearing legitimate, embed remote, server-controlled interfaces inside extension-controlled surfaces, granting access to sensitive browser capabilities. The campaign consists of 30 different extensions sharing the same codebase, permissions, and backend infrastructure. Key features include a remote iframe as the core UI, page content extraction, voice recognition capability, and Gmail integration. The extensions communicate with infrastructure under the tapnetic.pro domain, using subdomain segmentation for logical separation. The campaign employs extension spraying tactics to evade takedowns and quickly restore distribution. This approach breaks the browser security model, potentially allowing data harvesting and user behavior monitoring.

AI-Powered Analysis

Last updated: 02/17/2026, 16:29:49 UTC

Technical Analysis

This threat campaign involves a network of 30 malicious Chrome extensions that impersonate legitimate AI assistant tools to deceive users into installation. These extensions share a common codebase and backend infrastructure, communicating with command and control servers hosted under the tapnetic.pro domain and related subdomains. The core malicious technique involves embedding remote iframes controlled by the attacker inside the extension UI, which circumvents Chrome's security model by allowing the attacker to execute arbitrary code and access sensitive browser APIs. The extensions extract page content, capture voice inputs, and integrate with Gmail, enabling comprehensive data harvesting and user behavior monitoring. The campaign uses extension spraying, a tactic where multiple similar extensions are published to the Chrome Web Store to avoid detection and takedown, ensuring persistent distribution. The use of remote iframes as the primary UI is a novel approach that facilitates dynamic control over the extension's behavior and evasion of static detection methods. Although no CVE or known exploits are currently documented, the threat leverages advanced evasion and persistence techniques, making it a significant risk to users and organizations relying on Chrome extensions for productivity. The domains involved (airnetic.space, softnetica.space, tapnetic.pro, tapnetic.space, and claude.tapnetic.pro) serve as infrastructure for command and control and data exfiltration.

Potential Impact

For European organizations, this campaign poses a substantial risk to confidentiality and privacy, as the malicious extensions can harvest sensitive browsing data, email content, and voice inputs. This could lead to leakage of intellectual property, personal data, and corporate communications. The integration with Gmail is particularly concerning for organizations using Google Workspace, as attackers could access sensitive emails and attachments. The widespread scale (260,000+ users) indicates a high likelihood that employees in European companies may have installed these extensions, potentially enabling lateral movement or targeted phishing campaigns. The campaign's ability to evade takedown through extension spraying increases the persistence and reach of the threat. Additionally, the undermining of browser security models could facilitate further exploitation or malware delivery. The medium severity rating reflects the balance between the complexity of exploitation (requiring user installation) and the significant potential impact on data confidentiality and user privacy.

Mitigation Recommendations

European organizations should implement strict policies governing browser extension installation, restricting users to approved extensions only via enterprise policies. Deploy endpoint security solutions capable of detecting suspicious extension behaviors and monitor network traffic for connections to known malicious domains such as tapnetic.pro and its subdomains. Conduct regular audits of installed browser extensions across corporate devices. Educate employees about the risks of installing unverified AI assistant extensions and encourage verification of extension publishers and reviews. Leverage browser security features like extension permission reviews and disable unnecessary permissions such as access to Gmail or voice recognition unless explicitly required. Collaborate with browser vendors to report malicious extensions and support rapid takedown efforts. Employ data loss prevention (DLP) solutions to monitor and block unauthorized data exfiltration attempts. Finally, maintain updated threat intelligence feeds to stay informed about emerging variants of this campaign.
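
One way to implement the network-monitoring recommendation above, as an added example that is not part of the original advisory: a matcher that flags proxy or DNS log entries for the listed domains and any of their subdomains, comparing on label boundaries so look-alike hosts are not flagged. The log format, sample lines and function names are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Domains from this page's "Indicators of Compromise" list.
IOC_DOMAINS = frozenset({
    "airnetic.space", "softnetica.space", "tapnetic.pro",
    "tapnetic.space", "claude.tapnetic.pro",
})

def extract_host(field):
    """Lowercase hostname from a URL, host:port or bare host; None if unparsable."""
    # A bare host gets a "//" prefix so urlsplit treats it as a network location.
    value = field if "://" in field else "//" + field
    try:
        host = urlsplit(value).hostname  # already lowercased by urlsplit
    except ValueError:
        return None
    return host.rstrip(".") if host else None  # drop a trailing root dot

def matched_ioc(host):
    """IoC domain that host equals or is a subdomain of, else None."""
    labels = host.split(".")
    # Compare whole labels so "nottapnetic.pro" does not match "tapnetic.pro".
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def scan_proxy_log(lines):
    """Return (client, host, ioc) for every line whose target hits an IoC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines
        host = extract_host(parts[2])
        ioc = matched_ioc(host) if host else None
        if ioc:
            hits.append((parts[1], host, ioc))
    return hits

# Constructed sample lines in an assumed "<timestamp> <client> <target>" format.
SAMPLE_LOG = [
    "2026-02-17T09:01:12Z 10.0.4.21 https://claude.tapnetic.pro/ui/frame",
    "2026-02-17T09:01:15Z 10.0.4.21 API.Tapnetic.Pro:443",
    "2026-02-17T09:02:40Z 10.0.7.9 https://nottapnetic.pro/",
    "2026-02-17T09:04:55Z 10.0.9.3 softnetica.space.",
]
for client, host, ioc in scan_proxy_log(SAMPLE_LOG):
    print(f"{client} contacted {host} (matches {ioc})")
```

Each hit names the client address, which gives the extension audit a starting list of devices to inspect.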


Technical Details

Author: AlienVault
TLP: white
References: https://layerxsecurity.com/blog/aiframe-fake-ai-assistant-extensions-targeting-260000-chrome-users-via-injected-iframes
Adversary: null
Pulse Id: 699329ab195228ff943fb2bc
Threat Score: null

Indicators of Compromise

Domain

airnetic.space
softnetica.space
tapnetic.pro
tapnetic.space
claude.tapnetic.pro

Threat ID: 6994942680d747be20c100a4

Added to database: 2/17/2026, 4:15:34 PM

Last enriched: 2/17/2026, 4:29:49 PM

Last updated: 2/20/2026, 11:07:42 PM

Views: 143
