From 50 to 703: Expanding Unit 42's Gameograf Adware Chrome Extension Campaign
A large-scale adware campaign involving over 700 Chrome extensions linked to the operators Ovkas, Gameograf, and Kidswallpapers/Owhit has been identified. These extensions, primarily wallpaper-related, engage in ad fraud by generating unauthorized ad impressions and exhibit malicious behaviors such as deleting browser IndexedDB data and injecting unsanitized HTML popups. The campaign has over 30,000 installs, with most extensions still active on the Chrome Web Store and distributed via grayware websites employing bot protection. The extensions also track uninstall events to enable retargeting. Evidence suggests the extensions were likely authored using AI coding agents. Only a few extensions have been removed so far, indicating ongoing risk to users.
AI Analysis
Technical Summary
Unit 42 researchers initially tracked 50+ adware wallpaper Chrome extensions published by three accounts: Ovkas, Gameograf, and Kidswallpapers/Owhit. Further investigation expanded this to 703 extensions likely belonging to the same campaign, many still live on the Chrome Web Store. Ovkas and Gameograf appear to be operated by the same actor, sharing code templates, manifest authorship, and affiliate infrastructure, while Kidswallpapers/Owhit is a distinct but similar operator. The extensions perform ad fraud by generating forced ad impressions and redirecting users to affiliate-tracked URLs without consent. They delete IndexedDB data, which disrupts browser caching and offline functionality, and inject HTML popups remotely without sanitization. The extensions also track uninstall events via chrome.runtime.setUninstallURL to enable churn tracking and retargeting. Distribution occurs through grayware websites protected by bot defenses. The extensions display a privacy policy that omits mention of these suspicious behaviors. Analysis indicates AI-assisted development due to coding patterns and prompt echoes. Despite the scale and impact, only a few extensions have been removed from the Chrome Web Store.
Potential Impact
The campaign causes unauthorized ad impressions, resulting in ad fraud revenue for the operators. Deletion of IndexedDB data disrupts normal browser caching and offline web app functionality, potentially degrading user experience. Remote injection of unsanitized HTML popups can lead to further malicious activity or user deception. Tracking uninstall events enables persistent user targeting and retargeting, violating user privacy. The large number of active extensions and installs increases the scale of impact. Distribution via grayware websites with bot protection complicates detection and removal efforts.
Mitigation Recommendations
Currently, only a handful of these malicious extensions have been removed from the Chrome Web Store; the majority remain active. Users should manually review and remove suspicious wallpaper-related Chrome extensions, especially those linked to Ovkas, Gameograf, and Kidswallpapers/Owhit. Security teams should monitor for these extensions and associated domains (chromewallpaper.com, gameograf.com, ovkas.com, owhit.com) and block or restrict access as appropriate. Since no official patch or fix is available for the Chrome Web Store ecosystem regarding this campaign, vigilance and manual removal are the primary mitigations. Check the Chrome Web Store and vendor advisories for updates on removals or additional guidance.
From 50 to 703: Expanding Unit 42's Gameograf Adware Chrome Extension Campaign
Description
A large-scale adware campaign involving over 700 Chrome extensions linked to the operators Ovkas, Gameograf, and Kidswallpapers/Owhit has been identified. These extensions, primarily wallpaper-related, engage in ad fraud by generating unauthorized ad impressions and exhibit malicious behaviors such as deleting browser IndexedDB data and injecting unsanitized HTML popups. The campaign has over 30,000 installs, with most extensions still active on the Chrome Web Store and distributed via grayware websites employing bot protection. The extensions also track uninstall events to enable retargeting. Evidence suggests the extensions were likely authored using AI coding agents. Only a few extensions have been removed so far, indicating ongoing risk to users.
Reddit Discussion
After Unit 42's report on the Chrome wallpaper extension campaign
"Ovkas" & "Gameograf"
I decided to dig into it myself and see how far the campaign actually extended.
Starting from the published IOCs, I pivoted through shared infrastructure, publishers, and code similarities. So far, I've identified 703 Chrome extensions that appear to belong to the same campaign, many of which are still live on the Chrome Web Store.
Initial Campaign: Unit 42
I've now published the full dataset MalExt.io
The dataset raises a bigger question: how large is this campaign really, and how many related extensions are still active?
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Unit 42 researchers initially tracked 50+ adware wallpaper Chrome extensions published by three accounts: Ovkas, Gameograf, and Kidswallpapers/Owhit. Further investigation expanded this to 703 extensions likely belonging to the same campaign, many still live on the Chrome Web Store. Ovkas and Gameograf appear to be operated by the same actor, sharing code templates, manifest authorship, and affiliate infrastructure, while Kidswallpapers/Owhit is a distinct but similar operator. The extensions perform ad fraud by generating forced ad impressions and redirecting users to affiliate-tracked URLs without consent. They delete IndexedDB data, which disrupts browser caching and offline functionality, and inject HTML popups remotely without sanitization. The extensions also track uninstall events via chrome.runtime.setUninstallURL to enable churn tracking and retargeting. Distribution occurs through grayware websites protected by bot defenses. The extensions display a privacy policy that omits mention of these suspicious behaviors. Analysis indicates AI-assisted development due to coding patterns and prompt echoes. Despite the scale and impact, only a few extensions have been removed from the Chrome Web Store.
Potential Impact
The campaign causes unauthorized ad impressions, resulting in ad fraud revenue for the operators. Deletion of IndexedDB data disrupts normal browser caching and offline web app functionality, potentially degrading user experience. Remote injection of unsanitized HTML popups can lead to further malicious activity or user deception. Tracking uninstall events enables persistent user targeting and retargeting, violating user privacy. The large number of active extensions and installs increases the scale of impact. Distribution via grayware websites with bot protection complicates detection and removal efforts.
Mitigation Recommendations
Currently, only a handful of these malicious extensions have been removed from the Chrome Web Store; the majority remain active. Users should manually review and remove suspicious wallpaper-related Chrome extensions, especially those linked to Ovkas, Gameograf, and Kidswallpapers/Owhit. Security teams should monitor for these extensions and associated domains (chromewallpaper.com, gameograf.com, ovkas.com, owhit.com) and block or restrict access as appropriate. Since no official patch or fix is available for the Chrome Web Store ecosystem regarding this campaign, vigilance and manual removal are the primary mitigations. Check the Chrome Web Store and vendor advisories for updates on removals or additional guidance.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":30,"reasons":["external_link","newsworthy_keywords:campaign","established_author","very_recent"],"isNewsworthy":true,"foundNewsworthy":["campaign"],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a5c7c2e2a4a8d5989342e76
Added to database: 07/19/2026, 07:26:38 UTC
Last enriched: 07/19/2026, 07:26:48 UTC
Last updated: 07/19/2026, 17:56:43 UTC
Views: 46
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.