How 23 Browser Extensions Silently Monetize ~758,000 Users' Searches
SearchJack is a coordinated campaign involving 23 deceptive Chrome browser extensions that hijack users' default search engines to monetize search traffic. These extensions disguise themselves as productivity tools, satellite imagery viewers, maps, and news readers but redirect search queries through affiliate monetization middleware, primarily Yahoo Hosted Search programs. The campaign affects approximately 758,000 users and involves 22 publishers and at least 8 monetization brokers. The extensions use manifest-only wrappers with chrome_settings_overrides and runtime obfuscation to evade detection. They also feature false privacy claims, suspicious review patterns, and anonymous publishers with fictitious corporate identities, enabling monetization of user searches without accountability.
AI Analysis
Technical Summary
SearchJack is a large-scale adware campaign consisting of 23 Chrome extensions that silently hijack users' default search engines by leveraging chrome_settings_overrides in their manifests. These extensions redirect search queries through multiple affiliate monetization brokers, mainly Yahoo Hosted Search affiliate programs, generating revenue for the operators. The extensions masquerade as legitimate tools but employ runtime obfuscation to avoid static analysis detection. The campaign impacts roughly 758,000 users across 22 publishers and uses at least 8 distinct monetization brokers. False privacy claims and anomalous review patterns help maintain the extensions' presence in the Chrome ecosystem despite their deceptive behavior. The operators maintain anonymity through fictional corporate identities, complicating accountability and takedown efforts.
Potential Impact
Users of the affected Chrome extensions experience silent hijacking of their default search engines, resulting in search queries being redirected through affiliate monetization brokers. This leads to unauthorized monetization of user search behavior without informed consent. While the extensions do not appear to exploit system vulnerabilities or execute direct malicious payloads, the deceptive behavior compromises user trust and privacy. The campaign affects a large user base (~758,000 users), increasing the scale of the impact. There is no indication of direct data theft or system compromise from the provided information.
Mitigation Recommendations
No official patch or vendor advisory is available for this campaign. Users should manually review and remove suspicious or untrusted Chrome extensions, especially those matching the described behaviors (manifest-only wrappers, search hijacking, false privacy claims). Security teams should monitor for these extensions in their environments and educate users about the risks of installing unverified browser extensions. Since this is not a software vulnerability but a deceptive campaign, remediation involves user awareness and extension management rather than patching. Check the referenced report (https://malext.io/reports/SearchJack) for updated detection and removal guidance.
Indicators of Compromise
- url: http://searchtoggler.com/ext/search
- url: https://bestfreemaps.com/search-direction.php?q=
- url: https://bestfreemaps.com/search-earth-de.php?q=
- url: https://earth3d.net/admin/public/link?q=
- url: https://earthapp.net/admin/public/link?q=
- url: https://freshfruittab.com/search?q=
- url: https://greatstartapp.com/serp.php?v=1.0.1&id=mccmkaicbneobeclkbloeoopcfeipmio&q=
- url: https://loginonlineapp.com/admin/public/link?q=
- url: https://myfocalfind.com/search?q=
- url: https://myperfecttab.com/search/?q=
- url: https://myvideolibrary.info/search.php?q=
- url: https://nautilus-notes.com/search?q=
- url: https://newtab.club/search?q=
- url: https://oasrchrdr.com?dgd=RD1005461&PCSF=true&q=
- url: https://query.quicksearchtool.com/s?query=
- url: https://s.fusebase-search.com/search?q=
- url: https://search.freshysearch-api.net/search/
- url: https://search.getbettersearch-api.com/search/
- url: https://searchanything.co/search.html?q=
- url: https://searchtoggler.com/ext/search?src=default&q=
- url: https://seek.searchthatweb.com?PCSF=true&q=
- url: https://services.templatesearch-svc.org/search/
- url: https://viewmenuprices.com/auto-suggest/search.php?q=
- url: https://wanderlustar.com/k?source=7023.139&kw=
- domain: query.quicksearchtool.com
- domain: s.fusebase-search.com
- domain: search.freshysearch-api.net
- domain: search.getbettersearch-api.com
- domain: services.templatesearch-svc.org
How 23 Browser Extensions Silently Monetize ~758,000 Users' Searches
Description
SearchJack is a coordinated campaign involving 23 deceptive Chrome browser extensions that hijack users' default search engines to monetize search traffic. These extensions disguise themselves as productivity tools, satellite imagery viewers, maps, and news readers but redirect search queries through affiliate monetization middleware, primarily Yahoo Hosted Search programs. The campaign affects approximately 758,000 users and involves 22 publishers and at least 8 monetization brokers. The extensions use manifest-only wrappers with chrome_settings_overrides and runtime obfuscation to evade detection. They also feature false privacy claims, suspicious review patterns, and anonymous publishers with fictitious corporate identities, enabling monetization of user searches without accountability.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
SearchJack is a large-scale adware campaign consisting of 23 Chrome extensions that silently hijack users' default search engines by leveraging chrome_settings_overrides in their manifests. These extensions redirect search queries through multiple affiliate monetization brokers, mainly Yahoo Hosted Search affiliate programs, generating revenue for the operators. The extensions masquerade as legitimate tools but employ runtime obfuscation to avoid static analysis detection. The campaign impacts roughly 758,000 users across 22 publishers and uses at least 8 distinct monetization brokers. False privacy claims and anomalous review patterns help maintain the extensions' presence in the Chrome ecosystem despite their deceptive behavior. The operators maintain anonymity through fictional corporate identities, complicating accountability and takedown efforts.
Potential Impact
Users of the affected Chrome extensions experience silent hijacking of their default search engines, resulting in search queries being redirected through affiliate monetization brokers. This leads to unauthorized monetization of user search behavior without informed consent. While the extensions do not appear to exploit system vulnerabilities or execute direct malicious payloads, the deceptive behavior compromises user trust and privacy. The campaign affects a large user base (~758,000 users), increasing the scale of the impact. There is no indication of direct data theft or system compromise from the provided information.
Mitigation Recommendations
No official patch or vendor advisory is available for this campaign. Users should manually review and remove suspicious or untrusted Chrome extensions, especially those matching the described behaviors (manifest-only wrappers, search hijacking, false privacy claims). Security teams should monitor for these extensions in their environments and educate users about the risks of installing unverified browser extensions. Since this is not a software vulnerability but a deceptive campaign, remediation involves user awareness and extension management rather than patching. Check the referenced report (https://malext.io/reports/SearchJack) for updated detection and removal guidance.
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://malext.io/reports/SearchJack"]
- Adversary
- null
- Pulse Id
- 6a30130a4f8994fe9cb1c31a
- Threat Score
- null
Indicators of Compromise
Url
| Value | Description | Copy |
|---|---|---|
urlhttp://searchtoggler.com/ext/search | — | |
urlhttps://bestfreemaps.com/search-direction.php?q= | — | |
urlhttps://bestfreemaps.com/search-earth-de.php?q= | — | |
urlhttps://earth3d.net/admin/public/link?q= | — | |
urlhttps://earthapp.net/admin/public/link?q= | — | |
urlhttps://freshfruittab.com/search?q= | — | |
urlhttps://greatstartapp.com/serp.php?v=1.0.1&id=mccmkaicbneobeclkbloeoopcfeipmio&q= | — | |
urlhttps://loginonlineapp.com/admin/public/link?q= | — | |
urlhttps://myfocalfind.com/search?q= | — | |
urlhttps://myperfecttab.com/search/?q= | — | |
urlhttps://myvideolibrary.info/search.php?q= | — | |
urlhttps://nautilus-notes.com/search?q= | — | |
urlhttps://newtab.club/search?q= | — | |
urlhttps://oasrchrdr.com?dgd=RD1005461&PCSF=true&q= | — | |
urlhttps://query.quicksearchtool.com/s?query= | — | |
urlhttps://s.fusebase-search.com/search?q= | — | |
urlhttps://search.freshysearch-api.net/search/ | — | |
urlhttps://search.getbettersearch-api.com/search/ | — | |
urlhttps://searchanything.co/search.html?q= | — | |
urlhttps://searchtoggler.com/ext/search?src=default&q= | — | |
urlhttps://seek.searchthatweb.com?PCSF=true&q= | — | |
urlhttps://services.templatesearch-svc.org/search/ | — | |
urlhttps://viewmenuprices.com/auto-suggest/search.php?q= | — | |
urlhttps://wanderlustar.com/k?source=7023.139&kw= | — |
Domain
| Value | Description | Copy |
|---|---|---|
domainquery.quicksearchtool.com | — | |
domains.fusebase-search.com | — | |
domainsearch.freshysearch-api.net | — | |
domainsearch.getbettersearch-api.com | — | |
domainservices.templatesearch-svc.org | — |
Threat ID: 6a3036a80b89be6888612a8d
Added to database: 6/15/2026, 5:30:16 PM
Last enriched: 6/15/2026, 5:45:34 PM
Last updated: 6/15/2026, 6:39:17 PM
Views: 11
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.