The AiFrame campaign involves a malicious Chrome extension masquerading as Google's Authenticator application. It requests broad permissions and includes dormant components that allow attackers to push malicious updates without further user consent. This extension is connected to a cluster of at least six extensions sharing a developer front, with two confirmed to have fully operational malicious payloads. The extensions exploit hidden iframes to inject attacker-controlled content into web pages, implement fraudulent paywalls to monetize free services, and establish bidirectional communication with command and control infrastructure. The campaign has been active since 2025, compromising over 260,000 users, and represents a sophisticated, evolving threat targeting browser security and two-factor authentication mechanisms.

Users of the malicious Chrome extension risk unauthorized access to their credentials and two-factor authentication data due to iframe injection and credential theft techniques. The fraudulent paywalls disrupt legitimate access to free services, potentially causing financial loss or service denial. The staged deployment model allows attackers to update the extension with new malicious capabilities without user approval, increasing the threat's persistence and adaptability. The campaign's scale, with over 260,000 compromised users, indicates significant impact on user security and privacy.

No official patch or remediation is currently available for this threat. Users should immediately uninstall any suspicious or unverified Chrome extensions, especially those impersonating legitimate authentication apps. Avoid granting excessive permissions to browser extensions and verify developer authenticity before installation. Monitor for updates from browser vendors or security advisories regarding this campaign. Since this is not a cloud service, remediation depends on user action and browser security controls.