
SearchJack Campaign Uses 23 Chrome Extensions to Hijack Searches of 758,000 Users

Source: Cybersecurity News. Archived Jun 15, 2026.

By Tushar Subhra Dutta, June 15, 2026

A coordinated campaign of 23 deceptive Chrome browser extensions has been quietly stealing users’ search queries and routing them through hidden revenue systems. The operation, now dubbed SearchJack, has affected roughly 758,000 Chrome users worldwide without any of them realizing their searches were being hijacked. Each extension presents itself as a useful tool, from satellite maps to productivity apps, while silently running a different operation in the background.

The way these extensions work is straightforward but difficult to detect. Once installed, they override the browser’s default search engine using a built-in Chrome feature called chrome_settings_overrides. When a user types a query, it passes through operator-controlled relay servers before landing on a results page. The user sees what looks like a normal search, but every query has already passed through a monetization layer they never agreed to.

Researchers at MalExt Sentry identified the campaign using their automated scanning system, which monitors Chrome extension listings for suspicious activity. According to MalExt Sentry’s report shared with Cyber Security News (CSN), the scanner specifically flagged extensions abusing the chrome_settings_overrides manifest key to take over search settings. The team traced at least eight distinct affiliate brokers, each identified by a unique tracking parameter in the final Yahoo redirect URL.

What makes SearchJack hard to spot is the gap between what extensions claim and what they actually do. One extension, Nautilus Search, tells users in its store listing that it never tracks searches or collects personal data. Yet the linked privacy policy explicitly discloses collection of IP addresses, search queries, and device identifiers. That is not an oversight.
It is a direct false claim, potentially actionable under both GDPR and FTC frameworks.

The scale of this campaign raises concerns beyond misleading store descriptions. Since the operators control where search traffic flows, they can quietly switch from delivering normal results to serving phishing pages or malicious downloads without ever pushing an update to the extension. That ability to escalate harm without touching the code is what elevates SearchJack from adware to a genuine security risk.

SearchJack Campaign Uses 23 Chrome Extensions

The technical backbone of SearchJack is built on a layered redirect system designed to stay completely invisible. Most extensions are what researchers call shell extensions, containing almost nothing beyond the manifest file that sets the new default search engine. There is no background script, no permission request, and no visible signal that anything unusual is happening. The same structural template appears across multiple extensions, with only the domain and icon swapped out.

A smaller group adds fake functionality, such as a basic maps viewer or video library, to pass store review and make the install feel legitimate. These features are barely functional but enough to avoid automated removal.

One extension, Search Toggler, shows users an interface that appears to let them switch between search engines. In practice, all queries still pass through the operator’s server regardless of selection, and the actual routing logic is only injected at runtime, making it invisible to standard analysis tools.

The Broker Network Enabling the Campaign

Behind every extension sits a broker holding a revenue-sharing agreement with Yahoo’s search affiliate program, collecting a cut each time a user searches. The campaign spans eight such brokers, with the largest block tied to an unidentified operator. Some brokers, like Becovi Ltd based in Dublin, are at least partially traceable.
Others have no verifiable identity, making accountability nearly impossible.

One unusual case involves Fusebase Search, published under a legitimate company name, showing 609 reviews against only 490 current installs. That ratio is mathematically impossible under normal conditions and points to either review manipulation or a prior policy violation that reset the install count.

Researchers recommend enforcement action at the broker level rather than targeting individual extensions, since extensions are disposable but affiliate accounts are not. Users should audit their installed extensions, remove anything unfamiliar, and manually reset their default search engine in Chrome settings.

Indicators of Compromise (IoCs):

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
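
The extension audit recommended above can be scripted. This is an added example, not code from the article or from MalExt Sentry: it walks a Chrome profile's Extensions directory, reports every extension whose manifest sets chrome_settings_overrides.search_provider, and marks the shell shape the article describes (no background script, no permissions). The sample profile, extension names and the relay.example.test host are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

CODE_KEYS = ("background", "content_scripts", "action", "browser_action")

def audit_manifest(manifest):
    """Return a finding if the manifest takes over default search, else None."""
    overrides = manifest.get("chrome_settings_overrides") if isinstance(manifest, dict) else None
    provider = overrides.get("search_provider") if isinstance(overrides, dict) else None
    if not isinstance(provider, dict):
        return None
    host = urlsplit(str(provider.get("search_url", ""))).hostname  # where queries go first
    # "Shell" shape from the article: the search override and nothing else to review.
    shell = not any(k in manifest for k in CODE_KEYS) and not manifest.get("permissions")
    return {"name": manifest.get("name"), "search_host": host,
            "is_default": bool(provider.get("is_default")), "shell": shell}

def scan_extensions(ext_root):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect findings."""
    findings = []
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        finding = audit_manifest(manifest)
        if finding:
            finding["id"] = path.parent.parent.name  # directory name is the extension ID
            findings.append(finding)
    return findings

def build_sample_profile(root):  # constructed sample data, not real extensions
    samples = {
        "a" * 32: {"name": "Sample Maps Tab", "chrome_settings_overrides": {"search_provider": {
            "name": "Sample", "keyword": "sample", "is_default": True,
            "search_url": "https://relay.example.test/s?q={searchTerms}"}}},
        "b" * 32: {"name": "Sample Notes", "permissions": ["storage"],
                   "background": {"service_worker": "sw.js"}},
    }
    for ext_id, manifest in samples.items():
        target = Path(root) / ext_id / "1.0_0" / "manifest.json"
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        print(scan_extensions(tmp))
```

To audit a real install, pass scan_extensions the profile's Extensions folder (on Linux typically ~/.config/google-chrome/Default/Extensions) and review any reported search_host you do not recognize.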