Back to Intelligence

Compromised QuickLens Extension Hijacked to Deliver Crypto-Stealing Malware via ClickFix

SA
Security Arsenal Team
March 1, 2026
5 min read

In the modern digital landscape, browser extensions have become indispensable tools for productivity. However, their deep integration into our daily browsing makes them a prime target for threat actors seeking a trusted foothold. Recently, the cybersecurity community was alerted to a concerning supply chain attack involving the "QuickLens - Search Screen with Google Lens" extension. This utility, previously considered safe, was compromised and transformed into a delivery mechanism for malware designed to siphon cryptocurrency from unsuspecting users.

This incident serves as a stark reminder that the integrity of software supply chains—even within the curated walls of the Chrome Web Store—can be fragile. Let's break down the mechanics of this attack, the tactics used by the actors, and how your organization can hunt for similar threats.

The Attack Vector: From Utility to Malware

The QuickLens attack is a classic example of a supply chain compromise. The threat actors managed to gain access to the developer's account or hijack the update mechanism. Once inside, they pushed a malicious update to thousands of active users. Because the update originated from a trusted source with an established user base, standard security warnings were bypassed, and the malware was installed automatically.

The ClickFix Technique

What makes this campaign particularly insidious is the use of a "ClickFix" attack vector. Unlike traditional malware that executes silently in the background, ClickFix relies on social engineering and active user participation to bypass heuristic detection.

  1. The Fake Error: Upon infection or visiting specific targets, the extension triggers a convincing, fake error message within the browser (often mimicking Google Chrome or Windows system alerts).
  2. The Call to Action: The alert claims that the user's system is compromised, disconnected, or requires an update. It provides a "solution": a PowerShell or Bash command.
  3. Execution: The user is instructed to copy the script and run it in their terminal. This action often fetches a second-stage payload, such as a clipboard modifier or a cookie stealer aimed at cryptocurrency wallets.

By tricking the user into running the command manually, the attackers effectively turn the victim into an unwitting accomplice, bypassing automated sandbox defenses that look for unauthorized code execution.

Technical Analysis and TTPs

The malware associated with the QuickLens compromise primarily targets cryptocurrency assets. Tactics, Techniques, and Procedures (TTPs) observed in this campaign include:

  • Clipboarding: Monitoring the clipboard for addresses that match cryptocurrency wallet formats and replacing them with the attacker's address at the moment of a transaction.
  • Cookie Theft: Extracting session cookies from crypto exchanges and wallets to bypass Multi-Factor Authentication (MFA).
  • C2 Communication: Establishing connections to Command and Control (C2) servers to receive instructions and update malicious configurations.

Detection and Threat Hunting

Detecting browser extension compromises requires a multi-layered approach. Below are specific queries and scripts to help your security team identify potential indicators of compromise (IoC) related to ClickFix behavior and malicious extension activity.

KQL Query for Sentinel/Defender

Use this KQL query to hunt for suspicious PowerShell launches initiated by browser processes—a strong indicator of ClickFix activity.

Script / Code
DeviceProcessEvents
| where InitiatingProcessFileName in ("chrome.exe", "msedge.exe", "firefox.exe")
| where FileName in ("powershell.exe", "pwsh.exe", "cmd.exe")
| where ProcessCommandLine has_any ("copy", "paste", "iex", "Invoke-Expression", "DownloadString")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine, FolderPath
| order by Timestamp desc

PowerShell Script for Extension Audit

This script scans the local Chrome extension directories for extensions recently modified that are not part of the standard enterprise policy. This helps identify unauthorized or recently updated extensions that might be malicious.

Script / Code
# Script to audit recently modified Chrome Extensions
$ExtensionBasePath = "$env:LOCALAPPDATA\Google\Chrome\User Data"
$DaysToScan = 7

if (Test-Path $ExtensionBasePath) {
    Write-Host "Scanning for Chrome extensions modified in the last $DaysToScan days..." -ForegroundColor Cyan
    
    # Get all profile directories
    $Profiles = Get-ChildItem -Path $ExtensionBasePath -Directory | Where-Object { $_.Name -match "Default|Profile" }
    
    foreach ($Profile in $Profiles) {
        $ExtPath = Join-Path -Path $Profile.FullName -ChildPath "Extensions"
        if (Test-Path $ExtPath) {
            # Find .js files modified recently
            $SuspiciousFiles = Get-ChildItem -Path $ExtPath -Recurse -Filter "*.js" -ErrorAction SilentlyContinue | 
                Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$DaysToScan) }
            
            if ($SuspiciousFiles) {
                Write-Host "Warning: Recent activity found in profile: $($Profile.Name)" -ForegroundColor Yellow
                $SuspiciousFiles | ForEach-Object {
                    Write-Host "File: $($_.FullName) | Modified: $($_.LastWriteTime)" -ForegroundColor White
                }
            }
        }
    }
} else {
    Write-Host "Chrome installation not found at standard path." -ForegroundColor Red
}

YAML Detection Rule (Sigma)

Below is a Sigma rule concept to detect the ClickFix pattern of browser-spawned shells.

Script / Code
title: Potential ClickFix Activity via Browser Spawned Shell
description: Detects when a browser process spawns a shell process with suspicious arguments often used in ClickFix attacks.
status: experimental
date: 2023/10/27
author: Security Arsenal
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
    CommandLine|contains:
      - 'iex'
      - 'DownloadString'
      - 'copy'
  condition: selection
falsepositives:
  - Legitimate developer tools
level: high

Mitigation Strategies

To protect your organization from similar supply chain and extension-based attacks, implement the following measures:

  1. Immediate Removal: If the QuickLens extension is found in your environment, remove it immediately. Ensure users clear their browser cache and cookies post-removal.
  2. Enterprise Allowlisting: Utilize Chrome Enterprise policies to enforce an allowlist of approved extensions. Block the installation of any add-ons not explicitly vetted by your IT department.
  3. User Education: Train employees to recognize ClickFix tactics. Emphasize that legitimate system errors will never ask users to copy and paste code into a terminal window.
  4. Regular Audits: Conduct quarterly audits of installed browser extensions across endpoints. Remove any unused or unnecessary plugins to reduce the attack surface.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicschrome-extensionsclickfixcrypto-stealerbrowser-securitysupply-chain-attack

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action