
Malicious Perplexity Chrome Extension: Hunting Search Interception Malware

Security Arsenal Team
June 29, 2026
5 min read

Microsoft recently disclosed the discovery of a malicious Google Chrome extension masquerading as the popular Perplexity AI search engine. This extension was not merely a nuisance; it actively targeted user privacy by intercepting every character typed into the address bar and logging all search queries. Before redirecting users to legitimate results, the malware routed this sensitive telemetry through an attacker-controlled server, facilitating potential credential theft and extensive user profiling.

Although Google has removed this specific extension from the Web Store following responsible disclosure, the persistence mechanisms and the abuse of browser extensions remain a critical vector for initial access and data exfiltration. Defenders must assume that similar extensions or variants remain in the wild or are already installed in user environments.

Technical Analysis

Threat Type: Malicious Browser Extension (Trojan)
Target Platform: Google Chrome (Windows, macOS, Linux)
Mechanism: Interception of address-bar input and search requests (man-in-the-middle) via Chrome extension APIs

The extension needs no browser vulnerability; it abuses APIs that Chrome grants to any extension that declares them. Upon installation it registers listeners for input and navigation events. Address-bar input reaches it through the chrome.omnibox API (the chrome.omnibox.onInputChanged event; note that this event only fires once the user has typed the extension's registered keyword, so it is not on its own a keylogger for the whole address bar), and search submissions are caught with chrome.webRequest listeners such as onBeforeRequest on the outgoing navigation request, where the full query string is visible before the request leaves the browser.

  • Data Exfiltration: The captured data is serialized and transmitted via HTTP/HTTPS POST requests to a command-and-control (C2) server under the attacker's control.
  • Redirection: After exfiltration, the extension allows the original request to proceed, forwarding the traffic to the intended destination (e.g., Google, Bing, or Perplexity) to avoid immediate detection by the user.
  • Persistence: The extension lives in the Chrome profile directory (User Data\<profile>\Extensions\<id>\<version>\) and is reloaded on every browser start. Malware with administrative rights can additionally write its extension ID to the ExtensionInstallForcelist policy registry key; Chrome treats such extensions as force-installed by an administrator, and users cannot disable or remove them from chrome://extensions, so removal requires clearing the policy entry first.

Exploitation Status: Confirmed Active. The extension was live in the Chrome Web Store and was observed logging user data before Microsoft's disclosure and its removal by Google.

Detection & Response

Detecting malicious browser extensions requires a shift from traditional process monitoring to file-system, registry and network telemetry. Because the extension code runs inside Chrome's own processes (chrome.exe), there is no new binary or process for EDR to flag, and process-based alerts alone are insufficient.

SIGMA Rules

The following rules detect the creation of files in the Chrome Extensions directory (a common indicator of new extension installation) and modifications to registry keys used for force-installing extensions.

YAML
---
title: Chrome Extension Installation - Manifest Created
id: 89c4a12b-5f7e-4b6c-9a1d-2f3b4c5d6e7f
status: experimental
description: Detects creation of a manifest.json under a Chrome profile's Extensions directory, i.e. a new or updated extension. Keying on the manifest yields one event per install instead of one per extracted file.
references:
  - https://attack.mitre.org/techniques/T1176/001/
author: Security Arsenal
date: 2026-06-02
tags:
  - attack.persistence
  - attack.t1176.001
logsource:
  category: file_event
  product: windows
detection:
  selection:
    # Layout: ...\Google\Chrome\User Data\<profile>\Extensions\<id>\<version>\manifest.json
    # The profile is not always "Default" (Profile 1, Profile 2, ...), so only the
    # two fixed path components are matched.
    TargetFilename|contains|all:
      - '\Google\Chrome\User Data\'
      - '\Extensions\'
    TargetFilename|endswith: '\manifest.json'
  condition: selection
falsepositives:
  - Legitimate browser extension updates or user installations
level: low
---
title: Chrome Extension Force Install via Registry
id: 1a2b3c4d-5e6f-4a3b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects registry writes to the policy keys that force-install Chrome extensions (ExtensionInstallForcelist, or ExtensionSettings with installation_mode set to force_installed) and to the legacy external-extension key. Force-installed extensions cannot be removed by the user, so malware with administrative rights uses them for persistence.
references:
  - https://attack.mitre.org/techniques/T1176/001/
author: Security Arsenal
date: 2026-06-02
tags:
  - attack.persistence
  - attack.t1176.001
logsource:
  category: registry_set
  product: windows
detection:
  selection:
    TargetObject|contains:
      - '\Software\Policies\Google\Chrome\ExtensionInstallForcelist'
      - '\Software\Policies\Google\Chrome\ExtensionSettings'
      - '\Software\Google\Chrome\Extensions'
  condition: selection
falsepositives:
  - Administrative installation of legitimate corporate extensions (filter known extension IDs on the Details field)
level: medium
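
To make the two selections above concrete, the following added example (not part of the original advisory) evaluates their logic against constructed Sysmon-style events, the way a SIEM would: `contains` is a case-insensitive substring test, the file rule requires both fixed path components plus a `manifest.json` file name, and the registry rule parses the force-list value format `<extension_id>;<update_url>`. The events, the user name and the two 32-character extension IDs are placeholders constructed for this example; the only real value is Google's Web Store update URL.

```python
"""Run the two Sigma selections over constructed Sysmon-style events.

Added example, not code from the original advisory. Events, paths and
extension IDs are constructed placeholders.
"""
import re

EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome IDs: 32 chars from a-p

# Sysmon event 11 (FileCreate): both components must appear and the file is manifest.json
FILE_PATH_PARTS = ["\\Google\\Chrome\\User Data\\", "\\Extensions\\"]
# Sysmon event 13 (RegistryEvent, value set): any of these keys
FORCE_INSTALL_KEYS = [
    "\\Software\\Policies\\Google\\Chrome\\ExtensionInstallForcelist",
    "\\Software\\Policies\\Google\\Chrome\\ExtensionSettings",
    "\\Software\\Google\\Chrome\\Extensions",
]


def _contains(haystack: str, needle: str) -> bool:
    """Sigma 'contains': case-insensitive substring match."""
    return needle.lower() in haystack.lower()


def matches_file_rule(event: dict) -> bool:
    path = event.get("TargetFilename", "")
    return (event.get("EventID") == 11
            and all(_contains(path, part) for part in FILE_PATH_PARTS)
            and path.lower().endswith("\\manifest.json"))


def matches_registry_rule(event: dict) -> bool:
    target = event.get("TargetObject", "")
    return event.get("EventID") == 13 and any(_contains(target, k) for k in FORCE_INSTALL_KEYS)


def parse_forcelist_value(details: str) -> tuple:
    """Split a force-list entry into (extension_id, update_url).

    The update URL is optional; when absent Chrome uses the Web Store. A value
    whose ID is not 32 chars of a-p is malformed and worth a look on its own.
    """
    ext_id, _, update_url = details.strip().partition(";")
    if not EXTENSION_ID_RE.match(ext_id):
        raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
    return ext_id, (update_url or None)


def extension_id_from_path(path: str):
    """Pull <id> out of ...\\Extensions\\<id>\\<version>\\manifest.json, or None."""
    m = re.search(r"\\Extensions\\([a-p]{32})\\", path)
    return m.group(1) if m else None


def triage(events: list) -> dict:
    """Apply both rules and return what each matched."""
    result = {"manifest_created": [], "forced": [], "malformed": [], "review": []}
    for ev in events:
        if matches_file_rule(ev):
            result["manifest_created"].append(extension_id_from_path(ev["TargetFilename"]))
        elif matches_registry_rule(ev):
            if _contains(ev["TargetObject"], "ExtensionInstallForcelist"):
                try:
                    result["forced"].append(parse_forcelist_value(ev.get("Details", "")))
                except ValueError:
                    result["malformed"].append(ev["TargetObject"])
            else:  # ExtensionSettings JSON or legacy key: hand to an analyst
                result["review"].append(ev["TargetObject"])
    return result


# Constructed sample events. Only the update URL is a real Google endpoint.
EXT_A = "abcdefghijklmnopabcdefghijklmnop"  # placeholder extension ID
EXT_B = "ponmlkjihgfedcbaponmlkjihgfedcba"  # placeholder extension ID
BASE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
SAMPLE_EVENTS = [
    # Install into a non-Default profile: a rule keyed on "\Default\" would miss it.
    {"EventID": 11, "TargetFilename": BASE + r"\Profile 2\Extensions\%s\1.0.3_0\manifest.json" % EXT_A},
    # Ordinary cache write under the same tree: no \Extensions\ component.
    {"EventID": 11, "TargetFilename": BASE + r"\Default\Cache\f_000123"},
    # Force-list entry with an explicit Web Store update URL.
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1",
     "Details": EXT_A + ";https://clients2.google.com/service/update2/crx"},
    # Force-list entry with the update URL omitted (defaults to the Web Store).
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\2",
     "Details": EXT_B},
    # Unrelated Run-key persistence: not this rule's job.
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\alice\updater.exe"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

The second event shows why the file rule must key on `manifest.json` rather than on any file under the profile, and the first shows why the profile name must not be hard-coded. In production, the parsed extension IDs are what you compare against your allowlist, not the raw registry string.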

KQL (Microsoft Sentinel / Defender)

Hunt for recently created extension manifests (one per install or update). Once an extension ID and install time are in hand, pivot to DeviceNetworkEvents initiated by chrome.exe in the minutes that follow: search interception shows up as POSTs from the browser to a host that is neither the search engine the user was sent to nor a known CDN.

KQL — Microsoft Sentinel / Defender
// Hunt for recent creation of extension manifests (one event per install/update)
// Layout: ...\Google\Chrome\User Data\<profile>\Extensions\<id>\<version>\manifest.json
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType == "FileCreated"
| where FileName =~ "manifest.json"
| where FolderPath contains @"\Google\Chrome\User Data\" and FolderPath contains @"\Extensions\"
// Extension ID is the directory two levels above manifest.json
| extend ExtensionId = extract(@"\\Extensions\\([a-p]{32})\\", 1, FolderPath)
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, ExtensionId, FolderPath, SHA256
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for manifest.json files within the Chrome Extensions directory (laid out as User Data/<profile>/Extensions/<id>/<version>/manifest.json) to identify recently installed extensions and audit their permissions. Look for permissions that interception malware needs, such as webRequest, tabs, history or the <all_urls> host permission, and for the manifest keys omnibox (address-bar keyword input) and chrome_settings_overrides (replaces the default search provider, so every default search goes to the extension's search_url).

VQL — Velociraptor
-- Hunt for recently modified Chrome extension manifests and their permissions.
-- Layout: User Data/<profile>/Extensions/<id>/<version>/manifest.json
-- (older Velociraptor releases name the path column FullPath instead of OSPath)
LET Manifests = SELECT OSPath, Mtime,
       parse_json(data=read_file(filename=OSPath)) AS Manifest
    FROM glob(globs='C:/Users/*/AppData/Local/Google/Chrome/User Data/*/Extensions/*/*/manifest.json')
    WHERE Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

SELECT Mtime, OSPath,
       Manifest.name AS Name,
       Manifest.version AS Version,
       Manifest.permissions AS Permissions,
       Manifest.host_permissions AS HostPermissions,
       Manifest.omnibox AS Omnibox,
       Manifest.chrome_settings_overrides AS SettingsOverrides
FROM Manifests
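
The same manifest audit as a stand-alone script, as an added example that is not part of the original advisory and not Velociraptor's own code: it walks a Chrome User Data directory on any platform, parses every <profile>/Extensions/<id>/<version>/manifest.json and scores each manifest on the permissions and keys that enable search interception, including the search_url and suggest_url an overriding search provider points at. The risk weights, the threshold and the two sample manifests (placeholder IDs, an .invalid domain) are this example's own assumptions.

```python
"""Audit Chrome extension manifests for search-interception capability.

Added example, not code from the original advisory. Weights, threshold
and the sample manifests are constructed assumptions.
"""
import json
import tempfile
import time
from pathlib import Path

# Weights are illustrative assumptions, not a published scoring scheme.
RISKY_PERMISSIONS = {"webRequest": 3, "webRequestBlocking": 3, "webNavigation": 2,
                     "tabs": 2, "history": 2}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# chrome_settings_overrides.search_provider replaces the default search engine;
# omnibox registers a keyword whose address-bar input is handed to the extension.
RISKY_KEYS = {"chrome_settings_overrides": 4, "omnibox": 3}


def score_manifest(manifest: dict) -> tuple:
    """Return (score, reasons) for one parsed manifest.json."""
    score, reasons = 0, []
    declared = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for perm in declared:
        if perm in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[perm]
            reasons.append(f"permission:{perm}")
        elif perm in BROAD_HOSTS:
            score += 3
            reasons.append(f"host:{perm}")
    for key, weight in RISKY_KEYS.items():
        if key in manifest:
            score += weight
            reasons.append(f"key:{key}")
    # search_url receives every default search, suggest_url every keystroke typed
    # for suggestions: both name the host address-bar input is sent to.
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    for field in ("search_url", "suggest_url"):
        if field in provider:
            reasons.append(f"{field}={provider[field]}")
    return score, reasons


def iter_manifests(user_data_dir: Path):
    """Yield (profile, extension_id, version, path); the profile is not always 'Default'."""
    if not user_data_dir.is_dir():
        return
    for profile in sorted(p for p in user_data_dir.iterdir() if p.is_dir()):
        for path in sorted((profile / "Extensions").glob("*/*/manifest.json")):
            yield profile.name, path.parent.parent.name, path.parent.name, path


def audit(user_data_dir, threshold: int = 5, max_age_days: float = 0) -> list:
    """Score every manifest (optionally only recently modified ones), highest first."""
    cutoff = time.time() - max_age_days * 86400 if max_age_days else None
    findings = []
    for profile, ext_id, version, path in iter_manifests(Path(user_data_dir)):
        if cutoff is not None and path.stat().st_mtime < cutoff:
            continue
        # utf-8-sig tolerates a BOM; names may be placeholders like __MSG_appName__.
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        score, reasons = score_manifest(manifest)
        findings.append({"profile": profile, "id": ext_id, "version": version,
                         "name": manifest.get("name", "?"), "score": score,
                         "suspicious": score >= threshold, "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample data: placeholder IDs and an .invalid domain, not real artefacts.
SUSPICIOUS_ID = "abcdefghijklmnopabcdefghijklmnop"
BENIGN_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"
SAMPLE_MANIFESTS = {
    ("Default", SUSPICIOUS_ID, "1.0.3_0"): {
        "manifest_version": 3, "name": "Perplexity Search", "version": "1.0.3",
        "permissions": ["webRequest", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
        "omnibox": {"keyword": "px"},
        "chrome_settings_overrides": {"search_provider": {
            "search_url": "https://search.example.invalid/q?q={searchTerms}",
            "suggest_url": "https://search.example.invalid/s?q={searchTerms}"}},
    },
    ("Profile 1", BENIGN_ID, "2.4.0_0"): {
        "manifest_version": 3, "name": "Plain Notes", "version": "2.4.0",
        "permissions": ["storage"],
    },
}


def build_sample_user_data(root: Path) -> Path:
    """Write the sample manifests in Chrome's directory layout under root."""
    for (profile, ext_id, version), manifest in SAMPLE_MANIFESTS.items():
        ext_dir = root / profile / "Extensions" / ext_id / version
        ext_dir.mkdir(parents=True, exist_ok=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def run_demo() -> list:
    """Audit the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_user_data(Path(tmp)), max_age_days=7)


if __name__ == "__main__":
    for f in run_demo():
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["profile"], f["id"],
              f["name"], f["version"], f["score"], " ".join(f["reasons"]))
```

Point it at a real profile with `audit(r"C:\Users\<user>\AppData\Local\Google\Chrome\User Data", max_age_days=7)` (or the equivalent path under ~/Library/Application Support or ~/.config on macOS and Linux). A high score is a triage signal, not a verdict: many legitimate extensions declare webRequest or tabs, but a search provider override pointing at a host nobody in the organisation recognises is exactly the artefact the advisory describes.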

Remediation Script (PowerShell)

Use this script to audit the registry (HKLM and HKCU policy keys) for force-installed extensions and to list recently modified extensions across the current user's Chrome profiles, with each extension's ID, name, version and declared permissions.

PowerShell
# Audit Chrome extension force-install policies and recently modified extensions.
# ExtensionInstallForcelist values are REG_SZ entries named 1, 2, 3 ... whose data is
# "<extension_id>;<update_url>" (the update URL may be omitted for Web Store items).
Write-Host "[+] Auditing Chrome extension policies (HKLM and HKCU)..."
$policyRoots = @("HKLM:\SOFTWARE\Policies\Google\Chrome", "HKCU:\SOFTWARE\Policies\Google\Chrome")
$forced = 0
foreach ($root in $policyRoots) {
    $forceList = Join-Path $root "ExtensionInstallForcelist"
    if (Test-Path $forceList) {
        $key = Get-Item $forceList
        foreach ($valueName in $key.GetValueNames()) {
            $data = $key.GetValue($valueName)
            $extId = ($data -split ';')[0]
            Write-Host "[!] Force-installed extension: $extId  (from $forceList\$valueName = '$data')"
            $forced++
        }
    }
    # ExtensionSettings can also force-install via "installation_mode": "force_installed",
    # either as a JSON string value on the Chrome key or as a subkey per extension.
    $settingsJson = (Get-ItemProperty $root -ErrorAction SilentlyContinue).ExtensionSettings
    if ($settingsJson -or (Test-Path (Join-Path $root "ExtensionSettings"))) {
        Write-Host "[!] ExtensionSettings policy present under $root, review it for force_installed entries"
    }
}
if ($forced -eq 0) { Write-Host "[-] No force-install entries found." }

Write-Host "[+] Listing extensions modified in the last 30 days (all profiles)..."
# Layout: <User Data>\<profile>\Extensions\<id>\<version>\manifest.json
$userData = "$env:LOCALAPPDATA\Google\Chrome\User Data"
if (Test-Path $userData) {
    Get-ChildItem $userData -Directory |
        ForEach-Object { Join-Path $_.FullName "Extensions" } |
        Where-Object { Test-Path $_ } |
        Get-ChildItem -Recurse -Filter "manifest.json" |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
        ForEach-Object {
            $m = Get-Content $_.FullName -Raw | ConvertFrom-Json
            $extId = $_.Directory.Parent.Name
            Write-Host "[!] $extId  $($m.name) v$($m.version)  permissions: $($m.permissions -join ', ')  modified $($_.LastWriteTime)"
        }
} else {
    Write-Host "[-] Chrome User Data directory not found."
}

Remediation

  1. Immediate Removal: Instruct users to open chrome://extensions/, identify the extension posing as "Perplexity" (or any extension they do not recognise) and click "Remove". If there is no Remove button and the entry is shown as installed by an administrator, the extension is policy-forced: users cannot remove it, and the policy entry must be cleared first (step 3).
  2. Verify Clean State: Enable "Developer mode" on chrome://extensions/ so that extension IDs are displayed, confirm every ID is expected, and pay particular attention to unpacked (sideloaded) entries. chrome://policy shows any extension policies currently applied to the browser.
  3. Group Policy Review: Security teams must audit ExtensionInstallForcelist and ExtensionSettings in Group Policy Management, and the corresponding local HKLM and HKCU Policies keys, to ensure no malicious extension ID is being pushed centrally or was planted locally by malware.
  4. User Education: Advise users against sideloading extensions or accepting prompts to install extensions from unknown sources, even if they mimic popular AI tools; an extension's name and icon say nothing about who published it.
