Malicious actors are increasingly exploiting the explosive adoption of generative AI tools (e.g., ChatGPT, Claude, Gemini, Grok) to distribute browser extension-based malware. A coordinated campaign detected by LayerX Security, coined “AiFrame”, consists of 30 distinct Google Chrome extensions that masquerade as legitimate AI assistants while surreptitiously embedding remote server-controlled iframes into users’ browsers. These extensions have collectively been installed by over 260,000 users and pose serious threats to privacy and data integrity.
Threat Architecture: Remote Iframe Injection
Rather than implementing core functionality locally, AiFrame extensions rely on a full-screen iframe loaded from a remote domain (such as claude.tapnetic.pro) for their UI and logic. The injected iframe overlays the active web page, giving the appearance of a native extension interface, but all user interaction and decision logic occur outside the user’s browser environment. By outsourcing core functionality to remote backend infrastructure:
- The attacker can change the UI or behaviour at any time.
- Updates to malicious logic occur without an extension update in the Chrome Web Store.
- New capabilities — including covert data exfiltration — can be introduced silently.
This architecture breaks a foundational assumption of browser security: that reviewed extension code on the Web Store represents the runtime behaviour.
Technical Capabilities and Abuse Mechanisms
1. Page Content Extraction
When directed by the remote iframe, the extension injects a content script into the active tab and triggers data extraction via Mozilla’s Readability library. This process pulls structured content — including titles, main text, excerpts, and metadata — from users’ web pages and forwards it to the remote controller. Since this occurs on the user’s authenticated session, private and internal content can be exposed.
2. Gmail DOM Scraping
A subset of 15 AiFrame extensions includes a Gmail-specific content script that engages on mail.google.com:
- The script runs at document load (
document_start). - DOM observers monitor Gmail’s conversation UI.
- Visible email text (including drafts) is extracted via
.textContentand transmitted to the attacker’s backend.
This allows the campaign to capture email contents outside Gmail’s intended security boundary and send them to remote servers.
3. Voice Recognition API Usage
The extensions support a remote-triggered voice recognition functionality using the Web Speech API. Upon a message from the iframe, the extension activates the speech recognizer and returns transcripts to the remote page. While browser permissions may mitigate some misuse, this capability illustrates the broad reach of remote control dictated by the server.
4. Telemetry and Tracking
AiFrame extensions contain tracking pixel logic that sends install and uninstall events to third-party analytics endpoints. Although legitimate for attribution or retention analysis, this mechanism can also be abused for malicious tracking and campaign analytics.
Command & Control (C2) and Backend Infrastructure
All observed AiFrame variants communicate with a common domain, tapnetic[.]pro, which appears superficially benign but serves as the central C2 hub for remote iframe content and command logic. Each extension variant often uses a subdomain tied to impersonated branding (e.g., Claude, ChatGPT, Gemini), but the underlying API behaviours and request syntax are consistent, indicating single-entity backend control.
The use of subdomains also facilitates flexible backend segmentation and supports extension spraying — publishing multiple superficially different extensions to evade removal and reputation-based filtering.
Evasion and Persistence Tactics
AiFrame employs extension spraying — publishing a family of variants with unique IDs but identical logic — to maintain distribution even after individual takedowns. For example, a removed extension was quickly republished under a new ID while retaining the same iframe architecture and backend communications.
Indicators of Compromise (IOCs)
📌 Chrome Extension IDs and Install Counts
| Extension ID | Name | Approx. Installs |
|---|---|---|
nlhpidbjmmffhoogcennoiopekbiglbp | AI Assistant | ~50,000 |
gcfianbpjcfkafpiadmheejkokcmdkjl | Llama | ~147 |
fppbiomdkfbhgjjdmojlogeceejinadg | Gemini AI Sidebar | ~80,000 |
djhjckkfgancelbmgcamjimgphaphjdl | AI Sidebar | ~9,000 |
llojfncgbabajmdglnkbhmiebiinohek | ChatGPT Sidebar | ~10,000 |
gghdfkafnhfpaooiolhncejnlgglhkhe | AI Sidebar (variant) | ~50,000 |
cgmmcoandmabammnhfnjcakdeejbfimn | Grok | ~261 |
pgfibniplgcnccdnkhblpmmlfodijppg | ChatGBT | ~1,000 |
nkgbfengofophpmonladgaldioelckbe | Chat Bot GPT | ~426 |
baonbjckakcpgliaafcodddkoednpjgf | XAI | ~138 |
| … more minor variants … | – | – |
Note: this table is derived from the extended IOC listing in the original research.
TTP Mapping (MITRE-Aligned)
Below are the mapped common techniques observed in this campaign to analyst terminology, including:
- Resource Development / Infrastructure Acquisition — registering backend domains and subdomains.
- Masquerading — impersonating popular AI brand names to evade suspicion.
- Data Collection & Exfiltration — DOM scraping and remote forwarding of sensitive content.
- Web Communication C2 — remote iframe-driven command channels.
Security Implications and Mitigations
The AiFrame architecture represents a significant deviation from typical browser extension deployments. Because core logic is hosted remotely and rendered via injected iframes, traditional vetting at install time provides no assurance of what executes at runtime.
Recommended Defensive Actions
- Audit Installed Extensions: Regularly inventory and block extensions with broad host permissions (e.g.,
<all_urls>). - Behavior-Based Monitoring: Detect anomalous DOM scraping or network activity to external domains not directly related to extension functionality.
- Enterprise Extension Allowlisting: Only permit extensions reviewed and sanctioned at the organizational level.
- End-User Awareness: Educate users on risks of installing third-party AI assistant extensions, particularly those requesting broad access.
Conclusion
The AiFrame campaign underscores a dangerous trend in which attackers leverage the popularity and trust in AI tools to distribute malicious browser extensions. By outsourcing extension UI and logic to remote iframes, these threats evade static analysis and inject dynamic, backend-controlled malicious behaviours — including DOM extraction and telemetry exfiltration. As generative AI interfaces become more pervasive, defenders must treat browser extension ecosystems as high-risk attack surfaces and adopt behaviour-driven controls to prevent similar campaigns.
