Unit 42 Uncovers Malicious AI Browser Extensions Acting as RATs and Infostealers

Executive Summary

Security researchers at Palo Alto Networks Unit 42 have identified a significant and emerging threat vector: malicious browser extensions disguised as Generative AI (GenAI) productivity aids. At least 18 such extensions were discovered and reported to Google, which have since been removed or flagged. These extensions trick users into granting extensive permissions by promising AI-powered features. In reality, they deploy a range of malware including Remote Access Trojans (RATs), infostealers, and Attacker-in-the-Browser (AitB) tools. The primary goal is to steal sensitive data, such as credentials, proprietary information entered into AI prompts, and session cookies. This threat represents a critical risk for organizations, as compromised browsers can lead to the exfiltration of corporate data and provide a foothold for broader network intrusion.

Threat Overview

Leveraging the widespread adoption of GenAI tools, threat actors are packaging established malware techniques into deceptive browser extensions. These extensions, marketed with names suggesting AI integration for email, browsing, and content creation, exploit the trust users place in productivity applications. Once installed, they abuse the browser's permission model to conduct malicious activities.

Unit 42 categorized the malicious behaviors into six main types: RATs, AitB, spyware, search hijackers, infostealers, and MitM proxies. A key finding is the targeting of data entered into AI service prompts. As employees increasingly use Large Language Models (LLMs) for work—drafting emails, writing code, and developing strategies—these prompts become a treasure trove of sensitive corporate information. By intercepting these prompts, attackers can steal intellectual property, internal communications, and strategic plans directly from the source. The research also noted that some of the malicious code itself appeared to be AI-generated, indicating that attackers are using LLMs to accelerate their own development cycles.

Technical Analysis

Malicious browser extensions operate within the browser's trusted security context, making them a powerful tool for attackers. They use legitimate browser APIs to perform malicious actions, often bypassing traditional network-based security controls.

Attack Vector

The primary attack vector is social engineering, luring users to install the extension from the Chrome Web Store or other marketplaces. The extensions request broad permissions, such as access to <all_urls>, debugger, and webRequest, justifying them as necessary for their advertised AI functionality.

Case Study 1: Chrome MCP Server - AI Browser Control (RAT)

This extension, Chrome MCP Server - AI Browser Control, functions as a full-featured Remote Access Trojan. Despite its store description claiming "100% local processing," the extension contains a hardcoded WebSocket C2 address: wss[:]//mcp-browser.qubecare[.]ai/chrome.

1. Connection: Upon user interaction, it establishes a persistent WebSocket connection to the C2 server.
2. Command Execution: The extension can receive and execute over 30 remote commands. It uses the dangerous new Function() pattern to execute arbitrary JavaScript received from the C2 server within the context of the user's active tab.
3. Impact: This allows the attacker to perform any action the user can, such as accessing authenticated corporate portals, online banking, or email accounts. This is a form of T1059.007 - JavaScript.

Case Study 2: Supersonic AI (Attacker-in-the-Browser)

This extension, Supersonic AI, markets itself as an AI email assistant for Gmail and Outlook. It uses an Attacker-in-the-Browser (AitB) technique to steal data.

1. Data Collection: A content script injected into the page reads the Document Object Model (DOM) of the user's email client.
2. Exfiltration: It collects comprehensive email data—including sender, recipients, subject, and full body content—and exfiltrates it to an external server. This bypasses network security that might look for malicious attachments, as it steals data directly from the rendered page.

MITRE ATT&CK Techniques

The observed behaviors map to the following MITRE ATT&CK techniques:

Impact Assessment

The business impact of these malicious extensions is severe and multifaceted:

• Data Breach: Direct theft of sensitive corporate data, including intellectual property, financial records, customer lists, and strategic plans that are input into GenAI services.
• Credential Compromise: Stolen credentials and session tokens can be used to gain unauthorized access to corporate networks, cloud environments, and other critical systems, leading to wider breaches.
• Financial Loss: Unauthorized access to financial accounts or corporate systems can result in direct financial theft.
• Compliance Violations: The exfiltration of customer or employee PII can lead to significant fines under regulations like GDPR and CCPA.
• Reputational Damage: A public breach originating from employee use of unvetted tools can erode customer trust and damage the company's brand.

IOCs — Directly from Articles

The following Indicator of Compromise was explicitly mentioned in the source article.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect related activity:

Detection & Response

Detecting and responding to this threat requires a multi-layered approach focusing on the endpoint and network.

• Endpoint Detection (EDR): Deploy EDR solutions to monitor browser processes for suspicious behavior. Create rules to alert on browser helper objects or extensions writing to disk, spawning new processes (like powershell.exe), or making suspicious network connections. For detection, D3FEND's Process Analysis can be applied to baseline normal browser behavior and flag anomalies.
• Network Monitoring: Implement Network Traffic Analysis (D3-NTA). Monitor for and alert on WebSocket connections to untrusted or newly registered domains. Use SSL/TLS inspection to gain visibility into encrypted traffic where possible, and block known malicious domains and IPs at the network perimeter.
• Browser Auditing: Regularly audit installed browser extensions across the enterprise. Use enterprise browser management tools to query for extensions with high-risk permissions. Cross-reference installed extension IDs against threat intelligence feeds.
• Incident Response: If a malicious extension is found, the response plan should include: isolating the affected host, revoking all user credentials and active sessions, preserving the endpoint for forensics, and analyzing proxy/firewall logs to determine the scope of data exfiltration.

Mitigation

Organizations should implement a combination of technical controls and user awareness to mitigate this threat.

1. Restrict Extension Installation: Use enterprise browser management policies (e.g., Chrome Browser Cloud Management, Microsoft Edge policies) to enforce an allowlist of approved extensions. This is the most effective technical control. This corresponds to MITRE ATT&CK Mitigation M1033 - Limit Software Installation.
2. User Education and Training: Train users to be skeptical of extensions, especially those requesting broad permissions. Teach them to scrutinize permissions dialogues and understand the risks of granting access to 'all website data'. This aligns with M1017 - User Training.
3. Principle of Least Privilege: Apply the principle of least privilege to user accounts to limit the impact of a compromise. Avoid having users operate with local administrator rights.
4. Regular Audits: Implement a process to regularly audit and review installed browser extensions and their permissions across the organization. This aligns with M1047 - Audit.
5. Network Segmentation: Segment networks to prevent lateral movement from a compromised user workstation to critical servers. This aligns with M1030 - Network Segmentation.