18 AI Browser Extensions Found Functioning as RATs and Infostealers
Unit 42 identified 18 AI-themed browser extensions that operate as remote access Trojans, meddler-in-the-middle tools, and infostealers, intercepting emails, ChatGPT prompts, and passwords.
Unit 42 researchers have uncovered 18 AI-themed browser extensions that are actually malicious tools designed to steal sensitive data. Marketed as productivity aids, these extensions function as remote access Trojans (RATs), meddler-in-the-middle (MitM) proxies, and infostealers. They intercept API calls, monitor DOM changes, proxy traffic, and decrypt HTTPS responses to exfiltrate emails, ChatGPT prompts, and passwords. Some samples contain AI-generated code, indicating that threat actors used large language models (LLMs) to accelerate malware development.
The extensions exploit the privileged position of browser extensions, which operate within the browser's trusted process with user-granted permissions. They can read and modify web content, intercept network requests, access cookies, and communicate with external servers. Techniques include WebSocket-based command-and-control (C2) channels, browser API hooking, DOM-based exfiltration, dynamic proxy configuration, and cross-storage persistence with active restoration. These methods allow the extensions to maintain persistent access and evade detection.
The impact is significant because users often type proprietary code, draft communications, and strategic plans into AI services. An extension positioned between the user and an AI service can intercept this highly valuable data. The researchers noted that the data targeted is far more valuable than the browsing metadata typically stolen by browser malware. The extensions were reported to Google, which removed them or sent warnings to the owners for policy violations.
Organizations and individual users are advised to exercise caution by sourcing extensions only from trusted providers and adhering to the principle of least privilege. Users must scrutinize requested permissions, as granting broad access to browser data can authorize the interception of sensitive credentials and proprietary session information. Palo Alto Networks customers are protected through products like Advanced URL Filtering, Advanced DNS Security, Prisma Browser, Advanced WildFire, and Prisma AIRS.
This discovery highlights the growing risk of AI-themed lures in malware campaigns. As generative AI tools become more popular, attackers are leveraging their appeal to trick users into installing malicious extensions. The use of AI-generated code in the malware itself also signals a new trend where LLMs are used to accelerate malware production, making it easier for threat actors to create sophisticated tools.
The findings underscore the need for robust browser security policies and user education. Enterprises should consider deploying browser security solutions that can detect and block malicious extensions. Regular audits of installed extensions and strict permission controls can help mitigate the risk. The research serves as a reminder that not all AI tools are trustworthy, and users should verify the legitimacy of extensions before installation.