Security News

Cybersecurity news aggregator

HIGH Attacks Unit 42

That AI Extension Helping You Write Emails? It’s Reading Them First

A group of 18 malicious AI-themed browser extensions, marketed as productivity tools, function as infostealers and remote access Trojans (RATs) by using techniques like API interception, traffic proxying, and HTTPS response decryption to steal email content, ChatGPT prompts, passwords, and browser session data. The article does not provide CVSS scores, specific affected version ranges, fixed versions, or technical workarounds for the extensions themselves. It advises IT professionals to source extensions only from trusted providers, enforce the principle of least privilege for permissions, and scrutinize extension requests for broad browser data access.
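One way to apply that permission scrutiny before an extension is approved, as an added example (not code from the article or from Unit 42): a Node.js check that flags the permissions the article names (debugger, <all_urls>, webRequest, scripting, plus the proxy, cookies and history APIs) in a manifest.json. The rule set, risk labels and both sample manifests are constructed for illustration.

```javascript
// Added example: flag the extension permissions the article calls out.
// Rule set, risk labels and sample manifests are constructed for illustration.
const RISKY_APIS = new Map([
  ["debugger", "attach the Chrome Debugger Protocol (decrypted HTTPS response bodies)"],
  ["proxy", "apply proxy/PAC settings and reroute traffic"],
  ["webRequest", "observe network requests"],
  ["scripting", "inject scripts into pages"],
  ["cookies", "read and monitor cookies"],
  ["history", "read browsing history"],
]);

// Host patterns that match every site, e.g. <all_urls> or *://*/*
const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(p);

function auditManifest(manifest) {
  const declared = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [
    ...declared.filter((p) => p.includes("://") || p === "<all_urls>"), // MV2 style
    ...(manifest.host_permissions || []), // MV3 style
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  const apis = declared.filter((p) => RISKY_APIS.has(p));
  const broadHosts = [...new Set(hosts.filter(isBroadHost))];
  const findings = [
    ...apis.map((p) => ({ item: p, reason: RISKY_APIS.get(p) })),
    ...broadHosts.map((h) => ({ item: h, reason: "access to every site" })),
  ];
  // Escalate when a traffic-level API is combined with all-site access.
  let risk = findings.length ? "medium" : "low";
  if (broadHosts.length && apis.some((p) => p === "debugger" || p === "proxy")) risk = "high";
  return { name: manifest.name, risk, findings };
}

// Constructed manifest with the permission set the article describes for the RAT case study.
const suspicious = {
  name: "example-ai-browser-control",
  manifest_version: 3,
  permissions: ["debugger", "webRequest", "scripting", "storage"],
  host_permissions: ["<all_urls>"],
};
// Constructed manifest for a narrowly scoped extension.
const scoped = {
  name: "example-notes-helper",
  manifest_version: 3,
  permissions: ["activeTab", "storage"],
  host_permissions: ["https://notes.example.com/*"],
};

for (const m of [suspicious, scoped]) console.log(JSON.stringify(auditManifest(m)));
```

A "high" result means the manifest pairs all-site access with an API that can see or reroute traffic, which is the combination worth a manual code review before approval.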

By: Shresta Bellary Seetharam, Nabeel Mohamed, Billy Melicher, Oleksii Starov, Qinge Xie, Fang Liu
Published: April 30, 2026
Categories: Malware, Threat Research
Tags: AI browser, Browser extension, GenAI, Infostealer, Malware, Remote Access Trojan, Search hijacker, Spyware

Executive Summary

We found 18 AI browser extensions marketed as productivity tools that are not as they seem. This group includes extensions such as:

- One that surveils your emails as you compose them
- Another that intercepts ChatGPT prompts
- A third that exfiltrates passwords

Leveraging the rise of generative AI (GenAI), these extensions deliver remote access Trojans (RATs), meddler-in-the-middle (MitM) attacks and infostealers that target prompts, user behavior and browser sessions.

Attackers blend the following established techniques with AI productivity lures:

- API interception
- Passive Document Object Model (DOM) observation
- Traffic proxying
- HTTPS response decryption

Multiple samples contained AI-generated code, indicating that threat actors employed large language models (LLMs) to accelerate malware production.

We specifically reported 18 high-risk extensions to Google. Google either removed the extensions or sent a warning to the owners of the extensions to address policy violations.

Organizations and individual users should exercise caution by sourcing extensions only from trusted providers and adhering to the principle of least privilege. Users must scrutinize requested permissions, as granting broad access to browser data can authorize the interception of sensitive credentials and proprietary session information.
Palo Alto Networks customers are better protected from the threats discussed above through the following products and services:

- Advanced URL Filtering
- Advanced DNS Security
- Prisma Browser
- Advanced WildFire
- Prisma AIRS

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics: GenAI, Infostealer, Remote Access Trojan

Examples of Extensions Disguised as AI Tools

We identified multiple extensions that appeared to be AI tools delivering RATs and MitM campaigns, which we disclosed via timely threat intelligence (TTI) posts. These include:

- AI-powered summary extensions exfiltrating sensitive data to low-reputation domains (August 2025)
- Adware campaigns using hidden iframes (August 2025)
- Cursor customization extensions delivering potentially unwanted programs (PUPs) (August 2025)
- Prompt and search hijackers redirecting queries to attacker-controlled domains (September 2025)
- Most recently, a Model Context Protocol (MCP)-themed RAT targeting AI developers (February 2026)

Browser Extensions Expand the Client-Side Attack Surface

Browser extensions operate within the browser's trusted process with user-granted permissions. They can read and modify web content, intercept network requests, access cookies and communicate with external servers. These capabilities are shared with legitimate tools like ad blockers, password managers and developer tools.

Deceptive extensions exploit this privileged position:

- An extension can override network request APIs before calls leave the page.
- It can passively monitor DOM changes in targets like Gmail or Notion.
- It can configure browser proxy settings to route traffic through attacker infrastructure.
- It can attach the Chrome Debugger Protocol to read decrypted HTTPS response bodies.

GenAI amplifies the risk. When users type prompts into AI services, they routinely share proprietary code, draft communications and strategic plans. An extension positioned between the user and an AI service intercepts sensitive data. This data is far more valuable than the browsing metadata targeted by typical browser malware.

Our retrospective analysis of detected high-risk extensions revealed the recurring techniques listed in Table 1.

Technique: WebSocket-based C2 channels
Description: Persistent bidirectional communication for command dispatch and session management
Technical characteristics: Maintains an open connection that automatically reconnects on network interruption. Persists across browser restarts. Uses standard WebSocket protocol over HTTPS.
Requires extension privilege: No. Typical malware can establish WebSocket C2 channels. The extension advantage is appearing as legitimate browser traffic and persistence across browser restarts without process injection.

Technique: Browser API hooking
Description: Intercepting JavaScript API calls before network transmission
Technical characteristics: Replaces browser's native window.fetch or XMLHttpRequest functions. Operates in a JavaScript context before data is encrypted for transmission. No interception-layer traffic required.
Requires extension privilege: Yes. Content scripts inject code into the page context with API modification privileges. Typical malware would require browser process injection.

Technique: DOM-based exfiltration
Description: Extracting page content through observation rather than network interception
Technical characteristics: Reads content from the rendered page DOM. The extension generates no network requests for data collection. Operates entirely within the browser process.
Requires extension privilege: Yes. Content scripts have direct read access to the page DOM. Typical malware would require accessibility APIs, screen scraping or browser process memory access.

Technique: Dynamic proxy configuration
Description: Remote proxy auto-configuration (PAC) script updates for selective traffic routing
Technical characteristics: Downloads and applies proxy configuration from a remote server. Can be updated without extension store approval. Applies routing rules per-domain or per-URL pattern.
Requires extension privilege: Partially. Typical malware can modify system proxy settings but lacks the chrome.proxy API for programmatic, extension-scoped, dynamic updates without OS-level permissions.

Technique: Cross-storage persistence with active restoration
Description: Redundant identifier storage across multiple APIs with automated recreation on deletion
Technical characteristics: Stores identifiers in chrome.storage.sync, cookies and localStorage. Monitors storage-change events. Recreates deleted identifiers from remaining copies. Syncs across devices via Chrome profile.
Requires extension privilege: Yes. Requires chrome.storage.sync API for cross-device persistence and chrome.cookies.onChanged API for real-time monitoring. Typical malware cannot access these browser-internal storage mechanisms.

Technique: Misuse of one-time extension events
Description: Install-time payload execution via chrome.runtime.onInstalled
Technical characteristics: The code executes once when the extension installs or updates. The event fires before the user interacts with the extension. Does not repeat on subsequent browser sessions.
Requires extension privilege: Yes. The chrome.runtime.onInstalled event is extension-specific. No equivalent in typical malware.

Table 1. Recurring techniques seen in GenAI high-risk extensions.

As GenAI becomes the primary interface for professional and creative workflows, these extensions can potentially gain direct access to sensitive user information. If operated within the same execution context as the AI interface, these extensions pose a significant risk to enterprises.

We placed detections from campaigns targeting AI users into six distinct malware categories based on their primary operational objective, as shown below in Figure 1. We derived these categories from manual analysis of extension code and network behavior.

Figure 1. Six distinct malware categories observed across the analyzed GenAI browser extensions.

The following sections present case studies of these six high-risk GenAI browser extensions.
A RAT: MCP Server AI Automation Extension

A RAT is malware that grants an attacker complete remote control over a victim's system through a persistent command and control (C2) channel. This case study is for an extension named Chrome MCP Server - AI Browser Control that acts as a RAT.

Extension ID: fpeabamapgecnidibdmjoepaiehokgda
SHA256 hash: 0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5

RATs generally require victims to download and execute suspicious files, actions that security software typically detects as clear indicators of compromise. This GenAI-era adaptation disguises the RAT as an “AI browser automation tool” using the MCP framework, as shown in its Chrome Web Store listing in Figure 2. The listing deceptively states, “100% local processing - your data never leaves your browser” and “No external servers required for core functionality.”

Figure 2. Deceptive malicious extension Chrome MCP Server listing on the Chrome Web Store.

Attackers lead victims to believe that extreme permissions are necessary (debugger, <all_urls>, webRequest, scripting) for AI to control the browser. The extension hardcodes a WebSocket connection to a remote C2 server, as noted in the code snippet in Figure 3.

Figure 3. Extension’s background source code showing C2 server configuration.

From this server, it accepts over 30 remote commands, including:

- Executing arbitrary JavaScript via new Function()
- Chrome Debugger Protocol attachment for HTTPS traffic interception
- Filling out forms
- Capturing screenshots
- Accessing browsing history

When a victim clicks Connect in the pop-up, the extension establishes a persistent WebSocket connection to a remote server, as noted from the source code snippets in Figure 4. This generates the connection to wss[:]//mcp-browser.qubecare[.]ai/chrome. Once connected, the extension reestablishes the C2 channel across network disconnections or browser restarts and the service worker restarts indefinitely.

Figure 4. Chrome MCP Server extension source code and active WebSocket connection to the C2 server.

The extension uses a new Function() pattern to execute JavaScript code received from the remote server over the WebSocket. It then executes the code as JavaScript in the context of the victi
