Cybersecurity researchers have uncovered a sophisticated campaign targeting Chrome browser users through fraudulent AI assistant extensions. Security specialists at LayerX have documented a new threat operation called AiFrame, which involves approximately 30 counterfeit Chrome add-ons masquerading as legitimate artificial intelligence tools. These malicious extensions have collectively accumulated over 300,000 installations while impersonating popular AI services such as Claude, ChatGPT, Gemini, Grok, and specialized Gmail AI tools.
Deceptive Extensions Mirror Legitimate AI Tools
The fraudulent Chrome extensions discovered in the AiFrame campaign present themselves as authentic AI-powered utilities designed for content summarization, conversational assistance, writing support, and email management. However, upon installation, these malicious add-ons provide cybercriminals with extensive remote control capabilities over victims’ browsers. The extensions possess concerning functionalities including voice recognition access, pixel-based tracking mechanisms, and the ability to read email content. Security analysts emphasize that these tools are engineered to systematically collect user data and monitor browsing activities.
Despite utilizing different names and visual branding strategies, all 30 identified extensions share identical internal architecture, operational logic, permission structures, and backend systems. Rather than executing functions directly on users’ devices, these malicious tools deploy full-screen iframe elements that load remote content to create their user interface. This design enables attackers to implement modifications covertly without requiring updates through the Chrome Web Store approval process.
Detection and Removal Guidelines
LayerX researchers have published comprehensive documentation containing the complete catalog of extension names and unique identifiers for reference purposes. The deceptive nature of these tools, which employ recognizable branding such as “Gemini AI Sidebar” and “ChatGPT Translate,” makes visual identification challenging for average users. Chrome users can verify their installed AI assistants by navigating to chrome://extensions, activating Developer mode through the top-right toggle, and examining the ID displayed beneath each extension name. Users who discover malicious add-ons should immediately remove them and update their account passwords.
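The manual ID check at chrome://extensions can also be scripted across a profile directory. The following is an added example, not code from LayerX or from this article: it assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`, the names `audit_extensions`, `make_sample_profile`, `BLOCKLIST` and `BROAD` are introduced here, and the single blocklist entry is a constructed placeholder to be replaced with the IDs from LayerX's published list.

```python
import json
import re
import sys
import tempfile
from pathlib import Path

# Placeholder: replace with the IDs from LayerX's published list.
BLOCKLIST = {"a" * 32}  # constructed ID, not a real indicator
ID_RE = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 letters a-p
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(profile_dir, blocklist=BLOCKLIST):
    """Return one record per extension version found under a Chrome profile."""
    findings = []
    for manifest in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        if not ID_RE.match(ext_id):
            continue  # not an extension directory
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            data = {}  # unreadable manifest: still report the ID
        if not isinstance(data, dict):
            data = {}
        perms = list(data.get("permissions") or []) + list(data.get("host_permissions") or [])
        findings.append({
            "id": ext_id,
            "version": str(data.get("version", "?")),
            "name": str(data.get("name", "?")),  # may be a "__MSG_...__" locale key
            "broad_hosts": any(isinstance(p, str) and p in BROAD for p in perms),
            "blocklisted": ext_id in blocklist,
        })
    return findings

def make_sample_profile(root):
    """Write two constructed manifests so the script runs without a real profile."""
    samples = {"a" * 32: {"name": "AI Sidebar (sample)", "version": "1.0",
                          "host_permissions": ["<all_urls>"]},
               "b" * 32: {"name": "Notes (sample)", "version": "2.3",
                          "permissions": ["storage"]}}
    for ext_id, manifest in samples.items():
        ext_dir = Path(root) / "Extensions" / ext_id / (manifest["version"] + "_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    profile = sys.argv[1] if len(sys.argv) > 1 else make_sample_profile(tempfile.mkdtemp())
    for f in audit_extensions(profile):
        print("REMOVE" if f["blocklisted"] else "ok    ", f["id"], f["version"],
              "broad_hosts=%s" % f["broad_hosts"], f["name"])
```

Run without arguments it audits the constructed sample; pass a Chrome profile directory as the first argument to audit a real installation. The `broad_hosts` column is a triage aid only, since an extension that renders its interface from a remote iframe can change behaviour without its manifest changing.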
Industry reports indicate that while some fraudulent extensions have been eliminated from the Chrome Web Store, others continue to operate. Several malicious add-ons have even received the platform’s “Featured” designation, enhancing their perceived credibility. Cybercriminals have demonstrated the ability to rapidly republish their tools under alternative names using established infrastructure, suggesting this campaign may continue evolving. Security experts recommend thorough vetting of all browser extensions, cautioning users against relying solely on familiar branding, and noting that even legitimate AI-powered add-ons from established sources can implement invasive data collection practices.







