A Chrome extension called QuickLens was hijacked after a change of ownership and a malicious update (v5.8) stripped site security headers, gained elevated permissions, and injected scripts from a command-and-control server to run on every page. Those scripts pushed ClickFix fake Google Update prompts, delivered executables and infostealers (including components named Katzilla and AMOS), and attempted to exfiltrate credentials and cryptocurrency wallet seed phrases from thousands of users. #QuickLens #ClickFix #AMOS #Katzilla #MetaMask
Key points
- QuickLens was sold on ExtensionHub and a malicious v5.8 update was pushed to roughly 7,000 users.
- The update requested new permissions and used a rules.json file to strip CSP, X-Frame-Options, and X-XSS-Protection headers from all pages.
- The extension generated a persistent UUID, fingerprinted victims, and polled a C2 at api.extensionanalyticspro[.]top for JavaScript payloads every five minutes.
- Injected scripts displayed fake Google Update alerts (ClickFix), dropped a signed "googleupdate.exe", executed PowerShell stages, and delivered infostealer components like Katzilla/AMOS.
- The campaign targeted cryptocurrency wallets (e.g., MetaMask, Phantom) and other credentials; Google removed QuickLens and affected users should uninstall it, scan devices, reset passwords, and move crypto funds.
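The header-stripping behaviour described above is implemented through Chrome's declarativeNetRequest API: a `rules.json` ruleset with `modifyHeaders` actions that `remove` response headers on a catch-all URL condition. The following triage script is an added example, not QuickLens code or Google's tooling; it loads an unpacked extension's `manifest.json` and referenced rulesets and flags rules that remove security headers on broad conditions, alongside the permissions that make such rules effective. The embedded manifest and ruleset are constructed to mirror the summary, not recovered from the real extension.

```python
"""Triage helper for unpacked Chrome extensions: flag declarativeNetRequest
rules that strip security headers from broad URL patterns, plus the manifest
permissions that enable them.  Added example; the sample data is constructed."""
import json
import os

# Response headers whose removal weakens the visited page's own defences.
SECURITY_HEADERS = {
    "content-security-policy",
    "x-frame-options",
    "x-xss-protection",
    "strict-transport-security",
    "x-content-type-options",
}

# Constructed sample modelled on the behaviour in the summary: all-hosts access,
# declarativeNetRequest, and a ruleset removing CSP / X-Frame-Options /
# X-XSS-Protection on every main-frame and sub-frame response.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "example-ext",
    "version": "5.8",
    "permissions": ["declarativeNetRequest", "storage", "scripting"],
    "host_permissions": ["<all_urls>"],
    "declarative_net_request": {
        "rule_resources": [{"id": "ruleset_1", "enabled": True, "path": "rules.json"}]
    },
}
SAMPLE_RULES = [
    {   # rule 1: the suspicious one
        "id": 1, "priority": 1,
        "action": {
            "type": "modifyHeaders",
            "responseHeaders": [
                {"header": "content-security-policy", "operation": "remove"},
                {"header": "x-frame-options", "operation": "remove"},
                {"header": "x-xss-protection", "operation": "remove"},
            ],
        },
        "condition": {"urlFilter": "*", "resourceTypes": ["main_frame", "sub_frame"]},
    },
    {   # rule 2: an ordinary, narrowly scoped block rule (benign)
        "id": 2, "priority": 1,
        "action": {"type": "block"},
        "condition": {"urlFilter": "||ads.example", "resourceTypes": ["script"]},
    },
]


def is_broad(condition):
    """True when a rule condition matches essentially every URL."""
    for key in ("initiatorDomains", "requestDomains", "domains"):
        if condition.get(key):
            return False                      # scoped to specific domains
    uf = condition.get("urlFilter")
    rf = condition.get("regexFilter")
    if uf is None and rf is None:
        return True                           # no URL constraint at all
    return uf in ("*", "|http", "|https", "http", "https") or rf in (".*", "^.*$")


def find_header_strips(rules):
    """Return [(rule_id, [removed security headers])] for broad modifyHeaders rules."""
    findings = []
    for rule in rules:
        action = rule.get("action", {})
        if action.get("type") != "modifyHeaders":
            continue
        removed = sorted(
            h["header"].lower()
            for h in action.get("responseHeaders", [])
            if h.get("operation") == "remove" and h.get("header", "").lower() in SECURITY_HEADERS
        )
        if removed and is_broad(rule.get("condition", {})):
            findings.append((rule.get("id"), removed))
    return findings


def manifest_risk_flags(manifest):
    """Permissions that let a ruleset like the one above take effect everywhere."""
    flags = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    if perms & {"declarativeNetRequest", "declarativeNetRequestWithHostAccess"}:
        flags.append("declarativeNetRequest")
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        flags.append("all-hosts")
    if "scripting" in perms:
        flags.append("scripting")
    return flags


def triage(manifest, rules_by_path):
    """Combine manifest flags with findings per referenced ruleset."""
    report = {"flags": manifest_risk_flags(manifest), "header_strips": {}}
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        hits = find_header_strips(rules_by_path.get(res.get("path"), []))
        if hits:
            report["header_strips"][res["path"]] = hits
    return report


def load_extension(root):
    """Read manifest.json and each referenced ruleset from an unpacked extension directory."""
    with open(os.path.join(root, "manifest.json"), encoding="utf-8") as f:
        manifest = json.load(f)
    rules = {}
    for res in manifest.get("declarative_net_request", {}).get("rule_resources", []):
        with open(os.path.join(root, res["path"]), encoding="utf-8") as f:
            rules[res["path"]] = json.load(f)
    return manifest, rules


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, {"rules.json": SAMPLE_RULES}), indent=2))
```

Run it against a real unpacked extension with `triage(*load_extension("/path/to/unpacked"))`. A `modifyHeaders` rule that removes CSP on a narrowly scoped domain can be legitimate (some ad-blocking and developer tools do this); the combination of a catch-all condition, `<all_urls>` host access and the `scripting` permission is what should prompt a closer look at the rest of the package.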
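The five-minute C2 polling noted above is a regular, low-jitter pattern that stands out in web proxy logs once requests are grouped by client and destination host. The script below is an added example (not from the original report) of beaconing detection: it parses a simple proxy log format, computes the inter-request gaps per (client, host) pair, and reports pairs whose gaps are highly regular. The log lines are constructed; the host name is the one named in the summary (written undefanged, as it would appear in a log), and the request path `/poll` is an assumption, not an observed indicator.

```python
"""Regular-interval (beaconing) detection over proxy log lines.  Added example;
the log is constructed and the request path is a placeholder."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import mean, median, pstdev

# Log format assumed here: "<ISO timestamp> <client ip> <method> <host> <path> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed log: one client polling the C2 host every ~300 s with small
    jitter, interleaved with ordinary browsing to other hosts."""
    start = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    jitter = [0, 2, -1, 3, 1, -2, 0, 2, -1, 1, 0, 1]          # seconds of drift per poll
    for i, j in enumerate(jitter):
        ts = start + timedelta(seconds=300 * i + j)
        # host from the summary; "/poll" is a constructed placeholder path
        lines.append(f"{ts.strftime(TS_FMT)} 10.0.0.12 GET api.extensionanalyticspro.top /poll 200")
    browsing = [(17, "www.example.com", "/"), (95, "cdn.example.net", "/app.js"),
                (230, "www.example.com", "/news"), (1300, "mail.example.org", "/inbox"),
                (1305, "mail.example.org", "/inbox"), (2800, "www.example.com", "/about")]
    for off, host, path in browsing:
        ts = start + timedelta(seconds=off)
        lines.append(f"{ts.strftime(TS_FMT)} 10.0.0.12 GET {host} {path} 200")
    lines.sort()                                               # ISO timestamps sort lexically
    return "\n".join(lines)


def parse(log_text):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), TS_FMT).replace(tzinfo=timezone.utc)
        yield ts, m.group(2), m.group(4)


def find_beacons(log_text, min_hits=6, max_cv=0.1):
    """Return {(client, host): median_gap_seconds} for pairs with at least
    min_hits requests whose gap coefficient of variation is <= max_cv."""
    times = defaultdict(list)
    for ts, client, host in parse(log_text):
        times[(client, host)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue                           # too few samples to judge regularity
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_cv:
            beacons[key] = median(gaps)
    return beacons


if __name__ == "__main__":
    for (client, host), gap in find_beacons(build_sample_log()).items():
        print(f"{client} -> {host}: regular polling, median gap {gap:.0f}s")
```

The coefficient-of-variation threshold is the tunable part: a human browsing a site produces bursty, irregular gaps, while an extension timer produces gaps that cluster tightly around its period. Lowering `min_hits` catches shorter windows at the cost of more false positives from auto-refreshing pages, so in practice it pays to also whitelist known telemetry and update hosts before alerting.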