惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Stack Overflow Blog
Stack Overflow Blog
Simon Willison's Weblog
Simon Willison's Weblog
B
Blog
V
Visual Studio Blog
G
Google Developers Blog
云风的 BLOG
云风的 BLOG
S
SegmentFault 最新的问题
博客园 - 司徒正美
博客园 - 【当耐特】
T
Tenable Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
宝玉的分享
宝玉的分享
N
Netflix TechBlog - Medium
S
Secure Thoughts
Hugging Face - Blog
Hugging Face - Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
IT之家
IT之家
Google DeepMind News
Google DeepMind News
Last Week in AI
Last Week in AI
大猫的无限游戏
大猫的无限游戏
PCI Perspectives
PCI Perspectives
H
Hackread – Cybersecurity News, Data Breaches, AI and More
阮一峰的网络日志
阮一峰的网络日志
P
Privacy International News Feed
N
News and Events Feed by Topic
H
Hacker News: Front Page
MongoDB | Blog
MongoDB | Blog
Google DeepMind News
Google DeepMind News
F
Full Disclosure
Google Online Security Blog
Google Online Security Blog
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
H
Heimdal Security Blog
Project Zero
Project Zero
C
CERT Recently Published Vulnerability Notes
MyScale Blog
MyScale Blog
AI
AI
月光博客
月光博客
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
WordPress大学
WordPress大学
L
Lohrmann on Cybersecurity
TaoSecurity Blog
TaoSecurity Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
C
CXSECURITY Database RSS Feed - CXSecurity.com
Spread Privacy
Spread Privacy
Apple Machine Learning Research
Apple Machine Learning Research
GbyAI
GbyAI
SecWiki News
SecWiki News
C
Cisco Blogs
The Last Watchdog
The Last Watchdog

Hackread – Cybersecurity News, Data Breaches, AI and More

Operation Endgame Disrupts StealC, Amadey and SocGholish Malware Networks New GhostShell Hacking Group Targets Ukraine’s Drone Defense Sector Fake npm Packages Impersonate PostCSS Tool to Steal Chrome Passwords Best Crypto Payment Solutions for E-Commerce Businesses Internet Society Foundation Opens Global Call for Common Good Cyber Fund to Strengthen Cybersecurity LastPass Confirms Customer Data Breach After Klue OAuth Token Theft ‘Cordyceps’ CI/CD Flaw Exposes Microsoft, Google, Apache Repos to Pipeline Hijacking The Rise of AI-Powered Academic Fraud: Beyond Traditional Plagiarism New CryptoBandits Malware Uses USB Drives and Tor to Steal Crypto The Evolution of iGaming Fraud: What Security Teams Should Expect in 2027 2 Scattered Spider-Linked Hackers Plead Guilty Over £39M TfL Cyberattack Beats Studio Buds Flaw Could Let Nearby Attackers Eavesdrop on Users Texas Parks and Wildlife Data Breach Affects Over 3M License Customers Threat Hunting Beyond Alerts: Finding the Activity Detection Misses Scammers Use Fake GitHub Stars, VirusTotal Reviews to Spread Crypto Clipper Salesforce Disables Klue Integration After OAuth Token Theft Hits Customer Data MDR Provider Comparison: Time to Discover and Respond to Threats Meteor 3.0 Migration Helped Rocket.Chat Move Off End-of-Life Node.js Runtime Gcore Helps Ucom Safeguard Public Live Broadcast Infrastructure During Armenia’s Parliamentary Elections Nintendo America Employee Data Exposed After Shadowbyt3$ Targets TinyPulse eFAQ Publishes Investigation Into Alleged Scam Activity and Coordinated Reputation Attacks FIFA World Cup 2026: Hackers Target Football Fans With Fake Tickets Sites MacBook Neo vs Windows Laptops for Cybersecurity Tasks Operation Endgame Disrupts SocGholish Malware Infrastructure What Businesses Should Know Before Migrating Their CMS DragonForce Ransomware Abused Microsoft Teams to Hide Malware Activity Agentjacking: Researchers Show How One Fake Bug Report Can Hijack AI Coding Agents FortiBleed Attack Exposes Fortinet Firewall Credentials in 194 Countries SpyCloud Report Finds Phishing Attacks Surge as Employee Data Is Exposed at 86% of Fortune 100 Companies Heimdal Survey: Executives Four Times More Confident About AI Risk Than the Teams Managing It ESET MDR vs Sophos MDR: Compared Time to discover and respond to a threat 15 Malicious JetBrains Plugins Caught Stealing DeepSeek, OpenAI API Keys Amos Stealer Targets macOS Keychain Files and Browser Passwords Aembit Extends IAM for Agentic AI to Microsoft Copilot Studio AppViewX Launches Agent Identity Security to Govern Agents for the AI and Quantum Era New Rokarolla Android Trojan Found Targeting 217 Crypto and Banking Apps Developer laptops are the credential store attackers are picking through in 2026, GitGuardian announces Endpoint Protection Best of Android Fax Apps: Top 5 Secure Picks for 2026 Feds Seize CFAKE and SOCFAKE Over Explicit Deepfakes of Famous Women Handala Hacking Group Claims Breach of California Water Service Over 50 Android Apps Found Spreading MagicAd Trojan via Official Stores Hackers Hide New Argamal Malware Inside Working Hentai Games Extradited Ukrainian Man Admits Role in Conti Ransomware Attacks Atomic Arch Campaign Hijacks 20+ Linux AUR Packages to Deliver Malware ShinyHunters Target Universities in Oracle PeopleSoft Zero-Day Attack The SpaceX Pre-IPO Market: How Crypto Rails Are Opening Synthetic Access Feds Seize AudiA6 and Dark2Web in $389M Crypto Laundering Case ShinyHunters Leak 40GB of University of Nottingham Student Data Authorities Dismantle Decade-Old SniperDZ Phishing Network Criminal IP at Infosecurity Europe 2026: Introducing AITEM, the Next Chapter of Attack Surface Management Hackers Use Fake Claude Code Guide and AI PDFs to Spread AsyncRAT Malware The Hidden Security Risks of Poor Software Testing FBI Seizes China-Linked Fake Consulting Sites Targeting US Clearance Holders How to Turn Images into Animated Videos with AI: A Wondershare Filmora Guide Scammers Use TikTok and Instagram Reels to Spread Vidar Infostealer ServiceNow Discloses Security Incident Exposing Customer Data Cloud Security Report Finds Fragmented Tools Widening the Cloud Complexity Gap Microsoft June 2026 Patch Tuesday Fixes 206 Flaws and 3 Zero-Days Network Log Analysis: Why Collecting Logs is Not Enough E-Signature Security Checklist Before Selecting an E-Signature Tool Maine Govt Portal Lists 10M Discord Data Breach Notice, But Filing Shows Red Flags Handala Claims Israeli Radar Hack, But Evidence Shows Phone Admin Panel WhatsApp Says It Blocked Pegasus Spyware Campaign Linked to NSO Operation FlutterBridge Uses Fake Google Ads to Spread macOS Backdoor Hackers Clone Ghidra, dnSpy and Other Tool Sites to Spread Malware Silent Ransom Group Uses Fast Flux Botnet to Hide Law Firm Leak Sites New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams Miasma Malware Hits 32 Red Hat Packages via Compromised GitHub Account Atlas Menu Data Breach Exposes 64,000 GTA V and CS2 Cheat Service Users Reaper macOS Infostealer Abuses Script Editor to Steal Crypto and Passwords iFood Confirms Data Breach Affecting 1.2 Million Users in Brazil Why eSIMs Are Replacing Traditional SIM Cards Lazarus Group Uses npm Brandjacking Campaign to Target Developers Five Eyes Warns Chinese Spies Are Using Fake Job Ads to Target Military Staff How to Recover Data from iCloud Backup Without Resetting Your iPhone China-Linked TA4922 Hackers Target UK, Europe With New SilentRunLoader Malware Alcasec, "Robin Hood of Spanish Hackers," Jailed for 31 Months Over Data Theft Fake ChatGPT Desktop App Ads Used to Push Password-Stealing Malware Hackers Abused Meta’s AI Support Bot to Hijack Major Instagram Accounts New WordPress Malware Uses Steam Profile Comments to Hide C2 Instructions Halo Security Honored with 2026 MSP Today Product of the Year Award Why Encrypted File Sharing Is Essential for Modern Businesses What One Predator Case Can Reveal About an Online Platform’s Safety Gaps RaccoonLine Publishes 2026 dVPN Buyer’s Guide for Privacy-Focused Users How to Get a Reddit API Key in 2026: Step-by-Step Guide Zero-Click pretalx XSS Flaw Lets Hackers Hijack Conference Organizer Accounts How to Get the Most From Your Explainer Video Production Services Fake Purchase Order Emails Spread Fileless PureLogs Malware via RAR Archives 27,000-Download Codex UI Tool Secretly Stole OpenAI Refresh Tokens Fake Anthropic Sites Deliver Fileless Infostealer to Claude Code Users The Deliverability Problem: How New Platforms Are Solving Inbox Placement The CISO Whisperer's Watch List For The Gartner Security & Risk Management Summit 2026 Can Big Data Predict Market Movements Accurately? Iran’s Nimbus Manticore Used Trojanized Zoom Installers Against US Firms How Can MSSPs Scale Threat Detection Without Burning Out Their Analysts? Link11 is fully committed to Europe and is opening a Customer Excellence Hub in Lisbon Trojanized Gemini and Claude Installers Target Developers Via SEO Poisoning Claude Mythos AI Identified 10,000+ Software Vulnerabilities in One Month FBI Chief Kash Patel’s Clothing Store Hacked in ClickFix Infostealer Attack Netherlands Busts Bulletproof Hosting Network Linked to Disinfo and Cybercrime
152 Chrome Live Wallpaper Extensions Hid Ad Tracking and Fake Search Clicks
Waqas · 2026-06-17 · via Hackread – Cybersecurity News, Data Breaches, AI and More

A group of Chrome extensions offering live wallpapers has been linked to a large ad monetization and traffic attribution scheme, according to new research from Socket’s Threat Research Team.

The extensions were marketed as harmless new tab customization tools featuring anime, football, cars, games, and other popular themes. Behind the familiar Chrome Web Store listings, researchers found a shared codebase used by 152 extensions connected to 38 publisher accounts and three main brand domains.

Socket said 141 of the extensions were still live and retrievable from the Chrome Web Store during its analysis, while 11 had already been delisted. Together, the network had about 105,000 reported installs.

How the Chrome Extension Network Works

The extensions did not steal passwords or inject ads into pages visited by users, according to the research. Their main purpose is to drive users to ad monetized websites, track install and uninstall events, and make extension generated traffic appear as if it came from real Google organic search clicks.

Many of the extensions used names and visuals based on well known topics, including Neymar, Satoru Gojo, Anime Car Drift, Gachiakuta, Hello Kitty, Minecraft, BMW, Naruto, and other entertainment brands. The listings presented them as simple live wallpaper or new tab extensions.

Socket found that the operation was split between three brand backends: tabplugins.com, yowgames.com, and chromewallpaper.com. The chromewallpaper domain redirected users to owhit.com, another domain linked to the same monetization setup.

Fake Google Search Traffic and Ad Revenue

The most active part of the campaign was connected to tabplugins.com. A subset of 54 extensions using the newer tabplugins template added fake Google organic search attribution to install traffic. When a user installed one of these extensions, the background script opened a tab to the operator’s site with tracking parameters claiming the visit came from Google organic search.

For context, organic search traffic is valuable to publishers, advertisers, and analytics systems. A site receiving visits from Google search may look more trusted and more popular than one sending traffic to itself. In this case, Socket found that the traffic was created by the extension, not by a person searching Google and clicking a result.

The uninstall process used another trick. The extensions set an uninstall URL that wrapped the operator’s site inside a google.com/url redirect format, including Google style tracking parameters. This made an uninstall related visit appear closer to a real Google search result click.

In its blog post, Socket described the behavior as deceptive traffic measurement and adware adjacent activity, not a classic malware infection. The extensions worked as wallpaper tools, but they also pushed users into an advertising funnel and misrepresented how traffic reached the operator’s sites.

Chrome Live Wallpaper Extensions Hid Ad Tracking and Fake Search Clicks

Privacy Claims Did Not Match the Extension Behavior

The operation also carried a privacy issue. Chrome Web Store listings for the extensions stated that the developer would not collect or use user data. However, the linked privacy policy said something else.

According to Socket, the policy admitted logging IP addresses, browser type, internet service provider, date and time stamps, referrers, click counts, and other data, with sharing involving Google AdSense, DoubleClick, Google Analytics, and third party ad partners.

It is worth noting that Google’s Chrome Web Store rules require privacy disclosures to match an extension’s actual behavior and its published privacy policy. Socket said the same “no data collected” disclosure appeared on all 141 live listings it resolved.

The extensions also included an IndexedDB deletion routine inside the background script. On each service worker start, the code attempted to list and delete databases visible to the extension’s own origin. Socket found that the routine did not delete website data, cookies, sessions, or browsing data because Manifest V3 extension storage is separated by origin.

Still, researchers considered it a notable fingerprint of the family because the same routine appeared in every analyzed extension. In the current build, it appeared inactive in practical terms because the extensions stored their own settings in localStorage, not IndexedDB.

Socket also found signs of rushed mass production. Three tabplugins-based extensions shipped a broken background script because of a syntax error in the install URL. Those extensions are still installed and changed the new tab page, but their background tracking logic failed to run.

The monetization setup was based on sending users to ad-funded sites. The tabplugins domain loaded a programmatic ad stack involving Google Ad Manager, Prebid, AppNexus or Xandr, PixFuture, SmileWanted, Google Analytics 4, and other ad-related services. Socket also found Google AdSense and Google Analytics use on the yowgames and owhit domains through archived pages.

The researchers did not attribute the operation to a confirmed country or real world person. They noted some public contact details and names that could suggest a Turkish connection, but said those clues were not enough for firm attribution.

Chrome Live Wallpaper Extensions Hid Ad Tracking and Fake Search Clicks
Malicious extensions and contradictory privacy policies (Credit: Socket)

What Chrome Users Should Do

Nevertheless, remove live wallpaper or new tab extensions connected to tabplugins.com, yowgames.com, chromewallpaper.com, or owhit.com. After removal, users should check that Chrome’s new tab page and default search engine are set to their preferred choices.

Chrome users should also treat new tab extensions with caution, especially when they request search related permissions or route users to outside web pages. A wallpaper extension should not need to play games with Google search attribution or send install and uninstall traffic to ad funded sites.

Socket published indicators of compromise covering publisher accounts, email addresses, domains, advertising IDs, analytics properties, and Chrome extension IDs connected to the operation.

(Photo by Justin Min on Unsplash)