Amazing Refresh — A Malicious Chrome Extension Running Malware in the Browser
A security researcher at Report URI uncovered 'Amazing Refresh', a Chrome and Edge browser extension with nearly 100,000 installs that masquerades as a tab auto-refresher while running a sophisticated malware operation. The extension exfiltrates page URLs, user-agent data, and element IDs to a command-and-control (C&C) server, injects remotely served JavaScript into every page in the MAIN execution context (bypassing Chrome's extension sandbox), and hijacks outbound affiliate link clicks to monetise user traffic without the knowledge of users or website owners. The payload uses multiple evasion techniques, including DOM self-removal, iframe fingerprinting, suppressed click events, and dynamically served scripts. The extension has been reported to both Google and Microsoft for removal. Detection was possible through Report URI's JavaScript integrity monitoring, which tracks the code executing in the browser context of customer websites.
Table of contents
How we do it
Browser Extensions
Amazing Refresh
Script injection
The malicious payload
Evasion techniques
Impact on website owners
Reporting the malicious extensions
Indicators of Compromise
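The detection angle in the summary, a monitor that records scripts inserted into a page and flags ones from unexpected origins or ones that remove themselves from the DOM shortly after running, as an added example. This is not Report URI's monitoring code; the allowlisted origin, the constructed sample events and the 2-second self-removal window are assumptions.

```javascript
// Added example, not the original article's code: a minimal script-integrity monitor.
// auditScriptEvents() is pure and runs anywhere; startScriptMonitor() wires it to a
// MutationObserver and only runs when a DOM is present.

const ALLOWED_SCRIPT_ORIGINS = ["https://www.example-shop.test"]; // assumption: the site's own origin

// events: [{src, insertedAt, removedAt}] in ms, as recorded by the observer below.
function auditScriptEvents(events, allowedOrigins = ALLOWED_SCRIPT_ORIGINS, selfRemoveMs = 2000) {
  const findings = [];
  for (const ev of events) {
    const reasons = [];
    let origin = "inline";
    if (ev.src) {
      try { origin = new URL(ev.src).origin; } catch { reasons.push("unparseable-src"); }
      // Third-party script origin the site does not expect (remotely served payload).
      if (origin !== "inline" && !allowedOrigins.includes(origin)) reasons.push("unexpected-origin");
    }
    // DOM self-removal: the element vanished soon after insertion, but it already executed.
    if (ev.removedAt != null && ev.removedAt - ev.insertedAt <= selfRemoveMs) reasons.push("self-removed");
    if (reasons.length) findings.push({ src: ev.src || "(inline)", origin, reasons });
  }
  return findings;
}

// Browser wiring: record every <script> added to the document and note when it disappears.
function startScriptMonitor(onFinding) {
  const events = [];
  const reported = new Set();
  const observer = new MutationObserver((mutations) => {
    const now = Date.now();
    for (const m of mutations) {
      for (const n of m.addedNodes) {
        if (n.tagName === "SCRIPT") events.push({ node: n, src: n.src || "", insertedAt: now, removedAt: null });
      }
      for (const n of m.removedNodes) {
        const ev = events.find((e) => e.node === n);
        if (ev && ev.removedAt == null) ev.removedAt = now;
      }
    }
    for (const f of auditScriptEvents(events)) {
      const key = f.src + "|" + f.reasons.join(",");
      if (!reported.has(key)) { reported.add(key); onFinding(f); }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

if (typeof document !== "undefined") {
  startScriptMonitor((f) => console.warn("script-integrity finding", f)); // replace with a report endpoint
}
```

A production monitor would also hash inline script bodies so that an unchanged first-party script is not re-reported on every page load.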