SearchJack Campaign Uses 23 Chrome Extensions to Hijack Searches From About 758,000 Users


A campaign called SearchJack used 23 deceptive Chrome extensions to route users’ web searches through monetization systems before sending them to search results. The extensions collectively reached about 758,000 users, according to MalExt Sentry.

The extensions appeared to offer normal features such as maps, satellite imagery, video search, new tab tools, and productivity shortcuts. In the background, they changed the default search engine and sent queries through operator-controlled domains tied to affiliate search revenue.

The issue is not a Chrome vulnerability. The campaign abused a legitimate extension feature that lets developers override browser settings. Google’s Chrome settings override documentation says extensions can override selected Chrome settings, including search provider settings on supported platforms.

How SearchJack Hijacks Chrome Searches

SearchJack relies on the chrome_settings_overrides key inside a Chrome extension manifest. That setting can define a new search provider and make it the default search engine when the extension is installed.

In legitimate cases, this feature can support search-related extensions. In SearchJack, researchers said many extensions used it to quietly force search traffic through redirect domains. Users still saw a search results page, but their query first passed through a monetization chain.

The SearchJack report says the campaign involved 22 unique publishers, 23 extensions, and at least eight monetization brokers. The final Yahoo redirect URLs exposed broker tracking through the hspart parameter.

| Campaign detail | Current finding |
| --- | --- |
| Campaign name | SearchJack |
| Extensions identified | 23 Chrome extensions |
| Estimated affected users | About 758,000 |
| Unique publishers | 22 |
| Monetization brokers | At least 8 |
| Main technique | Default search engine override through extension manifests |

Why the Extensions Looked Harmless

Many of the extensions used what researchers described as a shell pattern. They contained little more than a manifest file that set the new default search engine, with few visible signals that would alarm a regular user.

Others included light functionality to make the listing appear useful. Examples included map viewers, menu tools, video search, and search toggling interfaces. Those features helped explain why someone might install the extension, even if the real business model came from search routing.

Google’s Chrome Web Store policies say extensions should clearly disclose their functionality and avoid deceiving or misleading users. SearchJack is notable because some listings and privacy language appeared to point in different directions.

Nautilus Search and Search Toggler Stood Out

Nautilus Search was one of the most notable examples. MalExt Sentry said the store description claimed the extension did not track searches or collect personal information, while the linked privacy policy disclosed collection of IP addresses, search queries, and technical identifiers.

Search Toggler also drew attention because it appeared to let users choose between search engines. Researchers said all queries still passed through searchtoggler[.]com, and routing logic was injected at runtime rather than fully visible in the static extension package.

Google’s settings override reference helps explain why this kind of campaign can operate with little visible behavior. A simple manifest change can shift search traffic without needing broad permissions, a background script, or obvious browser warnings.

  • Some extensions only changed search behavior.
  • Some added basic visible features to look useful.
  • Searches were routed through operator domains before results appeared.
  • Broker tracking appeared in Yahoo affiliate parameters.
  • Users may not notice the change if the final search page looks normal.
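
An added example, not code from the article or from MalExt Sentry: a Python audit that reads extension manifests, reports any default search provider set through chrome_settings_overrides, and flags the shell pattern described above. The sample manifest, its redirect.example.test domain, and the shell-pattern heuristic (no background code, content scripts or permissions) are assumptions made for illustration.

```python
import json
from pathlib import Path
from urllib.parse import urlsplit

# Constructed sample manifest (not from any real extension); the domain is a placeholder.
SAMPLE_SHELL = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Maps Tab",
  "version": "1.0",
  "chrome_settings_overrides": {
    "search_provider": {
      "name": "Example Search",
      "keyword": "ex",
      "search_url": "https://redirect.example.test/s?q={searchTerms}",
      "is_default": true
    }
  }
}
""")

def audit_manifest(manifest):
    """Return a finding if the manifest overrides the default search provider, else None."""
    overrides = manifest.get("chrome_settings_overrides") or {}
    provider = overrides.get("search_provider") or {}
    if not provider.get("is_default"):
        return None
    # Assumed heuristic for the "shell pattern": the override is present, executable parts are not.
    code_keys = ("background", "content_scripts", "permissions", "host_permissions")
    return {
        "name": manifest.get("name", "?"),
        "search_host": urlsplit(provider.get("search_url", "")).hostname,
        "shell_pattern": not any(manifest.get(k) for k in code_keys),
    }

def scan_extensions_dir(extensions_dir):
    """Audit every <id>/<version>/manifest.json under a Chrome profile's Extensions folder."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            finding = audit_manifest(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError):
            continue  # unreadable or malformed manifest: skip it and keep sweeping
        if finding:
            findings.append({"extension_id": path.parts[-3], **finding})
    return findings

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_SHELL))
```

The search_host value is the first hop a query takes, so it is the field to compare against an allowlist of search providers the organization actually approves.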

Why SearchJack Is More Than Annoying Adware

Search hijacking creates privacy and security risk because search queries can reveal personal interests, work projects, medical concerns, financial plans, and company research. Even when the end result looks like a normal search page, the extra routing layer exposes user intent to third parties.

The larger concern is control. If an operator controls the redirect path, it can potentially change where users are sent without pushing a new extension update. That creates a path from search monetization to phishing, scam pages, or malicious downloads if the infrastructure changes hands or becomes more aggressive.

The Chrome Web Store policy page says extensions that alter a user’s web search experience and do not respect existing search settings are a policy concern. That makes enforcement important at both the extension and broker level.

Examples of Extensions Named in the Report

The full campaign includes a long list of extension IDs and redirect domains. The table below highlights several examples from the report, including high-install extensions and notable cases.

| Extension | Reported installs | Redirect domain | Broker signal |
| --- | --- | --- | --- |
| PerfecTab Search | 100,000 | myperfecttab[.]com | hspart=flowsurf |
| Quick Search Tool | 100,000 | query.quicksearchtool[.]com | hspart=adk |
| Better Search | 100,000 | search.getbettersearch-api[.]com | hspart=trp |
| NewTab. Search | 70,000 | newtab[.]club | Not listed |
| Nautilus Search | 50,000 | nautilus-notes[.]com | Not listed |
| Earth | 50,000 | earthapp[.]net | hspart=infospace |
| Template Search | 50,000 | services.templatesearch-svc[.]org | hspart=trp |
| Fusebase Search | 490 | s.fusebase-search[.]com | hspart=dcola |

Broker Networks Make Removal Harder

MalExt Sentry argues that removing individual extensions may not be enough because the underlying money flow sits with broker and affiliate accounts. Extensions can disappear and return under new names, but the monetization relationship can remain useful to the same operators.

The report identified broker signals such as trp, infospace, flowsurf, adk, becovi, imageadvan, mnet, fc, and dcola. Some had public attribution, while others had no clear identity.

This makes SearchJack a supply-chain and enforcement problem, not just a user cleanup issue. Browser stores can remove extensions, but affiliate networks and search partners also need to verify who sends traffic and how that traffic is obtained.

What Chrome Users Should Do

Chrome users should check installed extensions and remove anything unfamiliar, especially search tools, map extensions, new tab helpers, or browser utilities they do not actively use. Google’s Chrome Web Store Help explains that users can remove an extension by opening Chrome, going to Extensions, choosing Manage extensions, and selecting Remove.

Users should also review the default search engine after removing suspicious extensions. If the setting keeps changing, more than one extension may be involved, or Chrome may need a settings reset.

Google’s Chrome reset settings guide says resetting Chrome restores settings to their original defaults and disables extensions. It does not delete bookmarks, history, or saved passwords, but users should still review browser settings afterward.

  1. Open Chrome and go to chrome://extensions.
  2. Remove unfamiliar search, map, video, coupon, menu, or new tab extensions.
  3. Open chrome://settings/searchEngines and confirm the default search engine.
  4. Review site permissions for remaining extensions.
  5. Reset Chrome settings if the browser keeps changing search behavior.

What Enterprises Should Monitor

For companies, the risk goes beyond consumer privacy. Corporate search queries can reveal internal projects, customer names, security tools, vendors, incidents, and legal research. That makes browser extensions part of endpoint and data protection strategy.

Admins should inventory installed extensions, block risky extension categories, and allow only approved publishers or specific extension IDs. They should also monitor DNS and proxy logs for SearchJack redirect domains, especially on managed devices.

Google’s extension management guidance is useful for individual removal, but enterprises should pair cleanup with policy controls. Search hijackers can return quickly if users can freely install similar extensions again.

| Indicator type | Indicator | Description |
| --- | --- | --- |
| Domain | myperfecttab[.]com | PerfecTab Search redirect domain |
| Domain | query.quicksearchtool[.]com | Quick Search Tool redirect domain |
| Domain | nautilus-notes[.]com | Nautilus Search redirect domain |
| Domain | earthapp[.]net | Earth redirect domain |
| Domain | searchtoggler[.]com | Search Toggler operator domain |
| Domain | bestfreemaps[.]com | Get Maps and Satelliten Earth redirect domain |
| Domain | oasrchrdr[.]com | Surfer Search redirect domain |
| Extension ID | hohedjmdoemgcpgdapepfhnilbedldnm | PerfecTab Search |
| Extension ID | flcaigefphghbcgbmfngbfdgipdflfpn | Nautilus Search |
| Extension ID | hodgcolihbmeagfcfpdfpnapfflmpbkb | Search Toggler |
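
An added example, not code from the article or from MalExt Sentry: one way to run the proxy log monitoring described above, matching request hosts against the redirect domains in the indicator table and reading the hspart broker signal from Yahoo result URLs. The log line format (time, client, method, URL), the sample lines, and the rule that Yahoo results are served under yahoo.com are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Redirect domains from this article's indicator table, stored defanged as printed.
DEFANGED = ["myperfecttab[.]com", "query.quicksearchtool[.]com", "nautilus-notes[.]com",
            "earthapp[.]net", "searchtoggler[.]com", "bestfreemaps[.]com", "oasrchrdr[.]com"]
REDIRECT_DOMAINS = {d.replace("[.]", ".") for d in DEFANGED}
# Broker signals the report lists for the hspart parameter.
BROKERS = {"trp", "infospace", "flowsurf", "adk", "becovi", "imageadvan", "mnet", "fc", "dcola"}

def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(url):
    """Return (kind, detail) for a URL of interest, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if host_matches(host, REDIRECT_DOMAINS):
        return ("redirect_domain", host)
    if host_matches(host, {"yahoo.com"}):  # assumption: Yahoo results live under yahoo.com
        hspart = parse_qs(parts.query).get("hspart", [""])[0].lower()
        if hspart in BROKERS:
            return ("broker_hspart", hspart)
    return None

def scan(lines):
    """Return (client, kind, detail) per matching line; assumed format: time client method url."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # not a request line in the assumed format
        hit = classify(fields[3])
        if hit:
            hits.append((fields[1], *hit))
    return hits

# Constructed proxy log lines (RFC 5737 client addresses, made-up paths and queries).
SAMPLE_LOG = [
    "2025-01-01T09:00:01Z 192.0.2.10 GET https://query.quicksearchtool.com/?q=vpn+vendor",
    "2025-01-01T09:00:02Z 192.0.2.10 GET https://search.yahoo.com/search?p=vpn+vendor&hspart=adk",
    "2025-01-01T09:00:05Z 192.0.2.11 GET https://search.yahoo.com/search?p=weather",
    "2025-01-01T09:00:09Z 192.0.2.12 GET https://notmyperfecttab.com/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A broker_hspart hit without a preceding redirect_domain hit from the same client is still worth a look, since the report notes that extensions can return under new names while the broker relationship stays the same.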

SearchJack Shows How Small Extensions Can Create Large Privacy Risk

SearchJack shows how a low-permission browser extension can still affect privacy at scale. An extension does not need to steal cookies or passwords to create risk. Redirecting search queries can expose sensitive behavior and give operators control over a user’s browsing path.

Users who already removed suspicious extensions should still confirm their default search settings. Google’s reset settings page can help when Chrome continues to behave unexpectedly after extension removal.

The main lesson is simple for both users and organizations: treat search-changing extensions with caution. A tool that changes search behavior should clearly explain what it changes, who receives the queries, and how the operator makes money from the traffic.

FAQ

What is the SearchJack campaign?

SearchJack is a campaign of 23 deceptive Chrome extensions that changed users’ default search engines and routed search queries through monetization middleware before showing results.

How many users were affected by SearchJack?

MalExt Sentry reported that the 23 SearchJack extensions collectively affected about 758,000 Chrome users.

How did SearchJack extensions hijack searches?

The extensions used Chrome’s chrome_settings_overrides manifest key to set a new default search provider. User queries then passed through operator-controlled redirect domains tied to affiliate search monetization.

Is SearchJack malware or adware?

SearchJack is best described as deceptive search-hijacking adware. It monetized user searches, but it also created privacy and security risk because operators controlled the redirect path.

What should Chrome users do about SearchJack extensions?

Users should remove unfamiliar extensions, check their default search engine, review extension permissions, and reset Chrome settings if the browser keeps redirecting searches.
