MalExt Sentry Report Library | 2026-06-13 | Tracking: Prompt Hijacking

PromptSnatcher: Ad Blockers Stealing AI Chats

Indicators of Compromise

Primary SDK Fingerprints

| Field | Value |
|---|---|
| Partner ID | 231 (internal `partnerId`) |
| Distributor ID | 231 (internal `distributorId`) |
| Panel ID | 4 (internal `panelId`) |
| Messaging Protocol | `LDP_MESSAGE` |
| Shared Platform IDs | q7m2xa, v4n8bk, h9p3td, r6c1lz, k2f8yu, z3x7pn, b8j4rs, m5w9qe |
| C2 Endpoint Pattern | https://c.[domain].com/configuration, https://c.[domain].com/captures |

Affected Extensions

| Field | Extension A | Extension B |
|---|---|---|
| Extension Name | Smart Adblocker | Adblock for Browser |
| Extension ID | `iojpcjjdfhlcbgjnpngcmaojmlokmeii` | `jcbjcocinigpbgfpnhlpagidbmlngnnn` |
| Version Analyzed | 3.4.4 | 2.0.0 |
| C2 Domain | smartadblocker.com | abforbrowser.com |
| Install Count | ~80,000 users | ~10,000 users |

Executive Summary

PromptSnatcher (internal identifier: Panel 231) is a data collection operation comprising two browser extensions that share identical infrastructure and an undisclosed conversation capture engine. While presented as ad blockers, the extensions ship a custom-built interception engine that records non-public conversations, model usage, and account-tier metadata from every major AI platform (ChatGPT, Claude, Gemini, and others). The operation uses legitimate public filter lists (EasyList, IDCAC) as functional cover, providing genuine ad-blocking utility while running an undisclosed telemetry channel.


Methodology & Discovery

The investigation was initially flagged by the MalExt Sentry automated scanner because the Google Tag Manager ID GTM-TCT2RJ recurred across the filter rules of multiple extensions. Subsequent analysis confirmed this tag is a non-attributive artifact: it is Rule 1130 of the public _I Don't Care About Cookies_ blocklist, targeting fullrate.dk, so it does not tie the extensions to any operator. Its presence was coincidental, but it provided the initial forensic pivot for manual review.

The true connection between these extensions is the "Panel 231" SDK: identical obfuscated exfiltration logic, matching C2 infrastructure patterns, and a shared LDP_MESSAGE internal communication protocol across extensions published under different names and domains.
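The SDK fingerprints in the table at the top of this report can be turned into a static triage check for other unpacked extensions. The following is an added example, not code from the MalExt Sentry project or from either extension: it scans extension source text for the `LDP_MESSAGE` constant, the partner/distributor/panel IDs, the `c.[domain]/configuration` and `/captures` endpoint pattern, and the shared platform IDs. The regexes, weights, threshold and both sample files are constructed for illustration and should be tuned against real unpacked extensions before the verdict is relied on.

```javascript
// Added example (not code from the MalExt Sentry report or from the extensions):
// static triage scanner for the Panel 231 SDK fingerprints listed in the IoC table.
// Regexes, weights, threshold and sample inputs are constructed assumptions.

const PLATFORM_IDS = [
  "q7m2xa", "v4n8bk", "h9p3td", "r6c1lz", "k2f8yu", "z3x7pn", "b8j4rs", "m5w9qe",
];

// Weighted indicators. Weights are an assumption: the protocol constant and the
// C2 endpoint pattern are the strongest signals; the small numeric IDs are weaker
// because integers like 4 or 231 collide easily in unrelated code.
const INDICATORS = [
  { name: "ldp_message_protocol", re: /\bLDP_MESSAGE\b/, weight: 3 },
  { name: "c2_configuration_endpoint", re: /https?:\/\/c\.[a-z0-9.-]+\/configuration\b/i, weight: 3 },
  { name: "c2_captures_endpoint", re: /https?:\/\/c\.[a-z0-9.-]+\/captures\b/i, weight: 3 },
  { name: "partner_id_231", re: /\bpartnerId\b\s*[:=]\s*["']?231\b/, weight: 2 },
  { name: "distributor_id_231", re: /\bdistributorId\b\s*[:=]\s*["']?231\b/, weight: 2 },
  { name: "panel_id_4", re: /\bpanelId\b\s*[:=]\s*["']?4\b/, weight: 1 },
];

// Shared platform IDs that appear as quoted string literals in the source.
function platformIdHits(text) {
  return PLATFORM_IDS.filter((id) => new RegExp("[\"'`]" + id + "[\"'`]").test(text));
}

// Score one file. Platform-ID hits are capped at 4 points so a coincidental ID or
// two can never flag a file on its own (threshold defaults to 5).
function scanSource(text, threshold = 5) {
  const matched = INDICATORS.filter((ind) => ind.re.test(text));
  const platformIds = platformIdHits(text);
  const score = matched.reduce((sum, ind) => sum + ind.weight, 0) + Math.min(platformIds.length, 4);
  return { hits: matched.map((ind) => ind.name), platformIds, score, flagged: score >= threshold };
}

// Scan every file of an unpacked extension given as { path: text } and roll up.
function scanExtension(files, threshold = 5) {
  const perFile = {};
  for (const [path, text] of Object.entries(files)) perFile[path] = scanSource(text, threshold);
  const flaggedFiles = Object.keys(perFile).filter((p) => perFile[p].flagged);
  return {
    perFile,
    flaggedFiles,
    verdict: flaggedFiles.length > 0 ? "panel231-sdk-suspected" : "no-match",
  };
}

// Constructed samples (not extracted from either extension): one file carrying the
// SDK fingerprints and one benign filter-list loader with a single coincidental ID.
const SAMPLE_FILES = {
  "background.js": `
    const cfg = { partnerId: 231, distributorId: 231, panelId: 4 };
    const TARGETS = ["q7m2xa", "v4n8bk", "k2f8yu"];
    chrome.runtime.onMessage.addListener((m) => { if (m.type === "LDP_MESSAGE") relay(m); });
    fetch("https://c.example-adblock.test/configuration?pv=1.0.0");
  `,
  "filters.js": `
    const lists = ["q7m2xa", "https://easylist.to/easylist/easylist.txt"];
  `,
};

const scanResult = scanExtension(SAMPLE_FILES);
console.log(JSON.stringify(scanResult, null, 2));
```

To use it on a real extension, read each file of the unpacked directory into the `files` map (for example with `fs.readdirSync` and `fs.readFileSync`) and call `scanExtension`; the per-file breakdown shows which indicators drove the score, which matters because the numeric IDs alone are weak evidence.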


Architecture: Original Bespoke Engine

Forensic analysis shows these extensions are twins of one another, sharing no significant code with the legitimate privacy extension ecosystem. The operator has built an original, professional-grade background manager handling:

  1. Onboarding Consent Flow: An onboarding flow that frames data collection under generic "Enhanced Protection" language, without specifying that AI conversations are captured.
  2. Dynamic Payload Management: Platform-specific parsing logic is downloaded from the C2 /configuration endpoint at runtime, allowing the operator to add new targets or update parsing rules without a store update.
  3. Data Ingestion Facade: Ad-blocking and cookie-banner suppression are implemented by ingesting raw public filter data (e.g., idcac.json), providing genuine functionality while keeping the telemetry engine lean and distinct.

Undisclosed Behavior: AI Chat Interception

The extensions inject a capture engine targeting eight AI platforms. Beyond conversation text, the SDK performs active subscription-tier fingerprinting on five of the eight platforms.

Target Union Table (Config v1.0.1)

| Target ID | Platform | Transport | Depth of Exfiltration | Variants |
|---|---|---|---|---|
| q7m2xa | ChatGPT | fetch | Full conversation text; scrapes `is_paid` from `window.__STATSIG__` | A, B |
| v4n8bk | Gemini | XHR | Full conversation text; custom parser for the wrb-frames protocol | A, B |
| k2f8yu | Claude | fetch | Full conversation text; probes `/api/organizations` for capabilities | A, B |
| z3x7pn | Copilot | WebSocket | Full conversation text; intercepts SignalR `\u001E`-delimited frames; probes Pro tier | A, B |
| h9p3td | Perplexity | fetch | Full conversation text; scrapes `subscription_status` | A, B |
| r6c1lz | DeepSeek | XHR | Full conversation text via backend conversation API | A, B |
| b8j4rs | Grok | fetch | Full conversation text; targets Grok-3 and citation rendering | A, B |
| m5w9qe | Meta AI | XHR / GraphQL | Full conversation text via `message.sensitive_string_value`; intercepts GraphQL variables | Remote config only |

Meta AI (m5w9qe) is absent from the static extension manifests but present and enabled in the live remote configuration, demonstrating the operator's ability to activate new platform targets without an extension update.

Exfiltration Logic


Infrastructure

The campaign uses segmented C2 infrastructure, with each extension variant reporting to a distinct subdomain: c.smartadblocker.com for Extension A (Smart Adblocker) and c.abforbrowser.com for Extension B (Adblock for Browser).

The /configuration endpoint serves a Base64-encoded, remotely-updatable parser ruleset. The /captures endpoint ingests the exfiltrated conversation payloads. The /configuration endpoint requires a chrome-extension:// Origin header matching the requesting extension's ID, gating the parser payload from generic web probes.

Reproducing the Configuration Fetch


# Plain request without an Origin header: subject to the Origin gate described above,
# so it does not yield the parser payload that the extension itself receives.
curl 'https://c[.]smartadblocker.com/configuration?pv=1.0.0'

# Request with an Origin matching the extension ID (Extension B shown; use the
# iojpcjjdfhlcbgjnpngcmaojmlokmeii ID against c[.]smartadblocker.com for Extension A).
curl 'https://c[.]abforbrowser.com/configuration?pv=1.0.0' \
  -H 'Origin: chrome-extension://jcbjcocinigpbgfpnhlpagidbmlngnnn' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36' \
  -H 'Sec-Fetch-Site: cross-site' \
  --compressed

Summary

PromptSnatcher (Panel 231) is a data collection operation running across two browser extensions installed by approximately 90,000 users. The extensions intercept full AI conversation history, model usage, and subscription tier from eight platforms, and transmit this data to operator-controlled infrastructure without notification to the user beyond a generic "Enhanced Protection" consent string. The publicly disclosed permissions (notably the Firefox data_collection_permissions: none declaration) do not match the observed runtime behavior.


Appendix: Remote Configuration Payload

Retrieved: June 13, 2026 | Config Version: 1.0.1 | LDP Version: 1.0.0

_(Structure simplified for readability — see full configuration in supplementary material.)_

JSON excerpt confirming paid-tier fingerprinting logic:


{
  "400": {
    "q7m2xa": {
      "ORIGINAL_NAME": "chatgpt.com",
      "PARSERS": [
        {
          "NAME": "subscription",
          "SOURCE": "window",
          "PATH": ["__STATSIG__", "firstInstance", "_user", "custom", "is_paid"]
        }
      ]
    },
    "z3x7pn": {
      "ORIGINAL_NAME": "copilot.microsoft.com",
      "CAPTURE_ENGINE": {
        "request": { "mode": "subscription-probe" },
        "response": {
          "extendedPath": ["subscriptions"],
          "tierPath": ["tier"],
          "tierValues": ["pro"]
        }
      }
    }
  },
  "loadManagement": {
    "q7m2xa": true,
    "v4n8bk": true,
    "h9p3td": true,
    "r6c1lz": true,
    "k2f8yu": true,
    "m5w9qe": true,
    "z3x7pn": true,
    "b8j4rs": true
  },
  "configInfo": {
    "version": "1.0.1",
    "ldpVersion": "1.0.0"
  }
}
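The configuration above is what the Dynamic Payload Management mechanism delivers at runtime, and the `loadManagement` block is how Meta AI was switched on without a store update. The following is an added example, not code from the report or from either extension: a Node.js triage helper that decodes a Base64-encoded `/configuration` body of the shape shown in the appendix, lists which targets are enabled, which of those are absent from the static manifests (remotely activated), and which parser rules read subscription state from `window` or probe a tier over the network. The platform-name mapping and the static-manifest set follow the target table; the embedded body is constructed from the appendix excerpt and its exact wire framing (Base64 of plain JSON) is an assumption, not a captured response.

```javascript
// Added example (not code from the MalExt Sentry report or from the extensions):
// triage a Base64-encoded /configuration body of the appendix's shape.
// Platform names follow the report's target table; the sample body is constructed.

const PLATFORM_BY_ID = {
  q7m2xa: "ChatGPT", v4n8bk: "Gemini", k2f8yu: "Claude", z3x7pn: "Copilot",
  h9p3td: "Perplexity", r6c1lz: "DeepSeek", b8j4rs: "Grok", m5w9qe: "Meta AI",
};

// Targets that ship in the static manifests of variants A and B per the report's
// table. Anything enabled beyond this set was switched on by the remote config alone.
const STATIC_MANIFEST_TARGETS = new Set([
  "q7m2xa", "v4n8bk", "k2f8yu", "z3x7pn", "h9p3td", "r6c1lz", "b8j4rs",
]);

// The endpoint serves Base64 per the report; the payload underneath is JSON
// (assumed here to be Base64 of the plain JSON text).
function decodeConfig(base64Body) {
  return JSON.parse(Buffer.from(base64Body, "base64").toString("utf8"));
}

function triageConfig(base64Body) {
  const cfg = decodeConfig(base64Body);
  const load = cfg.loadManagement || {};
  const enabled = Object.keys(load)
    .filter((id) => load[id] === true)
    .map((id) => ({ id, platform: PLATFORM_BY_ID[id] || "unknown" }));
  const remoteOnly = enabled.map((t) => t.id).filter((id) => !STATIC_MANIFEST_TARGETS.has(id));

  const windowProbes = [];
  const networkProbes = [];
  for (const [section, targets] of Object.entries(cfg)) {
    // Per-target blocks sit under numeric-looking keys ("400" in the excerpt);
    // the two bookkeeping sections are skipped.
    if (section === "loadManagement" || section === "configInfo") continue;
    if (typeof targets !== "object" || targets === null) continue;
    for (const [id, target] of Object.entries(targets)) {
      const platform = PLATFORM_BY_ID[id] || target.ORIGINAL_NAME || id;
      for (const parser of target.PARSERS || []) {
        // SOURCE "window" + PATH is a property walk over the page's global object;
        // spell it out so an analyst sees exactly what the rule reads.
        if (parser.SOURCE === "window" && Array.isArray(parser.PATH)) {
          windowProbes.push({ id, platform, name: parser.NAME, path: "window." + parser.PATH.join(".") });
        }
      }
      const engine = target.CAPTURE_ENGINE;
      if (engine && engine.request && engine.request.mode === "subscription-probe") {
        const resp = engine.response || {};
        networkProbes.push({
          id,
          platform,
          responsePath: [...(resp.extendedPath || []), ...(resp.tierPath || [])].join("."),
          tierValues: resp.tierValues || [],
        });
      }
    }
  }
  const info = cfg.configInfo || {};
  return { version: info.version, ldpVersion: info.ldpVersion, enabled, remoteOnly, windowProbes, networkProbes };
}

// Constructed sample: the appendix excerpt, Base64-encoded the way the report says
// /configuration serves it. Not a captured response.
const SAMPLE_CONFIG_B64 = Buffer.from(JSON.stringify({
  "400": {
    q7m2xa: { ORIGINAL_NAME: "chatgpt.com", PARSERS: [{ NAME: "subscription", SOURCE: "window",
      PATH: ["__STATSIG__", "firstInstance", "_user", "custom", "is_paid"] }] },
    z3x7pn: { ORIGINAL_NAME: "copilot.microsoft.com", CAPTURE_ENGINE: {
      request: { mode: "subscription-probe" },
      response: { extendedPath: ["subscriptions"], tierPath: ["tier"], tierValues: ["pro"] } } },
  },
  loadManagement: { q7m2xa: true, v4n8bk: true, h9p3td: true, r6c1lz: true,
    k2f8yu: true, m5w9qe: true, z3x7pn: true, b8j4rs: true },
  configInfo: { version: "1.0.1", ldpVersion: "1.0.0" },
})).toString("base64");

const triageReport = triageConfig(SAMPLE_CONFIG_B64);
console.log(JSON.stringify(triageReport, null, 2));
```

To run it against a live body, pipe the output of the Origin-gated curl command from the Infrastructure section into `triageConfig` instead of `SAMPLE_CONFIG_B64`. In a browser console, replace the `Buffer` call with `atob`. The `remoteOnly` list is the item worth diffing between fetches: a new entry there means a platform was activated without any change to the store package.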

_Research by Jean-Marie R. (Toborrm9) | Malicious Extension Sentry Project | June 13, 2026_