SearchJack: How 23 Browser Extensions Silently Monetize ~758,000 Users' Searches
Campaign Overview
| Field | Value |
|---|---|
| Campaign Name | SearchJack |
| Extensions Identified | 23 |
| Unique Publishers | 22 |
| Total Affected Users | ~758,000 |
| Brokers Identified | 8 |
| Primary Monetization | Hosted Search Affiliate (Yahoo, multi-network) |
| Date of Analysis | June 09, 2026 |
SearchJack is a campaign of 23 deceptive Chrome browser extensions that silently override users' default search engines and route queries through monetization middleware before delivering results. Each extension presents a different advertised purpose - satellite imagery, productivity tools, news readers, maps - while the actual business is search affiliate revenue. The campaign spans at least 8 distinct monetization brokers and ~758,000 affected users.
Data for this report was collected using the MalExt Sentry automated scanner. We continuously monitor browser extension stores and flag suspicious items based on specific keywords in their descriptions and metadata. For the SearchJack campaign, our scanner specifically identified extensions abusing the chrome_settings_overrides key in their manifest files to hijack user search settings.
Broker Infrastructure
The broker is identified by the hspart parameter in the final Yahoo redirect URL. The broker layer is the structural enabler of this campaign - individual extensions are disposable shells. The broker relationship, Yahoo partner account, and revenue infrastructure persist regardless of which extensions are active.
| hspart | Broker | Extensions | Est. Installs |
|---|---|---|---|
| trp | Unknown | 3 | ~160K |
| infospace | System1 (public) | 6 | ~117K |
| flowsurf | Unknown | 1 | 100K |
| adk | Unknown | 1 | 100K |
| - | Unknown | 6 | ~178K |
| becovi | Becovi Ltd, Dublin | 1 | 30K |
| imageadvan | Unknown | 1 | 10K |
| mnet | Unknown | 1 | 3K |
| fc | Unknown | 1 | 2K |
| dcola | Unknown | 1 | 490 |
Full Extension Corpus
| Extension ID | Name | Publisher | Installs | Rating | First Published | Last Updated |
|---|---|---|---|---|---|---|
| hohedjmdoemgcpgdapepfhnilbedldnm | PerfecTab Search | Kinner Lake Ltd. | 100K | 4.5 (4) | 2024-09-18 | 2024-09-18 |
| keadechokmcohlcampccppbjjeabghcd | Quick Search Tool | quicksearchtool[.]com | 100K | 5 (2) | 2021-09-29 | 2024-04-02 |
| epdmngmgidehpmhjamdjcaecpligmcfh | Better Search | Better Search | 100K | 4.3 (350) | 2024-11-07 | 2026-03-20 |
| pookachmhghnpgjhebhilcidgdphdlhi | NewTab. Search | Bonjour | 70K | 4.5 (83) | 2018-07-11 | 2024-12-18 |
| flcaigefphghbcgbmfngbfdgipdflfpn | Nautilus Search | nautilusnotesapp | 50K | - | 2025-01-31 | 2025-01-31 |
| hnfdneofpohlkoeljnmkdocokcdkjiaa | Earth | Earth | 50K | 1 (1) | 2025-03-29 | 2026-01-23 |
| bgliakflmjnofiolfmnbncdmgfnibgnj | Wanderlustar | Wanderlustar | 50K | 5 (1) | 2022-11-04 | 2024-10-28 |
| cnkcgoiimpncbonlilkekbigfhchcbgb | Template Search | Template Search | 50K | 2.3 (3) | 2023-03-28 | 2025-02-02 |
| kbobdmmjbaljcombpliahadgoafgohcd | Earth 3D | Earth 3D | 40K | 1 (2) | 2025-07-12 | 2025-07-12 |
| eeejfmalgedffijdepcdmgemfnadjefe | My Focal Find | reedd6868 | 40K | 1 (1) | 2021-07-16 | 2024-05-23 |
| mccmkaicbneobeclkbloeoopcfeipmio | Great Start | greatstartlab | 30K | - | 2024-09-18 | 2024-09-18 |
| jeookppofphgjnhjkifeejcmjbpiogka | Fresh Fruit Search | wallacenathan330 | 10K | 1 (1) | 2021-05-23 | 2024-05-28 |
| ijbmkpeacbkgpfkomjbionjgdhbmlpfp | View Menu with Prices | MenuswithPrices | 10K | - | 2026-01-29 | 2026-01-29 |
| hodgcolihbmeagfcfpdfpnapfflmpbkb | Search Toggler | - | 10K | - | 2025-05-21 | 2025-05-21 |
| cpmjnpalighpdecgankobogpcmbceaig | Easy Login | Easy Login | 10K | 2.5 (2) | 2025-07-08 | 2025-08-21 |
| akimdaijebpdfojiohhimbebkdigkccj | SearchThatWeb | searchthatweb.extension | 10K | 4.9 (31) | 2023-06-22 | 2024-05-30 |
| oikgbpcmdphfkhplgkfngjilemlolann | Freshy Search | Freshy | 10K | 3.5 (2) | 2022-01-28 | 2024-06-12 |
| efakcomgmimcekdejnoafmmbgnpdhdfm | Video Search Extension | Alice Carrol | 6K | 3.3 (3) | 2020-11-04 | 2025-10-09 |
| gmapdckphdmbafmmcfoahhgoogdjeell | Get Maps & Driving Directions | QwerPDF | 5K | 3.7 (3) | 2022-10-20 | 2025-04-23 |
| odafhekandnacimkenmaagnoemnpaakk | Search Anything | Search Anything | 3K | 3.7 (3) | 2023-05-09 | 2024-03-14 |
| jgoihmjphghpnjedflgemmhjdaogimad | Satelliten Earth | dy1[.]com | 2K | - | 2025-04-26 | 2025-05-15 |
| dllhnjhfilgcjopkgdekmdmfilpfceig | Surfer Search | surfersearchext | 2K | 4.6 (5) | 2025-04-10 | 2025-07-31 |
| ododhdcefemfdbnidbeipjpjaehadjen | Fusebase Search | Nimbus Web Inc | 490 | 4.2 (609) | 2013-12-21 | 2026-01-08 |
Search URLs & Broker Attribution
| Extension ID | Name | Search URL | hspart | hsimp |
|---|---|---|---|---|
| hohedjmdoemgcpgdapepfhnilbedldnm | PerfecTab Search | hxxps://myperfecttab[.]com/search/?q={searchTerms} | flowsurf | yhs-perfecttab2 |
| keadechokmcohlcampccppbjjeabghcd | Quick Search Tool | hxxps://query.quicksearchtool[.]com/s?query={searchTerms} | adk | yhs-adk_sbnt |
| epdmngmgidehpmhjamdjcaecpligmcfh | Better Search | hxxps://search.getbettersearch-api[.]com/search/{searchTerms} | trp | yhs-001 |
| pookachmhghnpgjhebhilcidgdphdlhi | NewTab. Search | hxxps://newtab[.]club/search?q={searchTerms} | - | - |
| flcaigefphghbcgbmfngbfdgipdflfpn | Nautilus Search | hxxps://nautilus-notes[.]com/search?q={searchTerms} | - | - |
| hnfdneofpohlkoeljnmkdocokcdkjiaa | Earth | hxxps://earthapp[.]net/admin/public/link?q={searchTerms} | infospace | yhs-earth |
| bgliakflmjnofiolfmnbncdmgfnibgnj | Wanderlustar | hxxps://wanderlustar[.]com/k?source=7023.139&kw={searchTerms} | - | - |
| cnkcgoiimpncbonlilkekbigfhchcbgb | Template Search | hxxps://services.templatesearch-svc[.]org/search/{searchTerms} | trp | yhs-001 |
| kbobdmmjbaljcombpliahadgoafgohcd | Earth 3D | hxxps://earth3d[.]net/admin/public/link?q={searchTerms} | infospace | yhs-earth |
| eeejfmalgedffijdepcdmgemfnadjefe | My Focal Find | hxxps://myfocalfind[.]com/search?q={searchTerms} | - | - |
| mccmkaicbneobeclkbloeoopcfeipmio | Great Start | hxxps://greatstartapp[.]com/serp.php?v=1.0.1&id=mccmkaicbneobeclkbloeoopcfeipmio&q={searchTerms} | becovi | yhs-greatstart |
| jeookppofphgjnhjkifeejcmjbpiogka | Fresh Fruit Search | hxxps://freshfruittab[.]com/search?q={searchTerms} | - | - |
| ijbmkpeacbkgpfkomjbionjgdhbmlpfp | View Menu with Prices | hxxps://viewmenuprices[.]com/auto-suggest/search.php?q={searchTerms} | infospace | yhs-mm_viewmenu |
| hodgcolihbmeagfcfpdfpnapfflmpbkb | Search Toggler | hxxps://searchtoggler[.]com/ext/search?src=default&q={searchTerms} | imageadvan | yhs-imageadvan_toggler |
| cpmjnpalighpdecgankobogpcmbceaig | Easy Login | hxxps://loginonlineapp[.]com/admin/public/link?q={searchTerms} | infospace | yhs-mm_easylogin |
| akimdaijebpdfojiohhimbebkdigkccj | SearchThatWeb | hxxps://seek.searchthatweb[.]com?PCSF=true&q={searchTerms} | - | - |
| oikgbpcmdphfkhplgkfngjilemlolann | Freshy Search | hxxps://search.freshysearch-api[.]net/search/{searchTerms} | trp | yhs-001 |
| efakcomgmimcekdejnoafmmbgnpdhdfm | Video Search Extension | hxxps://myvideolibrary[.]info/search.php?q={searchTerms} | - | - |
| gmapdckphdmbafmmcfoahhgoogdjeell | Get Maps & Driving Directions | hxxps://bestfreemaps[.]com/search-direction.php?q={searchTerms} | infospace | yhs-bestfreemaps |
| odafhekandnacimkenmaagnoemnpaakk | Search Anything | hxxps://searchanything[.]co/search.html?q={searchTerms}&acTypeId=1 | mnet | yhs-001 |
| jgoihmjphghpnjedflgemmhjdaogimad | Satelliten Earth | hxxps://bestfreemaps[.]com/search-earth-de.php?q={searchTerms} | infospace | yhs-bestfreemaps |
| dllhnjhfilgcjopkgdekmdmfilpfceig | Surfer Search | hxxps://oasrchrdr[.]com?dgd=RD1005461&PCSF=true&q={searchTerms} | fc | yhs-5956 |
| ododhdcefemfdbnidbeipjpjaehadjen | Fusebase Search | hxxps://s.fusebase-search[.]com/search?q={searchTerms} | dcola | yhs-200 |
Notable Extensions
Nautilus Search - Affirmative False Privacy Claims
The store description states: "We don't track your searches, collect your personal information, or store any user data." The governing privacy policy (Kinner Lake Ltd.) explicitly discloses collection of IP addresses, search queries, and technical identifiers. These two statements cannot both be true. This is not a disclosure omission - it is an affirmative false claim in the store listing, potentially actionable under GDPR and FTC frameworks.
Search Toggler - Runtime Obfuscation
Unlike other extensions in this corpus, Search Toggler implements a genuine search engine switching UI. However, all queries are routed through searchtoggler[.]com/ext/search regardless of which engine the user selects - the operator middleware is always present in the chain. The routing logic is injected at runtime via chrome.declarativeNetRequest.updateDynamicRules() in background.js and is not present in the static extension package. The static redirect-rules.json contains only a rule matching srcorg=orgdefaulttest → google[.]com, which would only trigger in a controlled test environment. The real behavior is invisible to static analysis. Additionally, three disconnected corporate identities are associated with this extension: searchtoggler[.]com (extension domain), VPP Technologies LLC (privacy policy entity), and worthathousandwords[.]com (contact email domain).
Fusebase Search - Anomalous Review Ratio
Published by Nimbus Web Inc (legitimate company, FuseBase / Nimbus Screenshot), this extension shows 609 reviews against 490 current installs - a ratio of 1.24 that is not achievable organically. This suggests review manipulation, a CWS-triggered install count reset, or extension repurposing following a policy violation. The combination of a legitimate publisher identity and search monetization behavior warrants direct outreach to Nimbus Web Inc to confirm whether this extension remains under their control.
Earth 3D - Anonymous Publisher, Fictional Corporate Identity
Published under edgarlife1980[@]gmail[.]com. The privacy policy names "Mutual Media DBA Innosoft Group, Houston TX" - an entity with no verifiable connection to the publisher account. System1/infospace profits from this traffic while publisher accountability is effectively zero.
Campaign Patterns
Shell pattern - The majority of extensions are manifest-only wrappers: chrome_settings_overrides with is_default: true, no permissions, no background script, no content scripts. Same skeleton across multiple extensions, different domain and icon.
Trojan horse pattern - A subset invests in a superficial advertised feature (satellite imagery, maps, video library) to justify installation. The feature may be partially implemented to pass store review but is not the business purpose.
Admin path pattern - System1-affiliated extensions consistently route through /admin/public/link endpoints: earth3d[.]net, earthapp[.]net, loginonlineapp[.]com. Shared backend infrastructure template across the infospace broker network.
Publisher anonymization - Brokers do not brand their extensions. The only place operator identity surfaces is the hspart parameter in the Yahoo redirect URL - invisible to ordinary users.
Summary
SearchJack is a structured campaign of 23 deceptive Chrome browser extensions silently routing approximately ~758,000 users' search queries through operator-controlled monetization middleware. The campaign spans at least 8 distinct affiliate brokers and 22 publishers across multiple jurisdictions. The common enabling infrastructure - Yahoo Hosted Search and equivalent affiliate programs - imposes insufficient publisher vetting, allowing anonymous operators to monetize user search behavior at scale. Individual extension removal is insufficient; enforcement action at the broker level is required to disrupt the underlying monetization infrastructure.
Threat Impact
Why does this matter? While this might look like simple adware, it is a real security risk. First, it is a massive privacy violation: every search a user makes is sent to anonymous third-party brokers. Second, because the operators control the web traffic, they can easily switch from showing regular search results to injecting phishing links or malicious downloads at any time—all without ever updating the extension code itself.
*Research by Jean-Marie R. (Toborrm9) | Malicious Extension Sentry Project | June 09, 2026*