# [HIGH] 152 Chrome Wallpaper Extensions with 105K Installs Linked to Adware and Fake Traffic **Source:** The Hacker News **Published:** 2026-06-15 **Article:** https://thehackernews.com/2026/06/152-chrome-wallpaper-extensions-with.html ## Threat Profile 152 Chrome Wallpaper Extensions with 105K Installs Linked to Adware and Fake Traffic  Ravie Lakshmanan  Jun 15, 2026 Browser Security / Privacy Cybersecurity researchers have discovered a network of 152 Google Chrome extensions that act as new tab live wallpaper add-ons to distribute a potentially unwanted program (PUP) family. The cluster spans 38 separate Chrome Web Store publisher accounts and three brand backends: tabplugins[.]com, yowgames[.]com, and chromewallpaper[.]com. They have bee… ## Indicators of Compromise (high-fidelity only) - **IPv4 (defanged):** `147.79.120.202` - **IPv4 (defanged):** `92.112.198.22` - **Domain (defanged):** `tabplugins.com` - **Domain (defanged):** `yowgames.com` - **Domain (defanged):** `chromewallpaper.com` - **Domain (defanged):** `owhit.com` - **Domain (defanged):** `avads.live` ## MITRE ATT&CK Techniques - **T1176** — Browser Extensions - **T1539** — Steal Web Session Cookie - **T1555.003** — Credentials from Web Browsers - **T1071** — Application Layer Protocol ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Suspicious browser extension installation `UC_BROWSER_EXT` · phase: **install** · confidence: **Medium** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Registry where (Registry.registry_path="*\Software\Google\Chrome\Extensions\*" OR Registry.registry_path="*\Software\Microsoft\Edge\Extensions\*" OR Registry.registry_path="*\Software\Mozilla\Firefox\Extensions\*") by Registry.dest, Registry.registry_path, Registry.registry_value_data, Registry.registry_value_name, Registry.user | `drop_dm_object_name(Registry)` ``` **Defender KQL:** ```kql DeviceRegistryEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where RegistryKey has_any ("\Software\Google\Chrome\Extensions\","\Software\Microsoft\Edge\Extensions\","\Software\Mozilla\Firefox\Extensions\") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessAccountName ``` ### Infostealer — non-browser process accessing browser cookie/login DBs `UC_BROWSER_STEALER` · phase: **actions** · confidence: **High** **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where (Filesystem.file_path="*\Google\Chrome\User Data\*\Login Data*" OR Filesystem.file_path="*\Google\Chrome\User Data\*\Cookies*" OR Filesystem.file_path="*\Microsoft\Edge\User Data\*\Login Data*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\logins.json*" OR Filesystem.file_path="*\Mozilla\Firefox\Profiles\*\cookies.sqlite*") AND NOT Filesystem.process_name IN ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") by Filesystem.dest, Filesystem.process_name, Filesystem.file_path, Filesystem.user | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql DeviceFileEvents | where Timestamp > ago(7d) | where InitiatingProcessAccountName !endswith "$" | where FolderPath has_any (@"\Google\Chrome\User Data\", @"\Microsoft\Edge\User Data\", @"\Mozilla\Firefox\Profiles\") | where FileName in~ ("Login Data","Cookies","logins.json","cookies.sqlite") | where InitiatingProcessFileName !in~ ("chrome.exe","msedge.exe","firefox.exe","brave.exe","opera.exe") | project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, FolderPath, FileName, ActionType ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Network connections to article IPs / domains** ([template](../_TEMPLATES.md#network-ioc)) — phase: **c2**, confidence: **High** - IP / domain IOC(s): `147.79.120.202`, `92.112.198.22`, `tabplugins.com`, `yowgames.com`, `chromewallpaper.com`, `owhit.com`, `avads.live` ## Why this matters Severity classified as **HIGH** based on: IOCs present, 3 use case(s) fired, 4 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.