According to SecuritySnacks, a Chrome extension impersonating Google's Authenticator has been identified as part of an ongoing malicious campaign active since at least early 2026, with the AiFrame infrastructure linked to multiple extensions under the whitelab[.]studio umbrella. The campaign involves five or more extensions sharing a developer front, using dormant or over-privileged permissions and hidden iframes to inject attacker-controlled content and communicate with C2 servers.
The AiFrame operation reportedly compromised over 260,000 users from 2025 to the present, and newer extensions take steps to bypass detection while targeting security-conscious individuals who may hand over 2FA credentials. Among the highlighted extensions is Whitelab’s AI Chat to PDF, described as malware in disguise that posts telemetry to a C2 and acts as a remote control/storage proxy, with a 241KB content script injected into every page.
The report notes links to domains such as appbox[.]space and authenticator.whitelab[.]studio, and references earlier LayerX and Koi Research analyses describing similar campaigns and tactics.
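
For defenders reviewing installed extensions, the traits described above (a large content script injected into every page, broad or dormant permissions) can be triaged from each extension's manifest. The following is an added example, not code from SecuritySnacks or from the campaign; the 200 KB threshold, the permission shortlist, the reading of optional permissions as "dormant", and the sample manifest are assumptions.

```python
# Added example: triage of one Chrome extension manifest (Manifest V3 keys).
# Thresholds, the permission shortlist and the sample data are assumptions.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMS = {"scripting", "tabs", "webRequest", "cookies", "debugger", "management"}
LARGE_SCRIPT_BYTES = 200 * 1024  # assumed cut-off for an unusually large content script

def audit_manifest(manifest, script_sizes):
    """Return (code, detail) findings; script_sizes maps js path -> size in bytes."""
    findings = []
    for cs in manifest.get("content_scripts", []):
        if not BROAD_MATCHES & set(cs.get("matches", [])):
            continue  # script is scoped to specific sites, not every page
        for js in cs.get("js", []):
            findings.append(("content-script-all-pages", js))
            size = script_sizes.get(js, 0)
            if size >= LARGE_SCRIPT_BYTES:
                findings.append(("large-script-all-pages", f"{js} ({size} bytes)"))
    # Optional keys are treated here as "dormant": grantable later without a new install.
    for key in ("host_permissions", "optional_host_permissions"):
        broad = sorted(BROAD_MATCHES & set(manifest.get(key, [])))
        if broad:
            findings.append((f"broad-{key}", ", ".join(broad)))
    for key in ("permissions", "optional_permissions"):
        hits = sorted(SENSITIVE_PERMS & set(manifest.get(key, [])))
        if hits:
            findings.append((f"sensitive-{key}", ", ".join(hits)))
    return findings

# Constructed sample, shaped after the traits the report describes.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Example PDF helper (constructed)",
    "permissions": ["storage", "scripting", "tabs"],
    "optional_host_permissions": ["<all_urls>"],
    "content_scripts": [
        {"matches": ["<all_urls>"], "js": ["content.js"], "all_frames": True}
    ],
}
SAMPLE_SIZES = {"content.js": 241 * 1024}  # mirrors the 241KB figure in the report

if __name__ == "__main__":
    for code, detail in audit_manifest(SAMPLE_MANIFEST, SAMPLE_SIZES):
        print(f"{code}: {detail}")
```

Findings are triage signals rather than verdicts, since many legitimate extensions also request broad access.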