MalExt Sentry reported a Chrome extension campaign called SearchJack that quietly changes users’ default search engine and sends searches through monetization middleware before showing results. The analysis, dated June 9, 2026, identified 23 extensions, about 758,000 affected users, 22 publishers, and at least 8 search monetization brokers.
This is a search hijacker rather than a loud pop-up infection. A user installs an extension that claims to offer maps, satellite imagery, productivity tools, menus, video search, or a cleaner new tab. The extension then uses Chrome’s built-in chrome_settings_overrides manifest key to make its own search URL the default.
Why It Matters
The visible symptom may be small: searches no longer go straight to the engine the user expected. The security issue is larger because each search query can pass through an extension operator, a broker, and an affiliate search path before the final results page appears.
MalExt said the broker layer is visible through the hspart parameter in the final Yahoo Hosted Search redirect. That means the extension name is not the only useful clue. Individual extensions can disappear or be replaced, while the same broker relationship and revenue path keep working through new shells.
This overlaps with classic browser hijacker behavior described in the Potentially Unwanted Programs guide and the adware basics page: the app may look useful, but its real value is changing browser behavior and monetizing the user’s traffic.
Extension Names to Check
The full list in the MalExt report includes extensions such as PerfecTab Search, Quick Search Tool, Better Search, NewTab. Search, Nautilus Search, Earth, Wanderlustar, Template Search, Earth 3D, My Focal Find, Great Start, Fresh Fruit Search, View Menu with Prices, Search Toggler, Easy Login, SearchThatWeb, Freshy Search, Video Search Extension, Get Maps & Driving Directions, Search Anything, Satelliten Earth, Surfer Search, and Fusebase Search.
Examples of associated search or redirect domains include myperfecttab[.]com, query.quicksearchtool[.]com, search.getbettersearch-api[.]com, nautilus-notes[.]com, earthapp[.]net, earth3d[.]net, searchtoggler[.]com, bestfreemaps[.]com, and s.fusebase-search[.]com.
Do not treat this as a complete blocklist. Search-hijacking extensions can rotate names quickly. A better practical check is whether a browser extension changed your default search provider, new tab page, or search URL without a clear reason.
The More Subtle Tricks
MalExt noted that many of the extensions are simple wrappers: a manifest file, a search override, and little else. Others provide a superficial feature so the extension looks normal enough to install and keep.
One example, Nautilus Search, allegedly claimed in its store description that it did not track searches or collect personal information, while the privacy policy disclosed collection of IP addresses, search queries, and technical identifiers. Another, Search Toggler, appeared to provide a search switching interface but still routed queries through its own middleware.
That distinction matters for cleanup. A search hijacker does not need to show constant pop-ups to be risky. If it can route search traffic today, it may be able to put sponsored results, unwanted offers, or unsafe downloads in front of users tomorrow without asking for a new extension permission.
What to Do If Your Search Changed
Open Chrome’s extension page at Settings > Extensions or visit chrome://extensions/. Remove any extension you do not recognize, especially tools that promise generic maps, coupons, menu lookups, tab search, video search, or “better” search results but are not something you deliberately use.
Then reset the search provider. In Chrome, go to Settings > Search engine > Manage search engines and site search. Remove unknown site-search entries and set the default back to the provider you intended to use. Also check On startup and Appearance if the new tab or home button changed.
If the same browser also opens unwanted tabs, shows fake alerts, or keeps asking for notification permission, use the pop-up ads and browser notifications guide. If the installed extension came from a deceptive ad or fake download page, compare it with the recent Chrome wallpaper extension adware campaign, which also used useful-looking browser add-ons to monetize traffic.
Quick Check
Search your browser extension list for names you do not use every day. If an extension controls search, new tab, or site search settings, it should have an obvious reason to do that. If the only thing it seems to do is redirect searches through a branded domain, remove it and reset the browser’s search settings.
Reference
