BotBeat

Microsoft · RESEARCH · 2026-03-05

Typosquatted 'Microsoft Clairty' Domain Distributes Ad Fraud Malware via Browser Extension

Key Takeaways

  • A malicious browser extension is injecting ad fraud scripts from msclairty[.]com, a typosquatted domain impersonating the Microsoft Clarity analytics service
  • The malware deletes tracking cookies, performs affiliate cookie stuffing, and hijacks browser APIs to redirect referral revenue to attackers
  • The campaign exclusively targets Chrome users on Windows 10 desktop systems and has been active since March 2, 2026, with daily rotating campaign identifiers

Source: Hacker News, https://cside.com/blog/microsoft-clairty-isnt-microsoft-clarity-deobfuscating-a-typosquatted-ad-fraud-script

Summary

Security researchers at cside have discovered a sophisticated ad fraud campaign using the typosquatted domain msclairty[.]com to impersonate Microsoft's legitimate Clarity analytics service. The malicious domain, which transposes the letters 'i' and 'r' in 'clarity,' is being used to distribute obfuscated JavaScript payloads through an unidentified Chrome browser extension. The campaign was first detected on March 2, 2026, and has been observed across multiple unrelated websites spanning transportation, SaaS, sports management, and government sectors.
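
A transposition like the one described above is easy to catch on the defender's side if observed script hosts (from CSP reports or client-side monitoring) are compared against the vendors a site intentionally loads. The following is an added example, not code from the cside research; the allowlist, keyword list, function names and the sample URL paths are assumptions made for illustration.

```javascript
// Added example, not from the cside write-up. ALLOWED_HOSTS and BRAND_KEYWORDS
// are assumptions; replace them with the vendors your site actually loads.
const ALLOWED_HOSTS = new Set(["www.clarity.ms", "www.googletagmanager.com"]);
const BRAND_KEYWORDS = ["clarity", "googletagmanager"];

// Optimal string alignment distance: insert, delete, substitute, or swap two adjacent characters.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1])
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
    }
  }
  return d[a.length][b.length];
}

// Smallest distance between the keyword and any same-length window of a host label.
function nearestWindow(label, keyword) {
  let best = Infinity;
  for (let s = 0; s + keyword.length <= label.length; s++) {
    best = Math.min(best, osaDistance(label.slice(s, s + keyword.length), keyword));
  }
  return best;
}

// Returns non-allowlisted hosts whose labels nearly spell a trusted vendor name.
// Accepts defanged input ("[.]") and reports hosts defanged as well.
function findLookalikes(scriptUrls, maxDistance = 1) {
  const hits = [];
  for (const raw of scriptUrls) {
    const host = new URL(raw.replace(/\[\.\]/g, ".")).hostname.toLowerCase();
    if (ALLOWED_HOSTS.has(host)) continue;
    for (const label of host.split(".")) {
      for (const kw of BRAND_KEYWORDS) {
        const dist = nearestWindow(label, kw);
        if (dist <= maxDistance) hits.push({ host: host.replace(/\./g, "[.]"), keyword: kw, distance: dist });
      }
    }
  }
  return hits;
}

// Constructed sample: the paths are placeholders, only the hostnames matter.
const SAMPLE = ["https://www.clarity.ms/tag/EXAMPLE", "https://msclairty[.]com/tag/EXAMPLE"];
console.log(findLookalikes(SAMPLE));
```

The sliding window is what lets the check see past the added "ms" prefix; a plain whole-label comparison against "clarity" would score the typosquat as three edits away and miss it.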

The malicious script performs several harmful actions once injected into visitors' browsers, including deleting Google Analytics cookies, stuffing affiliate cookies with the value 'pub=twsc' to hijack referral revenue, injecting hidden iframes to discounthero[.]org, and hijacking the Fetch API. Notably, no security tools currently flag this domain as malicious, making it particularly dangerous. The attack follows a two-stage loading pattern with daily rotating campaign identifiers, indicating active maintenance and sophisticated infrastructure.

Researchers identified the malware exclusively targeting Chrome users on Windows 10 x64 desktop systems, with no infections observed on Firefox, Safari, Edge, or mobile platforms. All affected traffic originated from US-based residential IP addresses on the East and West coasts. The campaign uses identical obfuscated payloads across all affected sites, with the common denominator being the end user's browser rather than compromised website code. This represents the first public documentation of the msclairty[.]com threat, which appears designed to redirect affiliate marketing revenue to malicious actors while evading detection through clever domain typosquatting.

  • No security tools currently detect this domain as malicious, and the specific browser extension responsible has not yet been identified
  • Affected sites span multiple industries including government payment portals, with all traffic originating from US residential IP addresses