Typosquatted 'Microsoft Clairty' Domain Distributes Ad Fraud Malware via Browser Extension
Key Takeaways
- A malicious browser extension is injecting ad fraud scripts from msclairty[.]com, a typosquatted domain impersonating the Microsoft Clarity analytics service
- The malware deletes tracking cookies, performs affiliate cookie stuffing, and hijacks browser APIs to redirect referral revenue to attackers
- The campaign exclusively targets Chrome users on Windows 10 desktop systems and has been active since March 2, 2026, with daily rotating campaign identifiers
Summary
Security researchers at cside have discovered a sophisticated ad fraud campaign using the typosquatted domain msclairty[.]com to impersonate Microsoft's legitimate Clarity analytics service. The malicious domain, which transposes the letters 'i' and 'r' in 'clarity,' is being used to distribute obfuscated JavaScript payloads through an unidentified Chrome browser extension. The campaign was first detected on March 2, 2026, and has been observed across multiple unrelated websites spanning transportation, SaaS, sports management, and government sectors.
The malicious script performs several harmful actions once injected into visitors' browsers, including deleting Google Analytics cookies, stuffing affiliate cookies with the value 'pub=twsc' to hijack referral revenue, injecting hidden iframes pointing to discounthero[.]org, and hijacking the Fetch API. Notably, no security tools currently flag this domain as malicious, making it particularly dangerous. The attack follows a two-stage loading pattern with daily rotating campaign identifiers, indicating active maintenance and sophisticated infrastructure.
Researchers identified the malware exclusively targeting Chrome users on Windows 10 x64 desktop systems, with no infections observed on Firefox, Safari, Edge, or mobile platforms. All affected traffic originated from US-based residential IP addresses on the East and West coasts. The campaign uses identical obfuscated payloads across all affected sites, with the common denominator being the end user's browser rather than compromised website code. This represents the first public documentation of the msclairty[.]com threat, which appears designed to redirect affiliate marketing revenue to malicious actors while evading detection through clever domain typosquatting.
- No security tools currently detect this domain as malicious, and the specific browser extension responsible has not yet been identified
- Affected sites span multiple industries including government payment portals, with all traffic originating from US residential IP addresses
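
Because no security tool flags the domain yet, a site operator can screen the script hosts seen in page loads for near-misses of a protected brand name, such as the 'i'/'r' transposition described in the summary. The following is an added example, not code from cside or the article; the brand token list, the allowlisted host and every sample host except msclairty[.]com are assumptions constructed for illustration.

```python
# Assumptions (not from the article): brand tokens to protect and the hosts
# that legitimately serve them.
BRAND_TOKENS = ("clarity",)
ALLOWED_HOSTS = ("clarity.ms",)

# Constructed sample of script hosts seen in page loads. Only the first entry
# comes from the article; the others are made up for contrast.
OBSERVED = ["msclairty[.]com", "www.clarity.ms", "cdn.example.org",
            "clarify-metrics.example"]

def refang(host):
    """Normalise a possibly defanged hostname such as 'example[.]com'."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def one_slip(window, token):
    """Classify an equal-length window that is exactly one slip from token."""
    diffs = [i for i, (a, b) in enumerate(zip(window, token)) if a != b]
    if len(diffs) == 1:
        return "substitution"
    if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
        i, j = diffs
        if window[i] == token[j] and window[j] == token[i]:
            return "transposition"
    return None

def check_host(host):
    """Return (token, lookalike, kind) for a suspicious host, else None."""
    host = refang(host)
    if any(host == ok or host.endswith("." + ok) for ok in ALLOWED_HOSTS):
        return None
    for label in host.split("."):
        for token in BRAND_TOKENS:
            # Slide a token-sized window so prefixes like "ms" do not hide it.
            for start in range(len(label) - len(token) + 1):
                window = label[start:start + len(token)]
                kind = one_slip(window, token)
                if kind:
                    return (token, window, kind)
    return None

def scan(hosts):
    """Map each flagged host, as given, to its finding."""
    return {h: f for h in hosts if (f := check_host(h))}

if __name__ == "__main__":
    for host, (token, seen, kind) in scan(OBSERVED).items():
        print(f"{host}: '{seen}' is a {kind} of '{token}'")
```

Substitution hits such as the constructed 'clarify' host can be ordinary words, so they need triage before any blocking decision; transposition hits are the stronger signal.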



