Long-running ‘ShadyPanda’ campaign amassed more than 4.3 million browser extension installs, researchers say

Security researchers say a long-running campaign known as ShadyPanda installed more than 4.3 million seemingly legitimate Chrome and Microsoft Edge browser extensions that later evolved into spyware and other malicious functionality. The operation, comprising 145 malicious extensions (20 for Chrome and 125 for Edge), was identified by Koi Security. Google has removed the extensions it hosted, though researchers report several remain available on the Microsoft Edge Add-ons platform.

The campaign’s activity began with submissions as early as 2018, but the first signs of malicious behavior appeared in 2023, when some extensions posing as wallpaper and productivity tools engaged in affiliate fraud by injecting tracking codes for eBay, Booking.com and Amazon into legitimate links. In early 2024 a component called Infinity V+ began search-hijacking activity, redirecting queries to trovi[.]com and exfiltrating cookies and search queries to other domains identified by the researchers.

In 2024 several extensions were updated to include a backdoor that enabled remote code execution inside the browser. Koi Security reported that each infected browser runs a remote code execution framework that periodically checks api.extensionplay[.]com for instructions, downloads arbitrary JavaScript and executes it with full browser API access, making the payload a general-purpose backdoor rather than malware with a fixed function. Koi Security published technical details and a list of related extension IDs.

The backdoor set was also observed exfiltrating browsing URLs, fingerprinting data and persistent identifiers to api[.]cleanmasters[.]store using AES encryption. One Clean Master extension on the Chrome Web Store had about 200,000 installs when detected as malicious, and researchers said extensions carrying the same payload reached roughly 300,000 installs in total.

The fourth phase of activity centers on five Microsoft Edge extensions published in 2023 by an entity named Starlab Technology that researchers say have accumulated about 4 million installs. Koi Security reported the spyware component collects browsing history, search queries and keystrokes, mouse clicks with coordinates, fingerprint data, and local and session storage including cookies, and that data is sent to 17 domains the researchers associate with China. The researchers noted the Edge extensions have permissions sufficient to receive a similar backdoor via an update, although they have not observed that more intrusive behavior to date.

Users are advised to remove suspicious extensions and to reset account passwords if they may have been exposed.
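The reporting above describes two things a defender can check for on an endpoint: an extension whose declared permissions are broad enough to read every page, cookies and storage (the capability set the described spyware used, and enough for an update to ship a remote-code backdoor), and extension source that references the command-and-control or exfiltration domains named in the article. The script below is an added example, not Koi Security's tooling or anything from the campaign: it walks a Chrome/Edge profile's `Extensions/<id>/<version>/manifest.json` layout, scores each extension on those two signals, and matches shipped JavaScript against the three domains the article names (defanged there, normalised here). The sample profile it builds, including its extension IDs and file contents, is constructed for the demonstration.

```python
"""Audit locally installed Chromium-family (Chrome/Edge) extensions for the
ShadyPanda risk signals: broad host access combined with cookie/page-script
APIs, and source that references the article's C2/exfiltration domains.
Illustrative defender-side example; not the researchers' own code."""
import json
import re
import tempfile
from pathlib import Path

# Domains named in the article (written defanged there; normalised for matching).
IOC_DOMAINS = {"trovi.com", "api.extensionplay.com", "api.cleanmasters.store"}

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that, with broad host access, cover what the reported spyware
# collected: cookies, storage, history, page content and navigation.
SENSITIVE_APIS = {"cookies", "history", "tabs", "webRequest",
                  "webNavigation", "scripting", "storage"}

DOMAIN_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def audit_extension(ext_dir: Path) -> dict:
    """Return risk findings for one unpacked extension directory."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    broad_hosts = sorted(declared & BROAD_HOSTS)
    sensitive = sorted(declared & SENSITIVE_APIS)

    # Collect any domain literal in shipped JS/HTML that matches the article's IoCs.
    iocs = set()
    for src in list(ext_dir.rglob("*.js")) + list(ext_dir.rglob("*.html")):
        text = src.read_text(encoding="utf-8", errors="ignore")
        iocs.update(d.lower() for d in DOMAIN_RE.findall(text) if d.lower() in IOC_DOMAINS)

    flags = []
    if iocs:
        flags.append("references known ShadyPanda domain")
    if broad_hosts and {"cookies", "scripting", "webRequest"} & set(sensitive):
        flags.append("broad host access plus cookie/page-script APIs")
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "broad_hosts": broad_hosts, "sensitive_apis": sensitive,
            "iocs": sorted(iocs), "flags": flags}


def audit_profile(profile_dir: Path) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/ as Chrome and Edge lay it out."""
    results = []
    for manifest in (profile_dir / "Extensions").glob("*/*/manifest.json"):
        finding = audit_extension(manifest.parent)
        finding["id"] = manifest.parent.parent.name  # the 32-char extension ID directory
        results.append(finding)
    return results


def build_sample_profile(root: Path) -> Path:
    """Construct a throwaway profile with one suspicious and one benign extension.
    Sample data made up for this example; the IDs are placeholders, not real ones."""
    sus = root / "Extensions" / ("a" * 32) / "1.0_0"
    sus.mkdir(parents=True)
    (sus / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Wallpaper Plus", "version": "1.0",
        "permissions": ["cookies", "scripting", "storage", "tabs"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"}}), encoding="utf-8")
    # Constructed source that merely names the article's C2 domain.
    (sus / "bg.js").write_text('const CFG = "https://api.extensionplay.com/cfg";\n',
                               encoding="utf-8")
    benign = root / "Extensions" / ("b" * 32) / "2.1_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Notes", "version": "2.1",
        "permissions": ["storage"]}), encoding="utf-8")
    (benign / "bg.js").write_text('chrome.storage.local.get("notes");\n', encoding="utf-8")
    return root


def run_sample_audit() -> dict:
    """Build the constructed profile, audit it, and return findings keyed by name."""
    with tempfile.TemporaryDirectory() as tmp:
        return {r["name"]: r for r in audit_profile(build_sample_profile(Path(tmp)))}


if __name__ == "__main__":
    for name, r in run_sample_audit().items():
        print(f"{r['id']}  {name:15s}  {r['flags'] or 'no findings'}  {r['iocs']}")
```

To run it against a real profile, point `audit_profile` at the browser's profile directory (for example `Default` under Chrome's or Edge's user-data folder) instead of the constructed one. Treat a permission-set hit as a prompt for review rather than proof of compromise: many legitimate extensions need broad host access, whereas a match on one of the article's domains warrants removal and a password reset as the article advises.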