

Ethical Hacking News

A Massive Malicious Browser Extension Operation: Unpacking the ShadyPanda Campaign



In a disturbing discovery, Koi Security has found that a malicious operation known as "ShadyPanda" has been amassing over 4.3 million installations on Chrome and Edge platforms. This campaign involves the gradual introduction of additional malicious functionality to initially legitimate browser extension tools, resulting in significant financial gains for the attackers through affiliate fraud and other means.

  • The ShadyPanda campaign is a sophisticated and far-reaching malicious operation that has been discovered by Koi Security, with over 4.3 million installations on Chrome and Edge platforms.
  • The campaign consists of 145 malicious extensions, including 20 Chrome and 125 Edge extensions, that have posed as legitimate browser extension tools to engage in affiliate fraud and other malicious activities.
  • The first signs of malicious activity were observed in 2023, with the initial submissions dating back to 2018.
  • Five extensions from the set, including three uploaded in 2018 and 2019, were modified to include a "backdoor" that enabled remote code execution and exfiltration of user data.
  • The ShadyPanda campaign highlights the importance of staying vigilant when installing browser extensions and regularly monitoring online activity for signs of malicious behavior.



    ShadyPanda, a sophisticated and far-reaching malicious operation, has been discovered by Koi Security, with its browser extensions amassing over 4.3 million installations on Chrome and Edge platforms. This campaign, which unfolded in distinct phases, gradually introduced additional malicious functionality to the initially legitimate browser extension tools.

    The ShadyPanda campaign consists of 145 malicious extensions, comprising 20 Chrome and 125 Edge extensions, published over the years. While Google has removed these malicious extensions from the Web Store, Koi Security reports that they remain active on the Microsoft Edge Add-ons platform, with one extension listed as having 3 million installs.

    The initial submissions of ShadyPanda extensions occurred in 2018, but it was not until 2023 that the first signs of malicious activity were observed. Initially, these extensions posed as wallpaper and productivity tools, engaging in affiliate fraud by injecting tracking codes from eBay, Booking.com, and Amazon into legitimate links to generate revenue from users' purchases.

    In early 2024, an extension called Infinity V+ began performing search hijacking, indicating that the ShadyPanda operators were becoming increasingly bold. This extension redirected search queries to trovi[.]com, exfiltrated users' cookies to dergoodting[.]com, and exfiltrated users' search queries to gotocdn subdomains.

    In 2024, five extensions from the set, including three uploaded in 2018 and 2019, which had gained a good reputation in the meantime, were modified to include a "backdoor" delivered via an update. This enabled them to perform remote code execution, marking a significant escalation of their malicious capabilities.

    "The backdoor isn't malware with a fixed function," explains Koi Security about the functionality. "It's a backdoor." The RCE function also exfiltrates browsing URLs, fingerprinting information, and persistent identifiers to api[.]cleanmasters[.]store, using AES encryption.
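By this point the reporting has named the domains involved in the search hijacking, cookie theft and backdoor phases (trovi[.]com, dergoodting[.]com, the gotocdn subdomains and api[.]cleanmasters[.]store). The following is an added detection example, not code from Koi Security or BleepingComputer: it refangs those indicators and runs them over a constructed proxy log to find which clients have talked to them. The log format (`<timestamp> <client> <method> <url> <status>`) is an assumption made for the example, and because the article gives "gotocdn" without a top-level domain, that indicator is matched as a DNS label rather than as a full domain.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Indicators named in the reporting, refanged for matching.
IOC_DOMAINS = {"trovi.com", "dergoodting.com", "api.cleanmasters.store"}
# The reporting says only "gotocdn subdomains" and gives no TLD, so "gotocdn"
# is matched as a hostname label (an assumption made for this example).
IOC_LABELS = {"gotocdn"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'trovi[.]com' into 'trovi.com'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_matches(host: str) -> Optional[str]:
    """Return the indicator a hostname matches, or None.

    A host matches when it equals an IOC domain, is a subdomain of one, or
    carries an IOC label as a whole DNS label (so 'notgotocdn.example' does
    not match but 'cdn3.gotocdn.example' does)."""
    host = host.lower().rstrip(".")
    for dom in IOC_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    labels = set(host.split("."))
    for label in IOC_LABELS:
        if label in labels:
            return label
    return None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Scan proxy log lines of the form '<ts> <client> <method> <url> <status>'
    (a constructed format for this example) and return one hit per request
    whose host matches an indicator."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip blank or malformed lines
        ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname or ""
        indicator = host_matches(host)
        if indicator:
            hits.append({"ts": ts, "client": client, "host": host, "indicator": indicator})
    return hits


def clients_to_review(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses with at least one hit: the machines whose
    extensions should be inventoried and whose users should rotate passwords,
    per the advice in the reporting."""
    return sorted({h["client"] for h in hits})


# Constructed sample log: none of these requests are real observations.
SAMPLE_LOG = """\
2025-12-01T09:00:01Z 10.0.0.12 GET https://www.example.com/ 200
2025-12-01T09:00:04Z 10.0.0.12 GET https://www.trovi.com/?q=invoice+template 302
2025-12-01T09:00:05Z 10.0.0.12 POST https://dergoodting.com/collect 200
2025-12-01T09:00:09Z 10.0.0.37 POST https://api.cleanmasters.store/v1/report 200
2025-12-01T09:00:11Z 10.0.0.37 GET https://cdn3.gotocdn.example/s?q=tax+refund 200
2025-12-01T09:00:15Z 10.0.0.51 GET https://notgotocdn.example/ 200
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} (matches {hit['indicator']})")
    print("clients to review:", clients_to_review(scan_log(SAMPLE_LOG)))
```

Matching on the parsed hostname rather than on a substring of the raw line avoids false positives such as `notgotocdn.example`, and the subdomain rule catches `www.trovi.com` without needing every host variant listed up front.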

    A notable extension in this set is Clean Master on the Google Chrome Store, which had 200,000 installs at the time it was detected as malicious. In total, the extensions that carried the same payload had reached 300,000 installs.

    The fourth and final phase of the attack concerns five Microsoft Edge extensions published by 'Starlab Technology' in 2023. Since then, these extensions have accumulated 4 million installs. According to Koi Security researchers, these spyware components collect a range of data, sending it to 17 domains in China: browsing history, search queries and keystrokes, mouse clicks with coordinates, fingerprint data, and local/session storage & cookies.

    Koi Security notes that these extensions also hold sufficient permissions to deliver, via an update, a backdoor similar to the one seen in the Clean Master set. However, no sign of this more malicious activity has been seen at this time.
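The point that an extension's declared permissions already bound what a later update can do is one a defender can act on before any malicious update ships. The following is an added example, not code from the reporting or from any extension named in it: it parses extension manifests and flags the permission combinations that correspond to the behaviours described above (link rewriting and keystroke capture via content scripts, search redirection via request interception, cookie theft, browsing-history collection, and broad script injection). The permission and manifest key names are real Chrome extension manifest fields; the three manifests and extension names are constructed for the example.

```python
import json
from typing import Dict, List

# Host patterns that put every site in reach.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension see or rewrite traffic (MV2 and MV3 names).
NETWORK_PERMS = {"webRequest", "webRequestBlocking",
                 "declarativeNetRequest", "declarativeNetRequestWithHostAccess"}
# Permissions that expose what the user browses.
HISTORY_PERMS = {"history", "tabs", "webNavigation"}


def host_patterns(m: dict) -> set:
    """Every host pattern the extension can reach: MV3 'host_permissions',
    MV2 host patterns mixed into 'permissions', and content-script 'matches'."""
    pats = set(m.get("host_permissions", []))
    pats |= {p for p in m.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for cs in m.get("content_scripts", []):
        pats |= set(cs.get("matches", []))
    return pats


def audit_manifest(m: dict) -> List[str]:
    """Return one finding per capability that maps onto a behaviour described
    in the reporting. Most findings need the combination of an API permission
    and broad host reach; a permission on its own is not flagged."""
    perms = set(m.get("permissions", [])) | set(m.get("optional_permissions", []))
    broad = bool(host_patterns(m) & BROAD_HOSTS)
    findings = []
    if broad and m.get("content_scripts"):
        findings.append("content script on every site: can rewrite links (affiliate tags) and observe keystrokes and clicks")
    if broad and perms & NETWORK_PERMS:
        findings.append("request interception on every site: can redirect search queries")
    if broad and "cookies" in perms:
        findings.append("cookie access on every site: can read session cookies")
    if perms & HISTORY_PERMS:
        findings.append("history/tabs/webNavigation: can record browsing history and URLs")
    if broad and "scripting" in perms:
        findings.append("programmatic injection on every site: an update can change what runs on every page")
    return findings


def audit_all(manifests: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit a mapping of extension label -> manifest.json text."""
    return {name: audit_manifest(json.loads(text)) for name, text in manifests.items()}


# Constructed manifests; the names are made up and do not refer to real extensions.
MANIFESTS = {
    "wallpaper-newtab (benign baseline)": json.dumps({
        "manifest_version": 3,
        "name": "Wallpaper New Tab",
        "permissions": ["storage"],
        "chrome_url_overrides": {"newtab": "newtab.html"},
    }),
    "tab-helper (MV3, over-privileged)": json.dumps({
        "manifest_version": 3,
        "name": "Tab Helper",
        "permissions": ["storage", "cookies", "tabs", "webRequest", "scripting"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    }),
    "legacy-search (MV2, cookies on all hosts)": json.dumps({
        "manifest_version": 2,
        "name": "Legacy Search",
        "permissions": ["http://*/*", "https://*/*", "cookies"],
    }),
}

if __name__ == "__main__":
    for name, findings in audit_all(MANIFESTS).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

A new-tab wallpaper extension that only needs `storage` produces no findings, which is the baseline to compare against: an extension in the same category that also asks for `cookies`, `tabs` and `<all_urls>` has the reach the article describes, whether or not its current version uses it.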

    The researchers told BleepingComputer that they contacted Google and Microsoft about the malicious extensions. While Google removed them from the Web Store, at the time of writing, BleepingComputer found "WeTab 新标签页" (3 million users) and "Infinity New Tab (Pro)" (650k users) extensions from the publisher still present on the Microsoft Edge Add-ons store.

    Users are advised to remove these malicious extensions immediately and reset their account passwords across their entire online presence. BleepingComputer has contacted both Google and Microsoft about Koi Security's findings and will add their statements once a response is received.

    The ShadyPanda campaign serves as a stark reminder of the ever-evolving nature of cyber threats and the importance of staying vigilant in today's digital landscape. As such, users must remain cautious when installing browser extensions and regularly monitor their online activity for signs of malicious behavior.

    Summary:

    In December 2025, a sophisticated and far-reaching malicious operation known as "ShadyPanda" was discovered by Koi Security, with its browser extensions amassing over 4.3 million installations on Chrome and Edge platforms. This campaign involved the gradual introduction of additional malicious functionality to initially legitimate browser extension tools, resulting in significant financial gains for the attackers through affiliate fraud and other means. The ShadyPanda operation highlights the importance of staying vigilant when installing browser extensions and regularly monitoring online activity for signs of malicious behavior.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Massive-Malicious-Browser-Extension-Operation-Unpacking-the-ShadyPanda-Campaign-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/shadypanda-browser-extensions-amass-43m-installs-in-malicious-campaign/


  • Published: Mon Dec 1 09:19:13 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.