Stealthy browser extensions waited years before infecting 4.3M Chrome, Edge users with backdoors and spyware

Summary

Security researchers at Koi have uncovered a seven-year campaign, dubbed ShadyPanda, that turned otherwise legitimate Chrome and Edge extensions into backdoors and spyware, infecting around 4.3 million users. The attackers published benign extensions, accumulated installs and trust (Featured/Verified statuses), then pushed malicious updates that auto-updated across existing users. The malware enabled remote code execution in the browser, full surveillance, injection into HTTPS pages and exfiltration of browsing data to servers in China. Some malicious extensions remain live in the Microsoft Edge store.

Key examples include Clean Master (published by Starlab Technology), which was part of a five-extension cluster that received a backdoor update after 300,000+ downloads, and WeTab, with ~3 million installs, which streams URLs, search queries, click and interaction data, fingerprints and storage access to multiple domains. Koi traced additional campaigns that monetised browsing via affiliate injection and hijacked searches, highlighting gaps in how marketplaces monitor extensions after approval.

Key Points

  • ShadyPanda ran a multi‑phase campaign over seven years, compromising about 4.3 million Chrome and Edge users.
  • Attack method: publish benign extensions, build installs and trust, then silently push malicious updates that auto‑propagate to all users.
  • Malware capabilities include remote code execution in the browser, content injection (even into HTTPS), hourly command checks, and arbitrary JavaScript execution with full extension API access.
  • Data exfiltrated: visited URLs, referrers, timestamps, persistent UUIDs, full browser fingerprints, search queries, click/interactions and stored data; some traffic went to servers located in China (including Baidu domains).
  • Examples: Clean Master (200k+ installs in one cluster) and WeTab (~3M installs) — some Edge extensions with millions of installs are still live in the Microsoft Edge store.
  • Some campaigns monetised visits by injecting affiliate codes and Google Analytics trackers; another redirected searches to hijack sites and logged keystrokes.
  • Extensions include anti‑analysis features and can behave benignly when developer tools are opened, complicating detection.
  • Google says the offending extensions are not on the Chrome Web Store now; Microsoft had not commented and several malicious Edge entries remained active at reporting time.

Why should I read this?

Quick and dirty: if you or your users run browser extensions, this matters — badly. Developers and sysadmins, check your extension lists, strip out anything you don’t need, and force audits. We’ve saved you the grief of sifting through the long report: this story shows marketplaces can be gamed by patient attackers who weaponise trust with a single update.
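As an added defender-side example (not code from Koi, Google, Microsoft or The Register), the Python script below inventories extension manifests and flags the broad permission sets that the page-injection, arbitrary-JavaScript and data-collection capabilities described above depend on, recording each version so a silently pushed update shows up when snapshots are compared. The sample manifests and the profile path in the usage note are assumptions.

```python
"""Inventory Chrome/Edge extension manifests and flag the permission sets that page
injection, arbitrary JS execution and browsing-data collection depend on.
Added example for this story, not code from Koi, Google, Microsoft or The Register."""
import json
from pathlib import Path

# Permissions that let an extension read or rewrite every page or run arbitrary code.
RISKY_PERMISSIONS = {"scripting", "webRequest", "webRequestBlocking", "tabs",
                     "webNavigation", "cookies", "declarativeNetRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Constructed sample manifests (hypothetical; not the real extensions' manifests).
SAMPLES = {
    "sample-dictionary-id": {"name": "Sample Dictionary", "version": "1.0.2",
        "permissions": ["storage"], "host_permissions": ["https://dict.example/*"]},
    "sample-newtab-id": {"name": "Sample New Tab", "version": "4.7.0",
        "permissions": ["tabs", "scripting", "webRequest", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]},
}

def host_patterns(manifest):
    """Host access from MV2 permissions, MV3 host_permissions and content-script matches."""
    hosts = [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    hosts += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        hosts += script.get("matches", [])
    return hosts

def audit_extension(ext_id, manifest):
    """Inventory record with the reasons the extension deserves review. The version is
    kept so snapshots can be diffed: a silently pushed update shows up as a version
    change, which the permission list alone will not reveal."""
    reasons = []
    risky = sorted(set(manifest.get("permissions", [])) & RISKY_PERMISSIONS)
    if risky:
        reasons.append("risky permissions: " + ", ".join(risky))
    broad = sorted(set(host_patterns(manifest)) & BROAD_HOSTS)
    if broad:
        reasons.append("access to every site: " + ", ".join(broad))
    return {"id": ext_id, "name": manifest.get("name"), "version": manifest.get("version"),
            "reasons": reasons, "review": bool(reasons)}

def audit_profile(root):
    """Audit <root>/<extension id>/<version>/manifest.json, Chrome's on-disk layout."""
    records = []
    for path in sorted(Path(root).expanduser().glob("*/*/manifest.json")):
        with open(path, encoding="utf-8") as fh:
            records.append(audit_extension(path.parts[-3], json.load(fh)))
    return records
```

Run `audit_profile` against a profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` or the Edge equivalent on Linux, an assumed path) and print the records whose `review` flag is set; keep the output as a baseline so later runs reveal version changes.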

Author style

Punchy: This is urgent for anyone who cares about endpoint hygiene or data leakage. The scale (millions infected) and the stealthy update tactic mean the details matter — particularly the persistence of active malicious extensions in Edge and the RCE-capable backdoor framework that can be pushed at any time.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/12/01/chrome_edge_malicious_browser_extensions/