ShadyPanda Browser Extension Spyware Campaign

A seven-year-long campaign by the threat actor ShadyPanda has turned popular browser extensions into spyware, impacting over 4.3 million installations across Chrome and Edge.

Key Findings

  • Initial legitimacy: Several extensions began as trusted tools, including Clean Master, which was even Google-verified.
  • Malicious pivot (mid-2024): Legitimate extensions silently updated to include hourly remote code execution, fetching JavaScript payloads from attacker-controlled domains (api.extensionplay[.]com, api.cleanmasters[.]store).
  • Capabilities:
    • Full browser access and arbitrary code execution.
    • Monitoring of all website visits.
    • Exfiltration of encrypted browsing history and complete browser fingerprints.
    • Adversary-in-the-middle (AitM) attacks for credential theft, session hijacking, and code injection.
    • Obfuscated code, plus a “benign mode” that suspends the malicious behaviour whenever developer tools are opened, to frustrate analysis.
  • Surveillance extensions: Another set of five add-ons (e.g., WeTab, with 3M installs) tracked URLs, search queries, mouse clicks, cookies, and scrolling behavior, sending data to servers in China.
  • Earlier phases (2023–2024):
    • Affiliate fraud via injected tracking codes on eBay, Booking.com, Amazon.
    • Browser hijacking: redirecting searches through trovi.com to monetize queries.
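The hourly payload fetch described above gives defenders a rhythm to look for. The script below is an added example (not code from the advisory or from the campaign) that scans resolver or proxy log lines for lookups of the two domains named above, including their subdomains, and then checks whether any client's contacts recur on a roughly hourly cadence. The log format, the client addresses and the timestamps are constructed for the example; the two domains are the ones the advisory lists.

```python
import re
from collections import defaultdict
from datetime import datetime

# Domains named in the advisory, kept defanged in the source and refanged at load time
# so the script can be shared without carrying live-looking indicators.
IOC_DOMAINS_DEFANGED = ["api.extensionplay[.]com", "api.cleanmasters[.]store"]


def refang(domain):
    return domain.replace("[.]", ".").lower().rstrip(".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def matches_ioc(host):
    """True if host is an indicator domain or a subdomain of one (case- and trailing-dot-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Assumed log format: "<ISO timestamp> <client IP> <queried name>" per line.
# Real DNS or proxy logs differ; adapt this regex to the fields your resolver emits.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)")


def parse_line(line):
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    try:
        return datetime.fromisoformat(m["ts"]), m["client"], m["query"]
    except ValueError:
        return None


def beacon_gaps(timestamps):
    """Seconds between consecutive sightings, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def looks_hourly(timestamps, period=3600, tolerance=300):
    """Crude periodicity check: at least three sightings, every gap within +/- tolerance of period."""
    gaps = beacon_gaps(timestamps)
    return len(gaps) >= 2 and all(abs(g - period) <= tolerance for g in gaps)


def analyze(lines):
    """Group indicator hits by client and flag clients whose contacts recur on an hourly cadence."""
    sightings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and matches_ioc(rec[2]):
            sightings[rec[1]].append(rec[0])
    return {client: {"hits": len(ts), "hourly": looks_hourly(ts)} for client, ts in sightings.items()}


# Constructed sample log: one host contacting the payload domain once an hour (with mixed case
# and a trailing dot in one record), one single lookup, and ordinary traffic that must not match.
SAMPLE_LOG = """
2024-07-01T09:00:12 10.0.0.5 api.extensionplay.com
2024-07-01T09:00:40 10.0.0.9 www.example.com
2024-07-01T10:00:08 10.0.0.5 API.ExtensionPlay.com.
2024-07-01T10:30:00 10.0.0.7 api.cleanmasters.store
2024-07-01T11:00:15 10.0.0.5 api.extensionplay.com
2024-07-01T11:05:00 10.0.0.9 cdn.example.net
2024-07-01T12:00:03 10.0.0.5 api.extensionplay.com
""".strip().splitlines()


def demo():
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    for client, info in sorted(demo().items()):
        print(f"{client}: {info['hits']} indicator lookups, hourly cadence: {info['hourly']}")
```

Feed analyze() the lines of a real log after adapting LOG_LINE to its fields. The periodicity test is deliberately loose (every gap within five minutes of an hour); a single exact lookup of either domain is already enough to act on, but the cadence check helps pick out an infected host in a log where the earliest lookups have already rotated away.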

Risks

  • Mass surveillance: Millions of users unknowingly exposed to continuous monitoring.
  • Credential theft: Cookies and session hijacking enable account compromise.
  • Supply chain abuse: Auto-update pipelines of Chrome/Edge silently delivered malicious updates.
  • Trust exploitation: Extensions that marketplaces had verified and featured were later weaponized.

Recommended Actions

  • For users:
    • Immediately uninstall listed extensions (Clean Master, Speedtest Pro, BlockSite, WeTab, Infinity New Tab variants, etc.).
    • Rotate credentials for accounts accessed via affected browsers.
    • Clear cookies and sessions; enable MFA on critical accounts.
    • Monitor for suspicious login attempts or redirected searches.
  • For organizations:
    • Audit employee browsers for malicious extensions.
    • Restrict extension installation to vetted allowlists.
    • Monitor outbound traffic to suspicious domains (api.extensionplay[.]com, api.cleanmasters[.]store).
    • Educate staff about extension risks and enforce browser security policies.
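The browser audit step above in working form, as an added example (not code from the advisory or from any of the extensions it names): it walks each Chrome/Edge profile's Extensions directory, reads every manifest.json, and flags an extension when its name matches one listed here, when its permissions grant access to every site together with scripting, request, cookie or history APIs, or when its update_url points outside the two official stores. The default profile paths, the placeholder extension IDs and the sample manifests in demo() are assumptions constructed for the example; the advisory gives extension names, not IDs.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# Extension names called out in the advisory. Names are not unique: confirm a hit against the
# extension ID (the folder name under Extensions/) before acting on it.
SUSPECT_NAMES = ("clean master", "speedtest pro", "blocksite", "wetab", "infinity new tab")
# Host patterns that reach every site, and API permissions that together with them give the
# reach this campaign abused (page content, requests, cookies, history).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISKY_PERMS = {"scripting", "webRequest", "webRequestBlocking", "declarativeNetRequest",
               "cookies", "history", "tabs", "webNavigation"}
# Update endpoints of the two official stores; any other update_url bypasses store review.
STORE_UPDATE_PREFIXES = ("https://clients2.google.com/service/update2/crx",
                         "https://edge.microsoft.com/extensionwebstorebase/v1/crx")


def default_extension_dirs():
    """Per-profile Extensions directories under the usual Chrome/Edge paths (assumed defaults)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        roots = [local / "Google/Chrome/User Data", local / "Microsoft/Edge/User Data"]
    elif sys.platform == "darwin":
        roots = [home / "Library/Application Support/Google/Chrome",
                 home / "Library/Application Support/Microsoft Edge"]
    else:
        roots = [home / ".config/google-chrome", home / ".config/microsoft-edge"]
    return [p / "Extensions" for r in roots if r.is_dir()
            for p in r.iterdir() if (p / "Extensions").is_dir()]


def resolve_name(manifest, version_dir):
    """Expand a localized __MSG_key__ name from the extension's default-locale messages."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        try:
            name = json.loads(msgs.read_text(encoding="utf-8-sig")).get(name[6:-2], {}).get("message", name)
        except (OSError, ValueError):
            pass
    return name


def assess_manifest(manifest, name):
    """Return the reasons this extension deserves a closer look (empty list if none)."""
    reasons = []
    if any(s in name.lower() for s in SUSPECT_NAMES):
        reasons.append(f"name matches advisory list: {name!r}")
    perms = set(manifest.get("permissions", []))
    # MV3 lists host patterns under host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    broad, risky = sorted(hosts & BROAD_HOSTS), sorted(perms & RISKY_PERMS)
    if broad and risky:
        reasons.append(f"access to all sites ({', '.join(broad)}) with {', '.join(risky)}")
    update_url = manifest.get("update_url", "")
    if update_url and not update_url.startswith(STORE_UPDATE_PREFIXES):
        reasons.append(f"update_url outside the official stores: {update_url}")
    return reasons


def audit_extensions_dir(ext_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and collect flagged extensions."""
    findings = []
    for id_dir in sorted(p for p in Path(ext_dir).iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            try:
                manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                continue  # no manifest, or one that cannot be parsed
            name = resolve_name(manifest, version_dir)
            reasons = assess_manifest(manifest, name)
            if reasons:
                findings.append({"id": id_dir.name, "version": version_dir.name,
                                 "name": name, "reasons": reasons})
    return findings


def demo():
    """Run the audit on a constructed profile (fake IDs and manifests) so the script works offline."""
    store = "https://clients2.google.com/service/update2/crx"
    samples = {  # the 32-character IDs below are placeholders, not real extension IDs
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/3.1.0": {
            "name": "__MSG_appName__", "default_locale": "en", "manifest_version": 3,
            "host_permissions": ["<all_urls>"], "permissions": ["scripting", "cookies", "tabs"],
            "update_url": store},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/1.0.2": {
            "name": "Sticky Notes", "manifest_version": 3, "permissions": ["storage"], "update_url": store},
    }
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp) / "Default" / "Extensions"
        for rel, manifest in samples.items():
            (ext_dir / rel).mkdir(parents=True)
            (ext_dir / rel / "manifest.json").write_text(json.dumps(manifest))
        loc = ext_dir / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/3.1.0/_locales/en"
        loc.mkdir(parents=True)
        (loc / "messages.json").write_text(json.dumps({"appName": {"message": "WeTab"}}))
        return audit_extensions_dir(ext_dir)


if __name__ == "__main__":
    for ext_dir in (sys.argv[1:] or default_extension_dirs()):
        for f in audit_extensions_dir(ext_dir):
            print(f"{ext_dir}: {f['id']} v{f['version']} {f['name']!r}: {'; '.join(f['reasons'])}")
```

Run it with no arguments to scan the default profile locations on the current host, or pass one or more Extensions directories. A name match on its own is weak evidence (anyone can publish an extension called "Clean Master"), so treat the permission and update_url checks as the signal, and confirm hits against the extension IDs published in the full advisory before removing or blocking anything. The same lists of names and permissions can seed the allowlist policy the next bullet calls for.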

Takeaway

ShadyPanda’s campaign shows how trusted browser extensions can be weaponized post-approval, exploiting the blind spot in extension marketplaces that review code only at submission. The auto-update mechanism, designed for security, became the attack vector.
