Full Report
In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale. A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into
Analysis Summary
# Threat Actor: ShadyPanda
## Attribution & Identity
* **Identified Name:** ShadyPanda
* **Known Aliases/Groups:** Not explicitly named, but characterized as a cybercrime group.
* **Known Associations:** None specified beyond the campaign name.
## Activity Summary
ShadyPanda conducted a massive, long-running cybercrime campaign leveraging legitimate browser extensions. The campaign spanned seven years leading up to its exposure in early December 2025. The central tactic involved acquiring or publishing seemingly harmless Chrome and Edge browser extensions, running them cleanly for years to build a large user base (up to 4.3 million installs), and then suddenly activating them via silent updates to deliver malware. The malicious activity was reportedly activated in mid-2024.
## Tactics, Techniques & Procedures
* **Supply Chain Compromise (Browser Extension Focus):** Publishing or acquiring popular, seemingly legitimate extensions built for Chrome and Edge.
* **Long-Game Deception:** Allowing extensions to run clean for years to build user trust and achieve millions of installs.
* **Silent Malicious Updates:** Pushing malicious code via automatic, background extension updates without user consent or awareness.
* **Evasion/Trust Building:** Obtaining features and verified badges in the official Chrome Web Store and Microsoft Edge Add-ons sites to reinforce user confidence.
* **Post-Compromise Capabilities (Malware Flip):**
  * Establishing a **Remote Code Execution (RCE)** framework within the browser.
  * Downloading and running arbitrary JavaScript.
  * Spyware functions: monitoring keystrokes and URLs.
  * Injecting malicious scripts into web pages.
* **Data Exfiltration:** Stealing browsing data and credentials.
* **Session Hijacking:** Stealing session cookies and authentication tokens (bypassing MFA).
  * Impersonation of SaaS accounts (e.g., Microsoft 365, Google Workspace) using hijacked tokens.
* **MITRE ATT&CK IDs:** Not explicitly mentioned in the text, but the activities align broadly with T1189 (Drive-by Compromise) and T1552 (Credential Access), leading to SaaS application compromise.
## Targeting
* **Sectors:** SaaS (Software as a Service) organizations are explicitly mentioned as high-risk targets due to reliance on session tokens for access to services like Slack, Salesforce, and Office suites. General browser users are the initial entry vector.
* **Geography:** Not specified, but targeting Chrome and Edge users implies a global scope.
* **Victims:** Individuals who installed the affected extensions (5.20+ million installs in total, 4.3 million on the compromised extensions). The secondary victims are the enterprises whose SaaS environments (Microsoft 365, Google Workspace) were compromised via stolen session cookies.
## Tools & Infrastructure
* **Malware Families Used:** A framework capable of RCE, spyware, keystroke logging, and token theft delivered via extension updates.
* **Infrastructure (C2, domains, IPs):** Not specified/detailed in the provided text.
## Implications
ShadyPanda's campaign highlights a critical modern threat vector that bridges endpoint security and SaaS identity security. By successfully hijacking authenticated browser sessions, the actor effectively bypassed traditional Multi-Factor Authentication (MFA), granting them unfettered access to sensitive cloud environments (email, files, chat) without triggering standard security alerts. This blurs the line between endpoint compromise and cloud security failure.
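The session-hijacking path described above leaves a trace that SaaS audit logs can surface: a stolen cookie is replayed with no fresh sign-in or MFA event, so the same session identifier turns up from a client other than the one that authenticated. The script below, added here as an illustration and not part of the report or any vendor's tooling, runs that check over a constructed JSON-lines log. The field names (`ts`, `user`, `event`, `session_id`, `ip`, `ua`) and event names are assumptions, not a real provider's schema.

```python
"""Detect replay of a stolen SaaS session from audit logs.

Added example, not part of the original report and not tooling from any vendor
named in it. Log format, field names and events are constructed assumptions.
"""
import json

# Constructed sample audit log (JSON lines). Session s-101 signs in with MFA
# from one client and is then used from a different IP and user agent with no
# new sign-in: the pattern a replayed session cookie produces. Session s-303
# shows activity with no sign-in at all inside the log window.
SAMPLE_LOG = """\
{"ts":"2025-11-20T08:00:00Z","user":"alice@example.com","event":"sign_in","mfa":true,"session_id":"s-101","ip":"203.0.113.10","ua":"Chrome/131 Windows"}
{"ts":"2025-11-20T08:05:00Z","user":"alice@example.com","event":"mail.read","session_id":"s-101","ip":"203.0.113.10","ua":"Chrome/131 Windows"}
{"ts":"2025-11-20T08:07:00Z","user":"alice@example.com","event":"files.download","session_id":"s-101","ip":"198.51.100.77","ua":"python-requests/2.32"}
{"ts":"2025-11-20T09:00:00Z","user":"bob@example.com","event":"sign_in","mfa":true,"session_id":"s-202","ip":"203.0.113.20","ua":"Edge/131 Windows"}
{"ts":"2025-11-20T09:30:00Z","user":"bob@example.com","event":"chat.read","session_id":"s-202","ip":"203.0.113.20","ua":"Edge/131 Windows"}
{"ts":"2025-11-20T10:00:00Z","user":"carol@example.com","event":"admin.settings","session_id":"s-303","ip":"198.51.100.78","ua":"curl/8.5"}
"""


def parse_log(text):
    """Parse JSON-lines audit records; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _alert(ev, reason):
    return {"ts": ev["ts"], "user": ev["user"], "session_id": ev["session_id"],
            "ip": ev["ip"], "ua": ev["ua"], "event": ev["event"], "reason": reason}


def detect_session_replay(events):
    """Return one alert per event that uses a session from a client other than
    the one that completed sign-in, or on a session with no observed sign-in.

    A hijacked cookie never triggers a fresh MFA prompt, so the signal is a
    client change *without* an intervening sign_in on the same session_id.
    The (ip, ua) tuple is a deliberate simplification: production logic would
    key on ASN or a device fingerprint to tolerate mobile and VPN IP churn.
    """
    origin = {}   # session_id -> (ip, ua) captured at sign_in
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 sorts lexically
        sid = ev["session_id"]
        client = (ev["ip"], ev["ua"])
        if ev["event"] == "sign_in":
            origin[sid] = client            # a new sign-in re-anchors the session
            continue
        if sid not in origin:
            alerts.append(_alert(ev, "activity on session with no observed sign-in"))
        elif client != origin[sid]:
            ip0, ua0 = origin[sid]
            alerts.append(_alert(ev, f"session moved from {ip0} / {ua0} without re-authentication"))
    return alerts


def run_sample():
    """Run the detection over the constructed log and return the alerts."""
    return detect_session_replay(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The "no observed sign-in" case is lower severity on its own, since a session that authenticated before the start of the log window produces the same shape; the client-change case with no re-authentication is the one that maps directly to cookie replay.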
## Mitigations
* Enforce **Extension Allow Lists and Governance** to regain control over extensions running in the environment.
* Conduct thorough audits of all installed extensions.
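To make both mitigations concrete, and to tie them back to the capabilities listed under Tactics, Techniques & Procedures (an update that silently claims broad permissions, or a content security policy that allows eval or remote script sources so the extension can download and run arbitrary JavaScript), here is an added example audit script. It is not from the report or from any browser vendor. It assumes the on-disk layout Chromium-based browsers use for installed extensions (`<profile>/Extensions/<id>/<version>/manifest.json`); the allow list, the extension IDs and the manifests are constructed, and the set of permissions treated as risky is an assumed triage set rather than an official list.

```python
"""Audit a Chrome/Edge profile's installed extensions against an allow list
and flag manifest capabilities behind the TTPs above.

Added example (not the report's or a vendor's tool). Allow list, IDs and
manifests are constructed; the assumed on-disk layout is
<profile>/Extensions/<extension-id>/<version>/manifest.json.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read or alter every page, observe input,
# or take cookies and tokens. Assumed triage set, not an official list.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "scripting",
                     "tabs", "debugger", "declarativeNetRequest", "nativeMessaging"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Hypothetical organisation allow list keyed by extension ID (constructed ID).
ALLOW_LIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def script_src_sources(csp):
    """Return the source tokens of a CSP string's script-src directive."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            return parts[1:]
    return []


def audit_manifest(ext_id, manifest, allow_list=ALLOW_LIST):
    """Return human-readable findings for one extension manifest."""
    findings = []
    if ext_id not in allow_list:
        findings.append("not on the allow list")
    perms = set(manifest.get("permissions", []))
    # MV2 listed host patterns under `permissions`; MV3 uses `host_permissions`.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if p == "<all_urls>" or "://" in p}
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append("risky permissions: " + ", ".join(risky))
    if hosts & BROAD_HOST_PATTERNS:
        findings.append("host access to all sites")
    # MV2 CSP is a string; MV3 is a dict with an `extension_pages` key.
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    sources = script_src_sources(csp)
    if "'unsafe-eval'" in sources:
        findings.append("CSP allows eval (downloaded JavaScript can be executed)")
    if any(s.startswith(("http:", "https:")) for s in sources):
        findings.append("CSP allows remote script sources (code can change without an update)")
    return findings


def audit_profile(profile_dir, allow_list=ALLOW_LIST):
    """Audit the highest-sorting version directory of each installed extension."""
    report = {}
    ext_root = Path(profile_dir) / "Extensions"
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        versions = sorted(p for p in ext_dir.iterdir() if (p / "manifest.json").is_file())
        if not versions:
            continue
        manifest = json.loads((versions[-1] / "manifest.json").read_text(encoding="utf-8"))
        report[ext_dir.name] = {
            "name": manifest.get("name", "?"),   # may be a __MSG_...__ locale key
            "version": versions[-1].name,
            "findings": audit_manifest(ext_dir.name, manifest, allow_list),
        }
    return report


# Constructed sample profile: one allow-listed, narrowly scoped extension and
# one whose update claims the broad capabilities the flipped extensions had.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.2.0": {
        "manifest_version": 3, "name": "Team Notes", "version": "1.2.0",
        "permissions": ["storage"], "host_permissions": ["https://notes.example.com/*"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/4.0.1": {
        "manifest_version": 2, "name": "Page Helper", "version": "4.0.1",
        "permissions": ["cookies", "webRequest", "webRequestBlocking", "tabs", "<all_urls>"],
        "content_security_policy":
            "script-src 'self' 'unsafe-eval' https://cdn.example.net; object-src 'self'"},
}


def run_sample():
    """Write the sample manifests to a temp profile, audit it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp) / "Default"
        for rel, manifest in SAMPLE_MANIFESTS.items():
            d = profile / "Extensions" / rel
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(profile)


if __name__ == "__main__":
    for ext_id, info in run_sample().items():
        print("OK    " if not info["findings"] else "REVIEW", ext_id, info["name"], info["version"])
        for finding in info["findings"]:
            print("   -", finding)
```

Against a real profile, call `audit_profile` on the profile directory (on Linux, for example, `~/.config/google-chrome/Default` or `~/.config/microsoft-edge/Default`). Re-running it after each browser update cycle and diffing the findings is what catches the "flip": an extension that was clean last week and now claims `cookies`, `webRequest` and `<all_urls>` has changed in exactly the way the report describes, even though its name, rating and store badge are unchanged.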