Full Report
Researchers from Koi Security have detected 18 malicious Chrome and Edge extensions masquerading as benign productivity and entertainment tools.
Analysis Summary
# Tool/Technique: RedDirection Campaign (Browser Extensions)
## Overview
The RedDirection campaign involves a set of 18 malicious browser extensions distributed via the Google Chrome Web Store and Microsoft Edge Add-ons Store. These extensions initially offer seemingly legitimate productivity or entertainment functionalities (e.g., emoji keyboards, volume boosters, dark themes) but secretly implement browser surveillance and hijacking capabilities. The campaign is centralized despite using multiple C2 subdomains.
## Technical Details
- Type: Malware (Browser Extensions)
- Platform: Google Chrome, Microsoft Edge
- Capabilities: Browser surveillance, information theft, advertisement/content redirection/hijacking, insight generation, tracking cookie usage.
- First Seen: Not stated explicitly; the campaign's discovery by Koi Security is implied to be around July 2025, based on the article date.
## MITRE ATT&CK Mapping
Given the described functions of surveillance and hijacking:
- **TA0009 - Collection**
  - T1057 - Process Discovery (Potentially implied by monitoring browser activity)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (Via web requests to C2)
- **TA0001 - Initial Access**
  - T1588.006 - Obtain Capabilities: Browser Extensions (Distribution via official stores)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (May be used in extension code)
- **TA0006 - Credential Access** (Implied by broader "hijacking" capabilities)
*Note: The specific techniques are inferred based on the high-level description of surveillance and content hijacking, as precise technical details of the executed code were not provided in the summary.*
## Functionality
### Core Capabilities
- Masquerading as tools for productivity, entertainment, or utility (e.g., weather, video speed control, VPN proxies).
- Offering advertised, functional services to maintain user trust.
- Secretly implementing browser surveillance.
### Advanced Features
- Implementing content/advertisement redirection and hijacking.
- Extracting insights and generating reports based on collected data.
- Accessing and storing information on user devices (cookies, potentially browsing history/credentials if "hijacking" is severe).
- Centralized command and control infrastructure despite using separate subdomains for each extension.
- Some extensions were previously verified or featured by Google/Microsoft, suggesting potential supply chain contamination or exploitation of store vetting processes.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: [Not provided in the context, but extensions are listed by function, e.g., "Color Picker, Eyedropper — Geco colorpick"]
- Registry Keys: [Not applicable for browser extensions unless they perform system side-effects]
- Network Indicators: Multiple C2 subdomains are used (defanged and generalized based on context):
  - `[C2_subdomain].com` (Used by various extensions)
- Behavioral Indicators: Modification of displayed web content, unauthorized loading of external scripts, excessive data transmission originating from browser process activity.
## Associated Threat Actors
- Unknown/Unattributed (Centralized infrastructure discovered by Koi Security, campaign dubbed "RedDirection").
## Detection Methods
- Signature-based detection: match on file hashes or on manifest features specific to these 18 extensions once they have been identified.
- Behavioral detection: Monitoring browser extension activity for unauthorized content injection, redirection, or unexpected data transmission associated with benign extensions.
- YARA rules: [Not available in the context]
## Mitigation Strategies
- Prevention measures: Users should be highly cautious about installing extensions, even those featured on official stores. Regularly review and remove unnecessary extensions.
- Hardening recommendations: Limit the permissions requested by browser extensions; use enterprise monitoring solutions that focus on extension telemetry (manifest analysis, script execution analysis).
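The manifest-analysis side of the detection and hardening points above can be scripted. The following is an added example written for this summary, not code from Koi Security or from any vendor product: it walks a Chrome/Edge profile's `Extensions` directory, parses each extension's `manifest.json`, and scores the permission set for the capabilities the campaign is described as having (page surveillance, content injection, request redirection). The permission and host-pattern names are real Chrome extension manifest values; the weights, the flagging threshold, the extension IDs and the two sample manifests are this example's own constructed assumptions.

```python
"""Manifest-based risk triage for installed browser extensions (added example)."""
import json
import os
import tempfile

# Permissions that enable page surveillance, cookie access, content injection
# or request redirection. Weights are assumptions chosen for illustration.
RISKY_PERMISSIONS = {
    "webRequest": 3, "webRequestBlocking": 3, "declarativeNetRequest": 3,
    "cookies": 3, "history": 3, "proxy": 3,
    "scripting": 2, "tabs": 2, "webNavigation": 2, "management": 2,
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
RISK_THRESHOLD = 5  # assumption: a score at or above this is flagged for review


def score_manifest(manifest: dict) -> dict:
    """Return a risk breakdown for one parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 mixed host patterns into "permissions"; count those as hosts too.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings, score = [], 0
    for p in sorted(perms & set(RISKY_PERMISSIONS)):
        score += RISKY_PERMISSIONS[p]
        findings.append(f"permission:{p}")
    if hosts & BROAD_HOSTS:
        score += 3
        findings.append("broad host access")
    # A content script matching every page is the usual vehicle for ad/content injection.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            score += 2
            findings.append("content_script on all pages")
            break
    return {
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "score": score,
        "flagged": score >= RISK_THRESHOLD,
        "findings": findings,
    }


def audit_extensions_dir(extensions_dir: str) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and score each one."""
    results = []
    for ext_id in sorted(os.listdir(extensions_dir)):
        ext_path = os.path.join(extensions_dir, ext_id)
        if not os.path.isdir(ext_path):
            continue
        for version_dir in sorted(os.listdir(ext_path)):
            manifest_path = os.path.join(ext_path, version_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                try:
                    manifest = json.load(fh)
                except json.JSONDecodeError:
                    continue  # unreadable manifest: skip rather than crash the sweep
            result = score_manifest(manifest)
            result["id"] = ext_id
            results.append(result)
    return results


# Constructed sample manifests; the IDs are placeholders, not real extensions.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3, "name": "Unit Converter", "version": "1.0",
        "permissions": ["storage"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3, "name": "Volume Booster Pro", "version": "2.3",
        "permissions": ["storage", "tabs", "cookies", "webRequest"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    },
}


def demo() -> list:
    """Write the constructed manifests into a temporary profile layout and audit it."""
    root = tempfile.mkdtemp()
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        vdir = os.path.join(root, ext_id, manifest["version"] + "_0")
        os.makedirs(vdir)
        with open(os.path.join(vdir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return audit_extensions_dir(root)


if __name__ == "__main__":
    for r in demo():
        flag = "FLAG" if r["flagged"] else "ok  "
        print(f"{flag} {r['score']:>2} {r['id']} {r['name']} {r['version']} {r['findings']}")
```

On a real host, point `audit_extensions_dir` at the profile's extension folder (for example `~/.config/google-chrome/Default/Extensions` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows; Edge uses the same layout under its own profile path). The score is a triage aid, not a verdict: a "volume booster" that needs `webRequest`, `cookies` and a content script on every page is the mismatch between advertised purpose and requested capability that this campaign relies on, and that is what the reviewer should look at.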
## Related Tools/Techniques
- Malicious Browser Extensions (General category)
- Content Injection Techniques
- Supply Chain Attacks targeting official application stores