Full Report
A long-running malware operation known as "ShadyPanda" has amassed over 4.3 million installations of seemingly legitimate Chrome and Edge browser extensions that evolved into malware. [...]
Analysis Summary
# Threat Actor: ShadyPanda
## Attribution & Identity
Threat actor identified as "ShadyPanda." The operation has been active since at least 2018. No specific nation-state or established cybercriminal group beyond the "ShadyPanda" designation is mentioned in the provided context.
## Activity Summary
ShadyPanda is a long-running malware operation that has leveraged Google Chrome and Microsoft Edge browser extensions to deploy spyware and conduct various forms of fraud/hijacking. The operation unfolded in four distinct phases utilizing 145 malicious extensions:
1. **Initial Phase (c. 2018):** Extensions were initially submitted, gaining reputation over time.
2. **Phase 2 (Observed in 2023):** Extensions began engaging in affiliate fraud by injecting tracking codes from eBay, Booking.com, and Amazon into legitimate links for revenue generation.
3. **Phase 3 (Early 2024):** Became bolder, deploying search hijacking (e.g., redirecting queries to `trovi[.]com`). Certain well-reputed extensions were updated to include a backdoor for Remote Code Execution (RCE).
4. **Phase 4 (Current Active Phase):** Five Microsoft Edge extensions published by 'Starlab Technology' (since 2023) act as spyware and have accumulated 4 million installs.
## Tactics, Techniques & Procedures
- **Distribution via Malicious Extensions:** Deploying seemingly legitimate applications on the Chrome Web Store and Microsoft Edge Add-ons platform.
- **Phased Malicious Evolution:** Gradually introducing malicious functionality via updates to maintain legitimacy.
- **Affiliate Fraud:** Injecting tracking codes into user links to redirect purchases to the threat actor's benefit.
- **Search Hijacking:** Redirecting user search queries.
- **Remote Code Execution (RCE) Backdoor:** Updating extensions to allow for execution of arbitrary JavaScript with full browser API access upon receiving instructions from a C2 server.
- **Data Exfiltration:** Stealing browsing history, search queries, keystrokes, mouse clicks (with coordinates), fingerprinting data, local/session storage, and cookies.
- **Encryption:** Exfiltrating sensitive data (browsing URLs, fingerprinting, persistent identifiers) using AES encryption.
## Targeting
- **Sectors:** Not explicitly detailed; the affiliate fraud indirectly suggests an interest in e-commerce and travel, but the primary targets are general browser users.
- **Geography:** Data exfiltration in the final phase targets **17 domains in China**, suggesting C2 infrastructure or data processing/storage is based there.
- **Victims:** Over **4.3 million installations** across various users. Notably, the 'Clean Master' extension achieved 200,000 installs before detection.
## Tools & Infrastructure
- **Malware Families Used:** The core functionality is delivered via malicious browser extensions (Chrome and Edge). These extensions host a **remotely configurable RCE backdoor framework**.
- **Infrastructure (Defanged):**
  - C2 for RCE check-ins: `api.extensionplay[.]com`
  - Data exfiltration (Phase 3): `api[.]cleanmasters[.]store`
  - Data exfiltration (Search hijacking): `dergoodting[.]com`
  - Data exfiltration (Search hijacking): `trovi[.]com` (used for redirection)
  - Data exfiltration (Search hijacking): `gotocdn` subdomains
  - Current Spyware C2/Data Sink: **17 domains located in China**.
## Implications
ShadyPanda represents a significant, long-term supply chain risk within browser extension platforms. The actors demonstrated patience, building reputation over several years (2018-2024) before deploying highly invasive spyware capabilities. The shift from simple affiliate fraud to RCE and persistent data theft indicates a growing sophistication and desire for high-value intelligence, not just revenue generation. The scale (4.3M installs) suggests potential for widespread compromise across individual users globally.
## Mitigations
- **Immediate Extension Audit:** Users should immediately search for and remove known malicious extensions, paying special attention to those published by 'Starlab Technology' or those related to 'Clean Master' or 'Infinity V+.'
- **Vendor Coordination:** Users of the Microsoft Edge Add-ons store should note that the platform lagged behind Google's Chrome Web Store in removing these threats.
- **Principle of Least Privilege:** Review and severely restrict the permissions granted to installed browser extensions, bearing in mind that this actor operated within the permissions its extensions legitimately required for browser API interaction.
- **Behavioral Monitoring:** Monitor outbound network traffic from end-user workstations for connections to known C2 domains and for unusually high volumes of data egress to suspicious endpoints.
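As an added example, not part of the original report, the following Python scanner refangs the indicators listed above and runs them over constructed DNS/proxy log lines, matching each indicator and its subdomains. The log format (`<timestamp> <client_ip> <queried_host>`) and the handling of the bare `gotocdn` entry (flagging any host whose registered label starts with `gotocdn`) are assumptions made for this example.

```python
import re
from typing import Iterable, Optional

# Indicators from the report above, defanged as written there.
DEFANGED_IOCS = ["api.extensionplay[.]com", "api[.]cleanmasters[.]store",
                 "dergoodting[.]com", "trovi[.]com"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")

IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}

def host_matches(host: str) -> Optional[str]:
    """Return the indicator a hostname matches (itself or any subdomain), else None.
    The report names only 'gotocdn' subdomains, so (assumption) any host whose
    registered label starts with 'gotocdn' is flagged as well."""
    host = host.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    labels = host.split(".")
    if len(labels) >= 2 and labels[-2].startswith("gotocdn"):
        return "gotocdn-subdomain"
    return None

# Hypothetical log format for this example: "<timestamp> <client_ip> <queried_host>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)")

def scan_log(lines: Iterable[str]) -> list:
    """Return (timestamp, client, indicator) for every line that hits an IoC."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, host = m.groups()
        ioc = host_matches(host)
        if ioc:
            hits.append((ts, client, ioc))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z 10.0.0.5 www.example.com",
    "2024-03-01T10:00:02Z 10.0.0.5 api.extensionplay.com",
    "2024-03-01T10:00:03Z 10.0.0.7 cdn.trovi.com",
    "2024-03-01T10:00:04Z 10.0.0.9 nottrovi.com",  # suffix-only lookalike, must not match
    "2024-03-01T10:00:05Z 10.0.0.9 x1.gotocdn-static.net",
]
```

Calling `scan_log(SAMPLE_LOG)` yields three hits (the extensionplay C2, the trovi subdomain and the gotocdn host) and ignores the `nottrovi.com` lookalike, because matching is on whole labels rather than bare string suffixes.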