ShadyPanda's Seven-Year Spyware Campaign Hijacks 4.3 Million Browser Users
- John Jordan
- 3 hours ago
- 2 min read
A sophisticated, seven-year cyber espionage campaign orchestrated by a threat actor known as ShadyPanda has compromised over 4.3 million users of Google Chrome and Microsoft Edge. The group weaponized popular browser extensions, transforming them into spyware and remote-code execution tools through a series of stealthy updates. This long-term operation exploited the trust users placed in seemingly legitimate applications, turning them into surveillance platforms.
Key Takeaways
Massive Scale: Over 4.3 million users affected across Chrome and Edge.
Long-Term Operation: Campaign spanned seven years, evolving in phases.
Trust Exploitation: Legitimate extensions were gradually updated with malicious code.
Data Exfiltration: Sensitive browsing data, search queries, and user activity were stolen.
Marketplace Vulnerability: The campaign highlighted weaknesses in extension review processes.
The Evolution of ShadyPanda's Attack
The ShadyPanda campaign unfolded in four distinct phases, progressively increasing its malicious capabilities. Initially, the group focused on affiliate fraud, injecting tracking codes into shopping links on popular e-commerce sites like Amazon and eBay to generate illicit commissions. This phase involved extensions that appeared to be harmless utilities.
Escalation to Spyware and Backdoors
By early 2024, the operation escalated to search hijacking and cookie theft, with extensions redirecting search queries and exfiltrating user data. The most alarming phase began in mid-2024, when several extensions, some active since 2018, received malicious updates introducing a remote-code execution (RCE) backdoor. These compromised extensions contacted a control server hourly to download and execute arbitrary JavaScript, which then ran with whatever permissions the extension already held: every site, cookie and tab the user had granted the add-on was available to the attacker.
Active Spyware Empire on Edge
While the malicious extensions have been removed from the Chrome Web Store, a significant portion of the campaign remains active on the Microsoft Edge Add-ons platform. Five extensions, published by 'Starlab Technology' in 2023, collectively account for more than 4 million installs. These extensions function as active spyware, harvesting extensive user data including browsing history, search queries, mouse movements and browser fingerprints, and transmitting it to servers in China. One of them, 'WeTab New Tab Page', alone accounts for approximately 3 million installs.
Systemic Vulnerabilities Exposed
ShadyPanda's success is attributed to its exploitation of a fundamental flaw in browser extension marketplaces: extensions are reviewed primarily upon submission, and subsequent updates often undergo minimal scrutiny. An extension that passed review years ago can therefore be turned into spyware by a single update, with no change visible to the user. Users are strongly advised to audit their installed extensions, remove any suspicious or unused add-ons, and, because the campaign stole cookies as well as credentials, rotate their passwords and sign out of active sessions so that already-stolen session cookies stop working.
Sources
ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware, The Hacker News.
ShadyPanda Malware Hits 4.3 Million Chrome and Edge Users in a 7-Year Stealth Attack, Cyber Press.
Browser extensions pushed malware to 4.3M Chrome, Edge users, The Register.
ShadyPanda browser extensions amass 4.3M installs in malicious campaign, BleepingComputer.
'Sleeper' Extensions: How ShadyPanda Weaponised Trust To Spy On Millions, LinkedIn.