ShadyPanda Browser Extension Campaign Turns 4.3M Installs Into Spyware
Summary
The ShadyPanda campaign, documented by Koi Security, has accumulated more than 4.3 million installs of malicious Chrome and Edge browser extensions that were first published as legitimate tools and were turned into spyware over several phases. Across its lifetime the campaign spans 145 extensions (20 for Chrome, 125 for Edge): the earliest were submitted in 2018, the first signs of malicious behaviour appeared in 2023, and the campaign is still live on the Microsoft Edge Add-ons store, where the WeTab extension alone accounts for 3 million installs and was still available for download when the articles were published. The early phases were about monetisation: the extensions silently injected affiliate tracking codes whenever a victim clicked an eBay, Amazon or Booking.com link, and deployed Google Analytics to log every site visit, search query and click pattern. In early 2024 the Infinity V+ extension began hijacking searches through the known browser hijacker trovi[.]com, reading victims' cookies and sending them to nossl[.]dergoodting[.]com to build unique identifiers without consent, and capturing search-box input to profile interests in real time.
In mid-2024 five extensions that had operated normally since 2018, Clean Master among them, received an update that added a remote code execution backdoor affecting about 300,000 users. Clean Master had been featured and verified by Google, which helped the operators grow their user base and push updates without suspicion. The backdoor polls an external server every hour and executes whatever JavaScript it returns with full browser API access; its exfiltration payload sends visited URLs, HTTP referrers, timestamps, a persistent UUID4 identifier and a complete browser fingerprint, AES-encrypted, to api[.]cleanmasters[.]store. That level of access lets the extensions mount adversary-in-the-middle (AitM) attacks for credential theft, session hijacking and arbitrary code injection into any website. A parallel spyware set of five Edge extensions, led by WeTab, reached more than 4 million users: posing as productivity tools, they collect browsing history, search queries, keystrokes, mouse clicks, time spent on each page and scrolling behaviour together with various browser identifiers, and send the data to domains in China, with WeTab New Tab Page alone reporting to 17 different domains. Users are advised to remove these extensions and reset their account passwords.
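One way to hunt for the hourly check-in described above in web-proxy logs. This is an added example, not Koi Security's detection logic and not code from the extensions: it flags any client that fetches the same URL on the same host at a near-constant interval, and separately matches destinations against the two domains the reporting names, api[.]cleanmasters[.]store and nossl[.]dergoodting[.]com. The log format, the placeholder host update.c2-example.test with its /cfg.js path, and the jitter and minimum-interval thresholds are assumptions; the log lines are constructed for the example.

```python
"""Hunt web-proxy logs for the hourly check-in described above: the same
client fetching the same URL at a near-constant interval, plus direct
matches on the domains the reporting names. Added example; not Koi
Security's detection logic. Log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlsplit

# Domains the reporting names as ShadyPanda exfiltration/C2 endpoints.
KNOWN_BAD = {"api.cleanmasters.store", "nossl.dergoodting.com"}

# Constructed log lines (not real traffic). Assumed format:
#   <ISO-8601 UTC time> <client> <method> <url> <status> <response content-type>
# update.c2-example.test and /cfg.js are placeholders, not real indicators.
SAMPLE_LOG = """\
2025-11-28T09:02:11Z 10.0.0.21 GET https://update.c2-example.test/cfg.js 200 application/javascript
2025-11-28T09:15:40Z 10.0.0.21 GET https://www.example.com/ 200 text/html
2025-11-28T10:02:09Z 10.0.0.21 GET https://update.c2-example.test/cfg.js 200 application/javascript
2025-11-28T10:31:02Z 10.0.0.21 GET https://cdn.example.com/app.js 200 application/javascript
2025-11-28T11:02:14Z 10.0.0.21 GET https://update.c2-example.test/cfg.js 200 application/javascript
2025-11-28T11:05:50Z 10.0.0.21 GET https://cdn.example.com/app.js 200 application/javascript
2025-11-28T12:02:10Z 10.0.0.21 GET https://update.c2-example.test/cfg.js 200 application/javascript
2025-11-28T12:44:21Z 10.0.0.21 GET https://www.example.com/search?q=laptop 200 text/html
2025-11-28T13:02:12Z 10.0.0.21 GET https://update.c2-example.test/cfg.js 200 application/javascript
2025-11-28T13:20:00Z 10.0.0.21 GET https://cdn.example.com/app.js 200 application/javascript
2025-11-28T14:02:08Z 10.0.0.21 GET https://update.c2-example.test/cfg.js 200 application/javascript
2025-11-28T09:30:00Z 10.0.0.33 POST https://nossl.dergoodting.com/ 200 text/plain
2025-11-28T09:31:00Z 10.0.0.33 GET https://www.example.com/ 200 text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Yield one record per well-formed line; skip anything else."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, client, method, url, status, ctype = m.groups()
        u = urlsplit(url)
        yield {"t": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
               "client": client, "method": method, "host": u.hostname or "",
               "path": u.path or "/", "status": int(status), "ctype": ctype}


def ioc_hits(records):
    """(client, host) pairs that talked to a domain named in the reporting."""
    return sorted({(r["client"], r["host"]) for r in records if r["host"] in KNOWN_BAD})


def find_beacons(records, min_hits=4, max_jitter=0.10, min_interval=300):
    """Flag (client, host, path) tuples fetched at a near-constant interval.

    jitter = largest deviation from the median gap, as a fraction of that
    median. A scheduled extension timer fires within seconds of its slot,
    so 10 % is generous; min_interval drops ordinary bursty resource loads."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["client"], r["host"], r["path"])].append(r)
    found = []
    for (client, host, path), hits in by_key.items():
        if len(hits) < min_hits:
            continue
        times = sorted(r["t"] for r in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if mid < min_interval or max(abs(g - mid) for g in gaps) / mid > max_jitter:
            continue
        found.append({"client": client, "host": host, "path": path, "hits": len(hits),
                      "interval_s": round(mid),
                      "script": any(r["ctype"].endswith("javascript") for r in hits)})
    return found


def analyse(text):
    """Run both checks over a log and return the findings."""
    recs = list(parse_log(text))
    return {"records": len(recs), "iocs": ioc_hits(recs), "beacons": find_beacons(recs)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"{result['records']} records")
    for client, host in result["iocs"]:
        print(f"IOC    {client} -> {host}")
    for b in result["beacons"]:
        kind = "script" if b["script"] else "data"
        print(f"BEACON {b['client']} -> {b['host']}{b['path']} "
              f"every ~{b['interval_s'] // 60} min ({b['hits']} hits, {kind})")
```

On the constructed log the script reports the single IOC contact from 10.0.0.33 and one beacon: 10.0.0.21 pulling /cfg.js roughly every 60 minutes with a JavaScript response, which is the shape of the hourly instruction fetch, while the irregular CDN and search traffic from the same client is left alone. Against real proxy data, lower min_hits to 3 for short capture windows and raise max_jitter if the proxy batches its log writes.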
Timeline
-
01.12.2025 17:01 · 4 articles
ShadyPanda Extensions Evolve into Spyware with 4.3M Installs
The ShadyPanda campaign has amassed more than 4.3 million installs of malicious Chrome and Edge extensions that began as legitimate tools and were turned into spyware over several phases. It remains active on the Microsoft Edge Add-ons store, where WeTab alone has 3 million installs and was still available for download when the articles were published. The extensions were first submitted in 2018, showed the first signs of malicious activity in 2023, and have since progressed from affiliate fraud (silently injecting affiliate tracking codes into eBay, Amazon and Booking.com links, and logging every visit, search query and click through Google Analytics) to browser hijacking (Infinity V+ redirecting searches through trovi[.]com, reading cookies and sending them to nossl[.]dergoodting[.]com to build unique identifiers, and capturing search-box input to profile interests in real time) and, from mid-2024, to a remote code execution backdoor.
That backdoor, identified by Koi Security in five extensions including the Google-featured and verified Clean Master and affecting some 300,000 users, polls an external server every hour and executes the JavaScript it returns with full browser API access; its payload exfiltrates visited URLs, HTTP referrers, timestamps, persistent UUID4 identifiers and complete browser fingerprints, encrypted, to remote servers, and the access it provides enables adversary-in-the-middle (AitM) credential theft, session hijacking and arbitrary code injection into any website. A parallel spyware operation of five additional Edge extensions, led by WeTab, reached more than 4 million users: posing as productivity tools, they collect every URL visited, search term, keystroke and mouse click along with various browser identifiers, WeTab New Tab Page alone sending data to 17 different domains, with traffic routed to servers in China.
Sources:
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
Information Snippets
-
Across its lifetime the ShadyPanda campaign has comprised 145 malicious extensions, 20 for Chrome and 125 for Edge.
First reported: 01.12.2025 17:01 · 4 sources, 4 articles
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The initial submissions of ShadyPanda extensions occurred in 2018, with the first signs of malicious activity observed in 2023.
First reported: 01.12.2025 17:01 · 4 sources, 4 articles
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions committed affiliate fraud by silently injecting affiliate tracking codes into legitimate eBay, Booking.com and Amazon links, so that the operators were credited with commission on the victims' purchases.
First reported: 01.12.2025 17:01 · 4 sources, 4 articles
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
In early 2024, the extension Infinity V+ began performing search hijacking, redirecting search queries to trovi[.]com.
First reported: 01.12.2025 17:01 · 4 sources, 4 articles
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
In 2024, five extensions were modified to include a backdoor delivered via an update that enabled remote code execution.
First reported: 01.12.2025 17:01 · 4 sources, 4 articles
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The backdoor exfiltrates browsing URLs, fingerprinting information, and persistent identifiers to api[.]cleanmasters[.]store using AES encryption.
First reported: 01.12.2025 17:01 · 4 sources, 4 articles
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The spyware component in the current phase of the attack collects browsing history, search queries, keystrokes, mouse clicks, and other sensitive data.
First reported: 01.12.2025 17:01 · 4 sources, 4 articles
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The five Edge spyware extensions already hold permissions sufficient for a later update to deliver a backdoor like the one found in the Clean Master set.
First reported: 01.12.2025 17:01 · 3 sources, 3 articles
- ShadyPanda browser extensions amass 4.3M installs in malicious campaign — www.bleepingcomputer.com — 01.12.2025 17:01
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
Five of the extensions started as legitimate programs before malicious changes were introduced in mid-2024.
First reported: 01.12.2025 19:29 · 3 sources, 3 articles
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The Clean Master extension was featured and verified by Google, allowing attackers to expand their user base and issue malicious updates without suspicion.
First reported: 01.12.2025 19:29 · 3 sources, 3 articles
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions engage in adversary-in-the-middle (AitM) attacks to facilitate credential theft, session hijacking, and arbitrary code injection into any website.
First reported: 01.12.2025 19:29 · 3 sources, 3 articles
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions collect information about how a victim interacts with a web page, such as the time spent viewing it and scrolling behavior.
First reported: 01.12.2025 19:29 · 2 sources, 2 articles
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The WeTab extension is still available for download as of the article's publication date.
First reported: 01.12.2025 19:29 · 3 sources, 3 articles
- ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware — thehackernews.com — 01.12.2025 19:29
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions injected affiliate tracking codes silently every time the victim clicked on eBay, Amazon, or Booking.com links.
First reported: 02.12.2025 15:48 · 2 sources, 2 articles
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions deployed Google Analytics tracking to monetize browsing data, logging every website visit, search query, and click pattern.
First reported: 02.12.2025 15:48 · 2 sources, 2 articles
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The Infinity V+ extension redirected web searches through the known browser hijacker trovi[.]com.
First reported: 02.12.2025 15:48 · 2 sources, 2 articles
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions read victims' cookies and sent them to nossl[.]dergoodting[.]com, where they were used to build unique per-victim identifiers without the users' consent or knowledge.
First reported: 02.12.2025 15:48 · 2 sources, 2 articles
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions captured users’ input in the search box, profiling their interests in real time.
First reported: 02.12.2025 15:48 · 2 sources, 2 articles
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions checked an external server for instructions and executed arbitrary JavaScript code every hour, with full browser API access.
First reported: 02.12.2025 15:48 · 2 sources, 2 articles
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions executed a payload designed to exfiltrate browser data to remote servers, collecting visited URLs, HTTP referrers, timestamps, persistent UUID4 identifiers, and complete browser fingerprints.
First reported: 02.12.2025 15:48 · 2 sources, 2 articles
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The WeTab New Tab Page extension, posing as a productivity tool, operates as a sophisticated surveillance platform, sending user data to 17 different domains.
First reported: 02.12.2025 15:48 · 2 sources, 2 articles
- Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors — www.securityweek.com — 02.12.2025 15:48
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The ShadyPanda campaign has been active for seven years, with initial submissions in 2018 and first signs of malicious activity in 2023.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
ShadyPanda leveraged trusted browser marketplaces to build user bases, operate legitimately for years, then quietly deploy malicious updates.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
A new Koi Security report identified a remote code execution backdoor affecting 300,000 users across five extensions, including Clean Master.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The extensions had operated normally since 2018, until a mid-2024 update enabled hourly downloads of arbitrary JavaScript.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
The malware logged website visits, exfiltrated encrypted browsing histories, and gathered full browser fingerprints.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
A parallel spyware operation reached more than 4 million users through five additional Microsoft Edge extensions, most notably WeTab, which alone accounted for 3 million installs.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
These extensions collected every URL visited, search term, mouse click, and various browser identifiers, with traffic routed to servers in China.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
ShadyPanda's first malicious activity dates to 2023; by then the operators had been publishing extensions (145 across Chrome and Edge over the campaign's lifetime) that masqueraded as wallpaper or productivity tools.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
These add-ons injected affiliate codes on several shopping sites and used Google Analytics to profile user behavior.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
By early 2024, the group shifted toward aggressive browser manipulation. One extension, Infinity V+, redirected searches through a known hijacker, harvested cookies, and transmitted keystrokes to external servers.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
Koi researchers attribute ShadyPanda's longevity to a persistent gap in marketplace extension review: an extension that was approved and ran cleanly for years could later ship a malicious update without drawing renewed scrutiny.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
-
To defend against similar threats, individuals are advised to routinely audit installed browser extensions, remove tools they no longer use, and favor developers with transparent update histories.
First reported: 02.12.2025 17:10 · 1 source, 1 article
- ShadyPanda's Seven-Year Campaign Infects 4.3M Chrome and Edge Users — www.infosecurity-magazine.com — 02.12.2025 17:10
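The audit recommended in the last snippet can be scripted. The following is an added example, not Koi Security's tooling and not code from any of the extensions: it walks a Chromium-style profile's Extensions directory (the Default/Extensions/<id>/<version>/manifest.json layout Chrome and Edge use) and rates each manifest by whether it holds the permission profile the ShadyPanda backdoor relied on, namely host access to every site plus cookies, webRequest or scripting, an alarms permission for a scheduled check-in, and a content security policy that still admits remote or eval'ed script. The three sample manifests, the risk thresholds and the profile locations tried in the main block are assumptions constructed for this example.

```python
"""Rate installed Chrome/Edge extensions by the permission profile the
ShadyPanda backdoor relied on. Added example: not Koi Security's tooling,
not code from the extensions; paths and samples are assumptions."""
import json
import os
from pathlib import Path

ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every site
SENSITIVE = {  # API permissions that matter once the extension can reach every site
    "cookies": "read/write cookies for any site (session hijacking)",
    "webRequest": "observe every request",
    "webRequestBlocking": "block or rewrite requests",
    "webNavigation": "see every URL the user visits",
    "tabs": "read URL/title of every open tab",
    "scripting": "inject scripts into any permitted page",
    "alarms": "run code on a schedule (an hourly check-in, say)",
}
STRONG = {"cookies", "webRequest", "webRequestBlocking", "scripting"}  # AitM-capable


def host_patterns(manifest):
    """Host patterns from MV2 'permissions' and MV3 'host_permissions'."""
    pats = set()
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("/" in entry or entry == "<all_urls>"):
                pats.add(entry)
    return pats


def remote_code_allowed(manifest):
    """True if the extension-page CSP lets script-src include a remote
    origin or 'unsafe-eval' (possible in MV2; MV3 rejects both)."""
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 shape
        csp = csp.get("extension_pages", "")
    if not isinstance(csp, str):
        return False
    for directive in csp.split(";"):
        directive = directive.strip()
        if directive.startswith("script-src"):
            return "'unsafe-eval'" in directive or "http" in directive
    return False


def audit_manifest(manifest):
    """Return name, version, risk rating and the findings behind it."""
    findings = []
    all_sites = bool(host_patterns(manifest) & ALL_SITES)
    if all_sites:
        findings.append("host access to every site")
    apis = [p for p in manifest.get("permissions", []) if p in SENSITIVE]
    findings.extend(f"{p}: {SENSITIVE[p]}" for p in apis)
    remote = remote_code_allowed(manifest)
    if remote:
        findings.append("CSP permits remote or eval'ed script")
    # All-site access plus cookies/webRequest/scripting (or remote script) is
    # what a ShadyPanda-style backdoor needs; anything less is rated medium.
    if all_sites and (STRONG & set(apis) or remote):
        risk = "high"
    elif all_sites or apis:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risk": risk, "findings": findings}


def installed_manifests(user_data_dir):
    """Yield (extension id, manifest) from a Chromium profile laid out as
    <user_data_dir>/Default/Extensions/<id>/<version>/manifest.json."""
    root = Path(user_data_dir) / "Default" / "Extensions"
    if not root.is_dir():
        return
    for path in root.glob("*/*/manifest.json"):
        try:
            yield path.parent.parent.name, json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue


# Constructed manifests (not real extensions) to exercise the audit offline.
BENIGN = {"manifest_version": 3, "name": "Plain New Tab", "version": "1.0",
          "permissions": ["storage"], "chrome_url_overrides": {"newtab": "index.html"}}
MEDIUM = {"manifest_version": 3, "name": "Wallpaper Example", "version": "2.1",
          "permissions": ["tabs", "storage"], "host_permissions": ["https://wallpapers.example/*"]}
SUSPECT = {"manifest_version": 2, "name": "Cleaner Example", "version": "4.2.0",
           "permissions": ["<all_urls>", "cookies", "tabs", "webRequest",
                           "webRequestBlocking", "alarms", "storage"],
           "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'"}

if __name__ == "__main__":
    local, home = Path(os.environ.get("LOCALAPPDATA", "")), Path.home()
    profiles = [local / "Google/Chrome/User Data", local / "Microsoft/Edge/User Data",
                home / ".config/google-chrome", home / ".config/microsoft-edge"]  # assumption
    reports = [(i, audit_manifest(m)) for d in profiles for i, m in installed_manifests(d)]
    reports += [("sample", audit_manifest(m)) for m in (BENIGN, MEDIUM, SUSPECT)]
    for ext_id, r in sorted(reports, key=lambda x: x[1]["risk"] != "high"):
        print(f"{r['risk']:6} {ext_id:32} {r['name']} {r['version']}")
        for finding in r["findings"]:
            print("       -", finding)
```

A high rating is not proof of malice (password managers and ad blockers legitimately need much of this), but it is the short list to compare against the names in the reporting and to watch for an update that changes the permission set; the audit reads only the manifest, so pair it with the proxy-log check for the actual behaviour.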
Similar Happenings
Matrix Push C2 Malware Delivery via Browser Push Notifications
Cybercriminals are exploiting browser push notifications to deliver malware through a newly discovered command-and-control (C2) platform called Matrix Push C2. This platform tricks users into allowing notifications, which are then used to redirect them to malicious sites, monitor infected clients in real time, and scan for cryptocurrency wallets. The attack is fileless, operating through the browser's notification system without requiring traditional malware files on the system. The campaign is orchestrated via a web-based dashboard that provides real-time intelligence on victims, including detailed information on each infected client. The platform includes analytics and link management tools to measure campaign effectiveness and adjust tactics. Social engineering templates for brands like MetaMask, Netflix, and PayPal are used to maximize the credibility of fake messages. Matrix Push C2 is offered as a malware-as-a-service (MaaS) kit, sold under a tiered subscription model with payments accepted in cryptocurrency. The platform was first observed in October 2025 and has been active since then.
GlassWorm malware targets OpenVSX, VS Code registries
The GlassWorm malware campaign has resurfaced with a third wave, adding 24 new packages to OpenVSX and the Microsoft Visual Studio Marketplace. The malware hides its code in invisible Unicode characters and targets GitHub, NPM and OpenVSX account credentials as well as cryptocurrency wallet data. The campaign initially affected 49 extensions with an estimated 35,800 downloads, a figure inflated by bots and visibility-boosting tactics. The Eclipse Foundation revoked leaked tokens and introduced security measures, but the threat actors pivoted to GitHub and have now returned to OpenVSX with updated command-and-control endpoints, posting a fresh transaction to the Solana blockchain that carries the C2 endpoint for the next-stage payload. The attackers' server was inadvertently exposed, revealing a partial victim list spanning the United States, South America, Europe and Asia, including a major government entity in the Middle East; Koi Security accessed the server and shared the victim data with law enforcement. The threat actor is assessed to be Russian-speaking and uses the open-source browser extension C2 framework RedExt as part of its infrastructure. The third wave packages Rust-based implants inside the extensions and targets popular tools and developer frameworks such as Flutter, Vim, Yaml, Tailwind, Svelte, React Native and Vue. Separately, a malicious Rust package named "evm-units", uploaded to crates.io in mid-April 2025 and downloaded more than 7,000 times, targets Windows, macOS and Linux developer machines by masquerading as an Ethereum Virtual Machine (EVM) unit helper tool.
The package checks for the presence of Qihoo 360 antivirus and alters its execution flow accordingly; its references to EVM and Uniswap indicate that the supply-chain incident targets developers in the Web3 space.
Increased Use of ClickFix Attacks by Threat Actors
ClickFix attacks, where users are tricked into running malicious commands by copying code from a webpage, have become a significant source of security breaches. These attacks are used by various threat actors, including the Interlock ransomware group and state-sponsored APTs. Recent data breaches at Kettering Health, DaVita, City of St. Paul, and Texas Tech University Health Sciences Centers have been linked to ClickFix-style tactics. The attacks exploit user behavior and technical gaps in detection to evade security measures and compromise systems. They are delivered through SEO poisoning, malvertising, and other non-email vectors, making them harder to detect and prevent. Effective defense against ClickFix attacks requires browser-based detection and blocking to intercept these threats at the earliest opportunity.
TikTok Videos Distribute Infostealers via ClickFix Attacks
Cybercriminals are using TikTok videos to distribute information-stealing malware through ClickFix attacks. The videos, disguised as activation guides for popular software like Windows, Spotify, and Netflix, trick users into executing malicious PowerShell commands. These commands download and execute Aura Stealer malware, which steals credentials, cookies, and cryptocurrency wallets. The campaign has been ongoing and is similar to one observed by Trend Micro in May 2025.
UNC5142 Abuses Blockchain Smart Contracts to Spread Malware via Compromised WordPress Sites
A financially motivated threat actor, UNC5142, has been exploiting blockchain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys, and Vidar on Windows and macOS systems. The attacks leverage compromised WordPress websites and a technique called 'EtherHiding' to hide malicious code on public blockchains. The campaign uses a multi-stage JavaScript downloader named CLEARSHORT to deliver malware, with the first stage interacting with a malicious smart contract on the BNB Smart Chain. The smart contract retrieves a landing page from an external server, which then employs social engineering tactics to infect the system. Google Threat Intelligence Group (GTIG) flagged about 14,000 web pages containing injected JavaScript associated with UNC5142, indicating a broad targeting of vulnerable WordPress sites. However, no activity has been observed since July 23, 2025.