Newly discovered malicious extensions could be lurking in enterprise browsers
Tuesday December 2, 2025. 04:34 PM , from ComputerWorld
A sprawling surveillance campaign targeting Google Chrome and Microsoft Edge users is just the latest evolution of a seven-year-long project to distribute malicious browser extensions.

By targeting trusted browser extensions and weaponizing them only after they had passed initial acceptance checks and gained a broad following, sometimes over years, a group that Koi has labelled “ShadyPanda” has infected 4.3 million browser instances to harvest browsing data, hijack search results, manipulate traffic, and deploy a backdoor capable of remote code execution. The risk for enterprises is significant if any of those browsers are on work PCs or on employees’ own devices used to access work resources, Koi warned.

“Infected developer workstations mean compromised repositories and stolen API keys,” security researcher Tuval Admoni said in a post on the Koi Security blog. “Browser-based authentication to SaaS platforms, cloud consoles, and internal tools means every login is visible to ShadyPanda.”

The malicious extensions are no longer being distributed, but organizations with infected machines remain at risk: “Even though the extensions were recently removed from marketplaces, the infrastructure for full scale attacks remains deployed on all infected browsers,” Admoni said.

Multi-year campaign with shifting motives

Koi’s analysis shows that ShadyPanda maintained a multi-year, multi-generational infrastructure of browser extensions dating back to 2017. The group cycled through dozens of extensions, with 20 published to the Chrome Web Store and 125 distributed for Edge. The earliest extensions focused on affiliate fraud, extracting hidden commissions on victims’ online purchases, later shifting to search-result manipulation. Most recently, they have included sophisticated behavioral tracking, session-data harvesting, and browser fingerprinting surveillance affecting 4 million users, and a backdoor supporting remote code execution (RCE) affecting 300,000.

ShadyPanda played the long game, with extensions including the popular Clean Master utility with 200,000 installs distributed as completely legitimate tools early on, earning them positive user ratings and, in some cases, trust signals such as “Featured” or “Verified” badges in the Chrome Web Store and Microsoft Edge Add-ons store.

No review after submission

This long-term legitimacy built a large user base and may have normalized these extensions inside enterprises, where browser add-ons often pass through with little scrutiny. Only after accumulating trust, and millions of installs, did ShadyPanda push silent malicious updates. It embedded hidden install-tracking routines that mapped user behavior and optimized reach before weaponizing the extensions through a malicious update. Because Chrome and Edge updates occur automatically and do not require user re-approval for existing permissions, the switch to malicious behavior happened quietly.

“ShadyPanda’s success is about systematically exploiting the same vulnerability for seven years: Marketplaces review extensions at submission,” Admoni said. “They don’t watch what happens after approval.”

Evasion and Man-in-the-Browser tricks

ShadyPanda also invested in staying hidden. Koi found that when developer tools were opened, the malicious logic immediately switched to benign behavior, making manual analysis harder. Obfuscation and controlled activation further obscured the malicious component, ensuring stealth.

Koi noted that some of these extensions were still live in the Edge Add-ons store at the time of disclosure. Clean Master’s publisher, Starlab Technology, launched 5 additional extensions on Microsoft Edge around 2023, picking up over 4 million combined installs. “All 5 extensions are still live in Microsoft Edge marketplace,” Admoni said, adding that two of those are comprehensive spyware. Google recently removed Clean Master from the Chrome Web Store, and today none of the extensions are available on the Chrome Web Store, a Google spokesman said.

Microsoft did not immediately respond to CSO’s request for comment.

As in a man-in-the-middle (MitM) attack, ShadyPanda effectively positioned itself between users and the websites they visited, inserting tracking logic into pages they loaded. This allowed the attackers to observe and manipulate traffic through the browser, giving the actor continuous visibility into how infected users interacted with the web. Admoni pointed out that removing the extensions might not help, as the attackers have presumably already collected high-value data including cookies, browsing patterns, session tokens, and fingerprinting data.

In its blog post, Koi provided a list of malicious Chrome and Edge extensions, along with C2 and data exfiltration domains to support detection efforts.

This article originally appeared on CSO.
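A defender-side inventory check of the kind the article's detection advice calls for, added here as an example (not Koi's tooling and not code from the report): it reads the manifests of every extension installed in a Chrome or Edge profile, flags any ID on a supplied blocklist, and flags extensions whose content scripts or host permissions reach every site, which is the capability needed to inject tracking logic into pages. The on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json` is assumed from Chromium's usual structure, and the blocklist ID and sample manifests are constructed placeholders, not real indicators.

```python
"""Audit Chrome/Edge extension manifests against an IoC list and
broad-permission heuristics. Illustrative code; IDs are placeholders."""
import json
from pathlib import Path

# Constructed placeholder; replace with the extension IDs published by Koi.
BLOCKLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Match patterns / host permissions that reach every page the user loads.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(ext_id, manifest, blocklist=BLOCKLIST):
    """Return a list of findings for one extension (empty = nothing flagged)."""
    findings = []
    if ext_id in blocklist:
        findings.append("on blocklist")
    # MV3 keeps hosts in host_permissions; MV2 mixes them into permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= set(manifest.get("permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    if hosts & BROAD_HOSTS:
        findings.append("content access to all sites")
    if "webRequest" in manifest.get("permissions", []):
        findings.append("webRequest permission")
    return findings


def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json (assumed layout)
    and return {(ext_id, version): findings} for flagged extensions only."""
    results = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id, version = path.parent.parent.name, path.parent.name
        # Store-packaged manifests sometimes carry a BOM; utf-8-sig tolerates it.
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        findings = audit_manifest(ext_id, manifest)
        if findings:
            results[(ext_id, version)] = findings
    return results


# Constructed sample manifests standing in for an installed profile.
SAMPLE = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Example Cleaner",
        "permissions": ["tabs", "webRequest"], "host_permissions": ["<all_urls>"]},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "Harmless", "permissions": ["storage"]},
}

if __name__ == "__main__":
    for ext_id, manifest in SAMPLE.items():
        print(ext_id, audit_manifest(ext_id, manifest) or "clean")
```

Run `audit_profile` against each user's profile directory (for example `~/.config/google-chrome/Default/Extensions` or the Edge equivalent) and review anything flagged, remembering that an all-sites permission is a prompt for review, not proof of compromise.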
https://www.computerworld.com/article/4099453/newly-discovered-malicious-extensions-could-be-lurking...