Two Google Chrome extensions distributed under the common name Phantom Shuttle have been identified as malicious tools that silently intercept browser traffic and exfiltrate sensitive data instead of providing the promised proxy service. According to researchers at Socket, the campaign has been active since at least 2017, indicating a long‑running and relatively successful operation.
Targeting Chinese Users Through a Fake Chrome Proxy Service
The primary targets of Phantom Shuttle are users in China, including employees of foreign trade and cross‑border businesses who routinely test website availability from different regions. By posing as a legitimate proxy and network speed testing solution, the extensions blend seamlessly into everyday workflows where proxy tools are a normal part of operations.
Both extensions are published in the Chrome Web Store under a single developer account and advertised as services for traffic proxying and network quality monitoring. Access to “premium” features is sold via subscription plans ranging from approximately 1.4 to 13.6 USD, reinforcing the appearance of a lawful commercial product and lowering suspicion among users.
How Phantom Shuttle Gains Full Visibility Into Chrome Traffic
Abusing Chrome Proxy Settings for Complete Traffic Redirection
The core capability of Phantom Shuttle is the redirection of all or most Chrome web traffic through attacker‑controlled proxy servers. The extensions connect to these proxies using hard‑coded credentials, while the malicious logic is injected at the beginning of a popular version of the jQuery library, making it easy to overlook during casual code review.
To hide critical configuration data, the developers employ a custom index‑based character encoding scheme. This obfuscation conceals embedded accounts and settings, helps evade basic static analysis, and reduces the likelihood that automated extension review systems will flag the code as suspicious.
Dynamic Proxy Auto‑Configuration and Selective Domain Targeting
For flexible control over which traffic is intercepted, Phantom Shuttle modifies Chrome proxy settings using a PAC (Proxy Auto‑Configuration) script. A PAC file is a small JavaScript program that tells the browser what proxy to use for each request. By manipulating this mechanism, the extensions automatically decide which connections must pass through the malicious nodes and which may go directly to their destination.
In the default configuration, named “smarty mode”, more than 170 domains are routed through the attacker’s proxies. The list includes developer platforms, cloud service consoles, social networks, and adult content sites—categories where login flows, token exchanges, and other sensitive transactions are especially common.
At the same time, the PAC script explicitly excludes local network ranges and the attackers’ own command‑and‑control (C2) infrastructure from proxying. This reduces the risk of breaking the malware’s own communications and helps avoid anomalies in network traffic that could expose the operation.
Stolen Cookies, Passwords, and API Tokens: Impact of the Attack
Intercepting Authentication Requests and Session Data
Using Chrome’s webRequest capabilities and the malicious proxies, the Phantom Shuttle extensions intercept HTTP authentication traffic for any site the victim visits. As a result, the operators can collect:
- usernames and passwords for online accounts;
- payment card details and other transaction form data;
- personal and contact information submitted via web forms;
- session cookies from HTTP headers;
- API tokens and access keys used by web apps and cloud services.
The theft of session cookies and access tokens is particularly dangerous because it can bypass multi‑factor authentication (MFA). When an attacker reuses a valid session cookie or bearer token, they can often impersonate the victim without needing to know the password or provide second‑factor codes.
Why Malicious Chrome Extensions Remain a Persistent Threat
Despite continuous improvements in automated review and abuse detection, the Chrome Web Store remains an attractive distribution channel for malicious extensions. Phantom Shuttle illustrates several techniques that adversaries use to avoid scrutiny:
- creating a plausible business use case (proxy and network testing service);
- offering subscription‑based monetization to mimic legitimate SaaS products;
- embedding malicious logic inside trusted third‑party libraries such as jQuery.
According to Socket’s research, both Phantom Shuttle extensions were still available in the Chrome Web Store at the time Socket published its findings. Similar incidents have been observed in past campaigns, where extensions with millions of installations were later found to be exfiltrating browsing data or injecting ads, highlighting the inherent challenge of securing browser ecosystems.
Security Best Practices for Users and Organizations
To reduce exposure to threats from malicious Chrome extensions and proxy tools, both individuals and enterprises should adopt the following practices:
- Limit the number of installed extensions and regularly review them, removing anything unused or unfamiliar.
- Carefully check the developer identity, ratings, reviews, and requested permissions before installation.
- Avoid extensions that request full access to data on all visited websites unless this is strictly necessary for the intended functionality.
- In corporate environments, enforce centralized Chrome policies that restrict installations to a vetted allowlist of extensions.
- Deploy web proxy, Secure Web Gateway, and endpoint monitoring solutions capable of detecting unusual proxy settings, suspicious PAC files, and anomalous outbound connections.
The Phantom Shuttle case underscores that even official extension stores cannot guarantee complete safety. Sustainable protection requires a combination of informed tool selection, basic cybersecurity hygiene, and robust browser governance. Users and organizations should stay alert to new reports of malicious Chrome extensions and proxy‑based attacks, update internal security policies accordingly, and educate staff to treat traffic‑manipulating tools—such as proxy, VPN, and “accelerator” plugins—with heightened caution.