A multi‑year operation dubbed ShadyPanda, analysed by Koi Security, illustrates how seemingly harmless browser add‑ons can quietly turn into powerful spyware. Over the course of the campaign, threat actors published 145 malicious extensions for Google Chrome and Microsoft Edge, amassing more than 4.3 million installations since 2018 and remaining partially active into 2024.
ShadyPanda campaign: scale, targets and attack architecture
According to Koi Security, the threat actors created 20 Chrome extensions and 125 Edge extensions under different brands and publishers. The operation followed a staged approach: the extensions initially behaved like legitimate utilities, then gradually evolved from affiliate fraud to large‑scale data collection and, in some cases, to a full backdoor with remote code execution inside the browser.
Early versions appeared in the official Chrome Web Store and Microsoft Edge Add‑ons catalog as far back as 2018. The first overtly malicious behaviour was only observed from 2023 onwards, aligning with a common tactic in extension abuse: build reputation and a user base first, then deliver harmful updates later via normal update mechanisms.
Evolution of the ShadyPanda malicious browser extensions
Phase 1: affiliate fraud disguised as productivity and customization tools
In the initial phase, the extensions posed as harmless utilities, such as new tab customizers, wallpaper switchers and productivity boosters. Behind the scenes they engaged in affiliate abuse: they silently replaced users’ links with the attackers’ own affiliate IDs for platforms like eBay, Booking.com and Amazon. This allowed the operators to collect commissions on purchases without yet deploying classic spyware payloads.
Phase 2: search hijacking and cookie theft in the browser
By early 2024, the operation escalated. One extension, known as Infinity V+, began intercepting users’ search queries and redirecting them to attacker‑controlled infrastructure, including domains such as trovi[.]com and subdomains under gotocdn. At the same time, the extension started stealing browser cookies, potentially enabling session hijacking — logging into users’ accounts on websites without passwords by reusing their active session tokens.
Phase 3: browser backdoor with remote JavaScript execution
The third phase introduced the most severe capability: a hidden backdoor. Five extensions originally uploaded in 2018–2019, which had already accumulated positive reviews and trust, received updates embedding code that allowed the attackers to execute arbitrary JavaScript with access to the full browser extension API.
The key example highlighted by Koi Security is the Clean Master extension, installed roughly 200,000 times. In total, backdoored extensions in this phase reached about 300,000 installations. Compromised browsers contacted the command‑and‑control (C2) server roughly every hour, pulling new commands and effectively acting as controllable clients within a covert cyber‑espionage network.
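The hourly check-in described above is the kind of behaviour a proxy or DNS log can reveal without any knowledge of the extension itself. The following is an added example, not code from Koi Security's report or from the ShadyPanda extensions: it parses constructed proxy log lines and flags destination hosts that a client contacts at near-constant intervals. The hostname c2-placeholder.example and the log contents are constructed placeholders, not indicators from the report.

```python
"""Detect periodic (beacon-like) outbound connections in proxy logs.

Added example for illustration; the log lines and the hostname
'c2-placeholder.example' are constructed, not indicators from the report.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client> <destination host>"
SAMPLE_LOG = """\
2024-03-01T08:00:02Z ws-0142 c2-placeholder.example
2024-03-01T08:03:11Z ws-0142 news.example
2024-03-01T09:00:05Z ws-0142 c2-placeholder.example
2024-03-01T09:41:57Z ws-0142 shop.example
2024-03-01T10:00:01Z ws-0142 c2-placeholder.example
2024-03-01T10:12:30Z ws-0142 news.example
2024-03-01T11:00:04Z ws-0142 c2-placeholder.example
2024-03-01T11:30:00Z ws-0142 news.example
2024-03-01T12:00:03Z ws-0142 c2-placeholder.example
2024-03-01T13:00:02Z ws-0142 c2-placeholder.example
2024-03-01T13:15:44Z ws-0142 news.example
"""


def parse_log(text):
    """Return {(client, host): [epoch seconds, ...]} built from the log lines."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host = line.split()
        dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        seen[(client, host)].append(dt.timestamp())
    return seen


def find_beacons(text, min_hits=4, max_jitter_ratio=0.05):
    """Flag (client, host) pairs whose gaps between connections are nearly constant.

    A regular check-in (such as the hourly C2 polling the report describes)
    shows up as a low coefficient of variation (stddev / mean) of the gaps.
    Ordinary browsing to a news or shopping site has irregular gaps and is
    not flagged. Returns a sorted list of (client, host, mean_gap_seconds).
    """
    results = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            results.append((client, host, round(avg)))
    return sorted(results)


if __name__ == "__main__":
    for client, host, gap in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: connects every ~{gap}s")
```

On the constructed log the only pair flagged is ws-0142 to c2-placeholder.example at roughly 3600 seconds; the same analysis run over real proxy or DNS logs gives a starting list of hosts to check against extension host permissions and update traffic, with the jitter threshold tuned to how regular the environment's legitimate polling (mail clients, update checkers) happens to be.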
Phase 4: mass data collection via Edge extensions from Starlab Technology
The currently active fourth phase revolves around five Microsoft Edge extensions published in 2023 by a vendor identified as Starlab Technology. These add‑ons were installed more than 4 million times and are primarily focused on stealthy collection of sensitive user data rather than immediately visible malicious behaviour.
What data the ShadyPanda spyware extensions collect
Koi Security reports that data harvested by the ShadyPanda extensions is exfiltrated to at least 17 domains hosted in China. The typical data set includes:
• full browsing history and search queries;
• details of visited websites and currently active tabs;
• browser and device information (version, language, OS, screen resolution);
• unique identifiers and technical metadata useful for long‑term tracking;
• cookies and session data accessible to the extension.
The code architecture of these extensions allows operators to push more aggressive functionality at any time via an update, including backdoor logic similar to that seen in Clean Master. While no such escalation has yet been publicly documented for the current Edge extensions, the design clearly enables it.
Vendor response and security risks for Chrome and Edge users
Following disclosure, Google removed the identified malicious extensions from the Chrome Web Store. However, Koi Security noted that at the time of its report, at least two suspicious extensions remained available in the Microsoft Edge Add‑ons catalog: WeTab (around 3 million users) and Infinity New Tab (Pro) (about 650,000 installations).
The risk goes far beyond intrusive advertising. A browser extension with a backdoor and remote code execution capabilities can access the content of web pages, authentication tokens, form fields and other sensitive data handled directly in the browser. Similar misuse of extensions has led in past incidents to large‑scale data leaks and credential theft, underscoring that add‑ons must be treated as high‑privilege software rather than cosmetic extras.
Security specialists recommend that users immediately remove questionable extensions, especially those named in recent reports, and change passwords for all critical online services, including email, social networks, backup services and online banking. Where multi‑factor authentication (MFA) is enabled, users should review trusted devices and active sessions for signs of compromise.
For both individuals and organizations, the ShadyPanda campaign is a reminder that browser extension security deserves the same attention as any other software. Regularly auditing installed add‑ons, uninstalling anything unused, preferring well‑known and transparent developers, and monitoring for unexpected changes in browser behaviour significantly reduces risk. Enterprises should enforce extension allow‑lists or centralized policies to block unvetted plugins. The fewer unnecessary extensions are installed, the lower the chance that the next “convenient” add‑on will turn out to be part of a long‑running spyware operation like ShadyPanda.
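The data categories listed under "What data the ShadyPanda spyware extensions collect" map directly onto extension permissions (history, tabs, cookies, webRequest, host access to every site), and the allow-list recommendation above is a matter of comparing installed extension IDs against an approved set. The following audit script is an added example, not code from Koi Security or from any extension named in this article: it reads Manifest V3 manifest.json files of the shape Chrome and Edge store on disk, reports the risky capabilities each one holds, and lists extensions that are both unapproved and capable of the kind of collection described. The sample manifests, the extension IDs and the allow-list are constructed placeholders; the on-disk Extensions directory layout (<id>/<version>/manifest.json) is the real Chrome layout, but the profile path is an assumption you must adjust.

```python
"""Audit installed browser-extension manifests for risky permissions and allow-list status.

Added example; the sample manifests, extension IDs and allow-list are constructed.
"""
import json
from pathlib import Path

# Permissions that grant the kinds of data the report describes being collected.
RISKY_PERMISSIONS = {
    "history": "full browsing history and search queries",
    "tabs": "URLs and titles of visited sites and active tabs",
    "cookies": "cookies and session tokens",
    "webRequest": "observation of every request the browser makes",
    "webNavigation": "every page navigation",
    "scripting": "injection of code into pages",
}

# Constructed enterprise allow-list of extension IDs (placeholders, not real IDs).
ALLOWLIST = {"aaaa-corp-password-manager-placeholder"}


def risk_of(manifest):
    """Return human-readable risk findings for one manifest dict."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    for perm in sorted(perms & set(RISKY_PERMISSIONS)):
        findings.append(f"permission '{perm}': {RISKY_PERMISSIONS[perm]}")
    # "<all_urls>" or a wildcard scheme+host pattern means access to every site.
    if "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts):
        findings.append("host_permissions: access to every site")
    return findings


def audit(installed):
    """installed: {extension_id: manifest dict}. Returns a per-extension report."""
    return {
        ext_id: {
            "name": manifest.get("name", "?"),
            "allowed": ext_id in ALLOWLIST,
            "findings": risk_of(manifest),
        }
        for ext_id, manifest in installed.items()
    }


def needs_review(report):
    """IDs that are not allow-listed and hold at least one risky capability."""
    return sorted(i for i, r in report.items() if not r["allowed"] and r["findings"])


def load_from_profile(extensions_dir):
    """Load {id: manifest} from a Chrome/Edge profile's Extensions directory.

    Layout is Extensions/<id>/<version>/manifest.json; the newest version
    directory wins. The path to pass in is an assumption for your system,
    e.g. ~/.config/google-chrome/Default/Extensions on Linux.
    """
    installed = {}
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        installed[ext_id] = json.loads(manifest_path.read_text(encoding="utf-8"))
    return installed


# Constructed sample manifests (Manifest V3 shape; names and values are made up).
SAMPLE_INSTALLED = {
    "aaaa-corp-password-manager-placeholder": {
        "manifest_version": 3, "name": "Corp Password Manager",
        "permissions": ["storage", "tabs"],
        "host_permissions": ["https://vault.corp.example/*"],
    },
    "bbbb-newtab-wallpaper-placeholder": {
        "manifest_version": 3, "name": "Wallpaper New Tab",
        "permissions": ["storage", "history", "cookies", "tabs"],
        "host_permissions": ["<all_urls>"],
    },
    "cccc-dark-mode-placeholder": {
        "manifest_version": 3, "name": "Dark Mode Toggle",
        "permissions": ["storage"], "host_permissions": [],
    },
}


if __name__ == "__main__":
    report = audit(SAMPLE_INSTALLED)
    for ext_id in needs_review(report):
        print(f"REVIEW {ext_id} ({report[ext_id]['name']})")
        for finding in report[ext_id]["findings"]:
            print("   -", finding)
```

Run against the constructed sample, only the "new tab" extension is flagged: it is not on the allow-list and requests history, cookies, tabs and access to every site, which is the permission set a wallpaper switcher has no need for and exactly what a data-collection phase like the one described requires. The allow-listed password manager also holds "tabs" but is skipped because it was explicitly approved; in practice the approval decision should rest on the same findings, and the list should be enforced centrally through browser policy rather than by a script that users can ignore.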