A Koi Security investigation has identified “ShadyPanda,” a sophisticated threat actor behind a seven-year campaign that has infected 4.3 million Chrome and Edge users.
By exploiting the inherent trust users place in browser marketplaces, ShadyPanda weaponized “Featured” and “Verified” extensions to deploy remote code execution (RCE) backdoors and large-scale spyware without triggering traditional security alarms.
The investigation reveals that ShadyPanda’s strategy relied on patience rather than immediate exploitation. The group operated legitimate extensions, such as “Clean Master,” for years to build a user base and earn a trusted status from Google and Microsoft.
Malicious Clean Master
In mid-2024, after building a user base of 300,000, the actor pushed a silent, malicious update.
This update turned the extensions into hourly RCE vehicles. Every infected browser now polls a command-and-control server (api.extensionplay[.]com) once an hour, downloads arbitrary JavaScript, and executes it with the extension's full privileges.
Because the malicious logic lives on the server rather than in the published package, the actor can switch payloads at will, from surveillance today to credential theft or potential ransomware tomorrow, and the code reviewed in the store never contains the payload, so static analysis of the listing sees nothing.
4.3 Million Chrome and Edge Users Hacked
While the RCE operation was surgical, ShadyPanda's Phase 4 campaign is industrial in scale. Five active extensions in the Microsoft Edge Add-ons store, including the popular “WeTab,” are currently installed by more than 4 million users.
Unlike the Chrome extensions, which have been removed, these Edge add-ons remain live. They collect comprehensive browser fingerprints, search queries, and full URLs, and transmit the data to servers in China, including Baidu and privately operated infrastructure.
The malware records mouse clicks with pixel-level precision and exfiltrates browsing history in real time, turning enterprise and personal browsers into open surveillance devices.
Based on the Koi Security report, here is a detailed breakdown of the specific data points collected and exfiltrated by the ShadyPanda malware campaigns.
Data Exfiltration Method

| Data Category | Specific Details Collected | Campaign / Source | Exfiltration Method |
| --- | --- | --- | --- |
| Browsing Activity | Complete URL history of every visited site; HTTP Referrers (showing navigation origin); navigation patterns and timestamps | Phase 3 (Clean Master); Phase 4 (WeTab) | AES-encrypted (Phase 3); real-time transmission (Phase 4) |
| User Input & Search | Search queries (Google, Bing, etc.); real-time keystrokes (capturing typos and corrections); pre-search intent (profiling before “Enter” is hit) | Phase 2 (Infinity V+); Phase 4 (WeTab) | Unencrypted HTTP (Phase 2); transmitted to Baidu/WeTab servers (Phase 4) |
| Device Fingerprinting | User Agent strings; operating system and platform; screen resolution and timezone settings; system language | Phase 3; Phase 4 | Used to build unique profiles that survive anti-tracking tools |
| Behavioral Biometrics | Mouse click coordinates (X/Y positions); specific page elements clicked; scroll behavior and depth; active time spent on specific pages | Phase 4 (WeTab) | High-frequency logging sent to surveillance servers in China |
| Identity & Storage | Persistent UUID4 identifiers (survive browser restarts); content of localStorage and sessionStorage; browser cookies (enabling session hijacking) | Phase 2; Phase 3; Phase 4 | |
ShadyPanda’s success highlights a critical flaw in the browser security model: trust is static, but code is dynamic. By passing an initial review and waiting years to weaponize the auto-update pipeline, the actor bypassed the primary defense mechanism of the Chrome and Edge stores.
The auto-update feature, designed to keep users secure, became the vector that delivered the infection directly behind enterprise firewalls.
The post 4.3 Million Chrome and Edge Users Hacked in 7-Year ShadyPanda Malware Campaign appeared first on Cyber Security News.