Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware

The Hacker News by The Hacker News
December 1, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


A threat actor known as ShadyPanda has been linked to a seven-year-long browser extension campaign that has amassed over 4.3 million installations over time.

Five of these extensions started off as legitimate programs before malicious changes were introduced in mid-2024, according to a report from Koi Security, attracting 300,000 installs. These extensions have since been taken down.

“These extensions now run hourly remote code execution – downloading and executing arbitrary JavaScript with full browser access,” security researcher Tuval Admoni said in a report shared with The Hacker News. “They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints.”

To make matters worse, one of the extensions, Clean Master, was featured and verified by Google at one point. This trust-building exercise allowed the attackers to expand their user base and silently issue malicious updates years later without attracting any suspicion.

Meanwhile, another set of five add-ons from the same publisher is designed to keep tabs on every URL visited by its users, as well as record search engine queries and mouse clicks, and transmit the information to servers located in China. These extensions have been installed about four million times, with WeTab alone accounting for three million installs.

Cybersecurity

Early signs of malicious activity were said to have been observed in 2023, when 20 extensions on the Chrome Web Store and 125 extensions on Microsoft Edge were published by developers named “nuggetsno15” and “rocket Zhang,” respectively. All the identified extensions masqueraded as wallpaper or productivity apps.

These extensions were found to engage in affiliate fraud by stealthily injecting tracking codes when users visited eBay, Booking.com, or Amazon to generate illicit commissions from users’ purchases. In early 2024, the attack shifted from seemingly harmless injections to active browser control through search query redirection, search query harvesting, and exfiltration of cookies from specific domains.

“Every web search was redirected through trovi.com – a known browser hijacker,” Koi said. “Search queries logged, monetized, and sold. Search results manipulated for profit.”

At some point in mid-2024, five extensions, three of which had been operating legitimately for years, were modified to distribute a malicious update that introduced backdoor-like functionality by checking the domain “api.extensionplay[.]com” once every hour to retrieve a JavaScript payload and execute it.

The payload, for its part, is designed to monitor every website visit and send the data in encrypted format to a ShadyPanda server (“api.cleanmasters[.]store”), along with a detailed browser fingerprint. Besides using extensive obfuscation to conceal the functionality, any attempt to access the browser’s developer tools causes it to switch to benign behavior.

Furthermore, the extensions can stage adversary-in-the-middle (AitM) attacks to facilitate credential theft, session hijacking, and arbitrary code injection into any website.

The activity moved to the final stage when five other extensions published around 2023 to the Microsoft Edge Addons hub, including WeTab, leveraged its huge install base to enable comprehensive surveillance, including gathering every URL visited, search queries, mouse clicks, cookies, and browser fingerprints.

They also come fitted with capabilities to collect information about how a victim interacts with a web page, such as the time spent viewing it and scrolling behavior. The WeTab extension is still available for download as of writing.

Cybersecurity

The findings paint the picture of a sustained campaign that transpired over four distinct phases, progressively turning the browser extensions from a legitimate tool into data-gathering spyware. However, it bears noting that it’s not clear if the attackers artificially inflated the downloads to lend them an illusion of legitimacy.

Users who installed the extensions are recommended to remove them immediately and rotate their credentials out of an abundance of caution.

“The auto-update mechanism – designed to keep users secure – became the attack vector,” Koi said. “Chrome and Edge’s trusted update pipeline silently delivered malware to users. No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance platforms.”

“ShadyPanda’s success isn’t just about technical sophistication. It’s about systematically exploiting the same vulnerability for seven years: Marketplaces review extensions at submission. They don’t watch what happens after approval.”



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
India Orders Phone Makers to Pre-Install Sanchar Saathi App to Tackle Telecom Fraud

India Orders Phone Makers to Pre-Install Sanchar Saathi App to Tackle Telecom Fraud

Recommended.

Il Ministero dell’istruzione brasiliano, l’UNESCO e Huawei lanciano i progetti di trasformazione digitale Open Schools a Bahia e Pará

Il Ministero dell’istruzione brasiliano, l’UNESCO e Huawei lanciano i progetti di trasformazione digitale Open Schools a Bahia e Pará

September 13, 2025
European companies double down on China manufacturing despite EU de-risking push

European companies double down on China manufacturing despite EU de-risking push

May 27, 2026

Trending.

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

Dell’s Infrastructure Blitz: Private Cloud, PowerStore Elite, PowerEdge In Spotlight At Dell Technologies World 2026

May 19, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio