ShadyPanda Malware Hits 4.3 Million Chrome and Edge Users in a 7-Year Stealth Attack
Researchers at Koi Security uncovered multiple coordinated operations that abused official extension marketplaces, including extensions featured and verified by Google, giving the attackers instant credibility and a massive reach.
In the most dangerous operation, ShadyPanda weaponized five long-standing extensions, including the “Featured” and “Verified” Clean Master, into a remote code execution (RCE) backdoor affecting over 300,000 users.
Initially benign since 2018–2019, these extensions operated legitimately for years to gain users and trust before receiving a malicious update in mid-2024 that turned them into hourly-controlled implants.
Every infected browser now checks an attacker-controlled server (api.extensionplay[.]com) every hour, downloads arbitrary JavaScript, and executes it with full browser API access, effectively giving ShadyPanda a persistent backdoor.
The current payload monitors every website visit, collecting URLs, referrers, timestamps, persistent UUIDs synced across devices, and complete browser fingerprints, then encrypts the data with AES and exfiltrates it to api.cleanmasters.store.
The extensions deploy heavy obfuscation, anti-analysis behavior that turns off malicious functions when developer tools are open, and even a large embedded JavaScript interpreter to evade Content Security Policy.
At the same time, a service worker layer enables man-in-the-middle attacks, content injection, credential theft, and session hijacking over HTTPS.
Even after marketplace removal, the malicious infrastructure remains active on any browser where the extensions are still installed.
Alongside the RCE backdoor, ShadyPanda runs a larger spyware operation via five Microsoft Edge extensions published by Starlab Technology, which together have over 4 million installs and remain live in the Edge Add-ons store.
The flagship extension, WeTab 新标签页 (WeTab New Tab Page), with around 3 million installs, tracks every URL visited, all search queries at keystroke level, mouse clicks with pixel precision, browser fingerprints, page interaction data, and storage access, sending data to 17 domains, including multiple Baidu and WeTab servers in China plus Google Analytics.
With broad permissions to access all URLs and cookies, these extensions can be silently updated at any time, allowing ShadyPanda to deploy the same hourly RCE backdoor used in Phase 3 or escalate to targeted espionage and account takeover.
Koi’s analysis traces ShadyPanda’s evolution through four phases: from 2023, when it used 145 “wallpaper” and productivity extensions to hijack e-commerce traffic, to early 2024, when it engaged in search hijacking and cookie exfiltration via extensions like Infinity V+, and finally to long-term trust-building followed by weaponization.
The core weakness exploited in every phase is the marketplace trust model itself: static review at submission, minimal behavioral monitoring afterward, and automatic trusted updates that can instantly convert millions of legitimate installs into a distributed surveillance and RCE platform.
Koi positions its behavioral monitoring and risk-scoring platform as a countermeasure, emphasizing continuous observation of what extensions actually do after installation rather than relying on claims and one-time reviews.
The post ShadyPanda Malware Hits 4.3 Million Chrome and Edge Users in a 7-Year Stealth Attack appeared first on Cyber Security News.