A sophisticated threat group operating under the name ShadyPanda has successfully compromised millions of browser users through a methodical seven-year campaign targeting popular Chrome and Edge extensions.<\/p>\n
The attack represents a significant breach of user trust, as the malicious extensions gained verified status from both Google and Microsoft, making them appear legitimate to unsuspecting users.<\/p>\n
Over this extended period, ShadyPanda infected 4.3 million devices while remaining largely undetected, demonstrating a patient and evolving approach to browser-based attacks.<\/p>\n
The campaign operates in two distinct but interconnected phases. The first involves a remote code execution (RCE) backdoor deployed through five weaponized extensions, including the well-known Clean Master application, which accumulated over 300,000 installations before activation.<\/p>\n
![\"Clean](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiygwOiFOvSnZ8tQG4uthgGpGkwyTBpaLzAK-SL8IClBEPL1Qla3Q_pHIrvuMk76VYKIQ9oaMvAWZXtbHkfbaY4RcA-QfcWOjNlwEx5I_gY53UYoDVyNsTs75Ona3QY3BesROC14PfqLeKRcKlKc1H_ci5bq6XK7Dur71A89gCcRtrkzU_XbhyphenhyphenfCSGCSsA\/s16000\/Clean%2520Master%2520-%2520the%2520malware%2520that%2520was%2520featured%2520by%2520Google%2520%28Source%2520-%2520Koi%29.webp?ssl=1\")
The second phase comprises a massive spyware operation spanning five additional extensions with over 4 million combined installs, particularly the WeTab New Tab Page extension with 3 million users alone.<\/p>\n
This dual-operation structure reveals the threat group\u2019s ability to maintain multiple attack vectors simultaneously while evading detection for extended periods.<\/p>\n
Koi security analysts noted<\/a> and identified that ShadyPanda\u2019s success stems from weaponizing legitimate applications through quiet updates rather than malicious distribution methods.<\/p>\n The group cultivated trust by allowing extensions to operate normally for years, collecting genuine user reviews and building installer counts.<\/p>\n When vulnerable numbers were reached, a single update transformed these trusted tools into surveillance<\/a> instruments, using Chrome and Edge\u2019s automatic update mechanisms to instantly compromise millions of browsers without user interaction or visibility.<\/p>\n The infection mechanism operates with remarkable sophistication through several technical methods. Every infected browser contacts remote servers hourly to retrieve new instructions and execute arbitrary JavaScript code<\/a> with full browser API access.<\/p>\n This creates a persistent backdoor rather than static malware, enabling the threat group to adapt attacks dynamically.<\/p>\n The malicious payload collects complete browsing histories, search queries, website navigation patterns, and precise mouse click coordinates, all encrypted with AES encryption before transmission to servers in China.<\/p>\n To maintain effectiveness against security researchers, the malware employs advanced evasion techniques.<\/p>\n When developer tools are opened, the extension immediately switches to benign behavior, preventing analysis and discovery.<\/p>\n The code uses heavy obfuscation<\/a> through shortened variable names and executes through a 158KB JavaScript interpreter to bypass security policies.<\/p>\n Service workers enable man-in-the-middle capabilities, allowing traffic interception and modification of legitimate files, including credential harvesting from HTTPS connections.<\/p>\n The threat landscape now extends beyond individual consumers to enterprise environments. Developer workstations running infected extensions represent entry points to corporate networks<\/a>, potentially compromising repositories, API keys, and cloud infrastructure access.<\/p>\n Security professionals must immediately audit installed extensions on critical systems and implement behavioral monitoring solutions to detect weaponization patterns that traditional static analysis cannot identify.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post 4.3 Million Chrome and Edge Users Hacked in 7-Year ShadyPanda Malware Campaign<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Cookie](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEg0GJ0sLKlPpC3S-L2gy-gzt91-faN18kFpVJSZsz5wv7fjCze8rSnZmwx5H7Ugycyz36ch5sr5dMAaww2J5AdxPqNpmcAVQFpU_lW0gVnwkhsXRvOW5aqLxhrM59sSv2Atx6d-J9Y8wJIJZCuQ0oLKZc_PXdEGFh5rZIIFEF0oirp2_odLHvxG1GB2SQs\/s16000\/Cookie%2520exfiltration%2520%28Source%2520-%2520Koi%29.webp?ssl=1\")
Infection mechanism<\/strong><\/h2>\n