A long-running operation linked to the threat actor ShadyPanda has been exposed for converting widely installed browser extensions into surveillance tools. The campaign has reportedly been active for about seven years and has accumulated more than 4.3 million installs.
According to Koi Security, five extensions that originally functioned as legitimate utilities were altered in mid-2024 with malicious updates that drew in around 300,000 additional installations before they were removed from official stores.
Security researcher Tuval Admoni told The Hacker News that these extensions began executing hourly remote code instructions, downloading and running any JavaScript sent by the attackers with full access to the victim’s browser. The extensions tracked browsing activity, extracted encrypted histories, and collected detailed fingerprint data from affected systems.
One extension named Clean Master had even been previously highlighted and verified by Google. This early trust helped the group expand its user base and later distribute harmful updates without raising suspicion.
A second batch of extensions from the same publisher was designed to track every URL the user visited, record search queries, capture mouse clicks, and forward the collected data to servers hosted in China. These add-ons reached nearly four million installations, with WeTab alone contributing roughly three million.
In 2023, early indicators of suspicious behavior appeared as developers using names like “nuggetsno15” and “rocket Zhang” uploaded numerous Chrome and Edge extensions disguised as wallpaper or productivity tools. Investigators found that these extensions injected affiliate tags into visits to platforms such as eBay, Booking, and Amazon in order to earn illegal commissions.
By early 2024, the operation escalated from affiliate fraud to direct browser manipulation. The malicious extensions redirected user searches through trovi.com, harvested queries, gathered cookies from selected domains, and adjusted search results for profit.

Koi Security reported that five extensions, including three that had been benign for years, were silently updated in mid-2024. These versions contacted the domain “api.extensionplay[.]com” every hour to download a JavaScript payload. The payload monitored browsing activity and transmitted encrypted logs to “api.cleanmasters[.]store,” a server linked to ShadyPanda. The developers embedded heavy obfuscation to hide the operation and programmed the extensions to behave normally when users attempted to open browser developer tools.
Researchers noted that the extensions were also capable of adversary-in-the-middle (AitM) attacks that enabled credential theft, session hijacking, and insertion of malicious code into any web page.
The activity later transitioned into a final phase where five additional Microsoft Edge extensions published in 2023, including the widely installed WeTab, were leveraged to carry out broad surveillance. These extensions recorded URLs, search behavior, cookies, mouse clicks, scrolling patterns, and overall user interaction with web pages. The WeTab extension remains available for download at the time of reporting.
Koi Security concluded that the campaign unfolded in four phases and gradually transformed functional browser extensions into full-scale spyware. Investigators added that it is still unclear whether the high install numbers were genuine or artificially boosted to create a sense of credibility.
Users who installed any of the affected extensions are advised to remove them immediately and update or change their account credentials. Identified extensions include:
- Clean Master: the best Chrome Cache Cleaner
- Speedtest Pro Free Online Internet Speed Test
- BlockSite
- Address bar search engine switcher
- SafeSwift New Tab
- Infinity V+ New Tab
- OneTab Plus Tab Manage & Productivity
- WeTab 新标签页
- Infinity New Tab for Mobile
- Infinity New Tab Pro
- Infinity New Tab
- Dream Afar New Tab
- Download Manager Pro
- Galaxy Theme Wallpaper HD 4k HomePage
- Halo 4K Wallpaper HD HomePage
Koi Security warned that the automatic update feature meant to provide safety became the attackers’ entry point. Silent version updates were delivered through trusted Chrome and Edge channels, turning ordinary tools into hidden monitoring software.
They concluded that ShadyPanda’s long-term success stemmed not only from technical capabilities but also from exploiting a critical oversight: extension marketplaces only check submissions at upload time, not the updates that follow.
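Because store review stops at upload time, the practical control on the user side is to baseline what an extension was granted when it was installed and to re-check that baseline after each update. The script below is an added example, not part of the article or of Koi Security's research, that compares a saved manifest snapshot with the one currently on disk and reports the changes a reviewer would want to see: a version bump, new permissions, newly broad host access, and a changed content security policy. The two manifests are constructed; the directory layout `<profile>/Extensions/<id>/<version>/manifest.json` is Chrome's on desktop platforms and is assumed rather than taken from the page.

```python
"""Detect a silent extension update that widened its permissions.

Added defender-side example. A baseline manifest (captured at install
time) is compared with the current one; the findings list is what a
reviewer should inspect before trusting the new version.
"""
import json
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permissions that let an extension read or alter browsing in bulk.
RISKY_PERMISSIONS = {
    "tabs", "cookies", "history", "webRequest", "webRequestBlocking",
    "scripting", "declarativeNetRequest", "webNavigation",
}

# Constructed baseline: a cache-cleaning utility with narrow permissions.
BASELINE = {
    "name": "Example Cache Cleaner",
    "version": "2.3.1",
    "manifest_version": 3,
    "permissions": ["browsingData", "storage"],
    "host_permissions": [],
}

# Constructed 'after' manifest: the same name, one version later, now with
# tab, cookie and request access on every site plus a relaxed CSP.
UPDATED = {
    "name": "Example Cache Cleaner",
    "version": "2.4.0",
    "manifest_version": 3,
    "permissions": ["browsingData", "storage", "tabs", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_security_policy": {"extension_pages": "script-src 'self' 'wasm-unsafe-eval'"},
}


def diff_manifests(baseline, current):
    """Return human-readable findings for changes between two manifests."""
    findings = []
    if baseline.get("version") != current.get("version"):
        findings.append(f"version changed {baseline.get('version')} -> {current.get('version')}")

    new_perms = set(current.get("permissions", [])) - set(baseline.get("permissions", []))
    for perm in sorted(new_perms):
        tag = "RISKY" if perm in RISKY_PERMISSIONS else "new"
        findings.append(f"{tag} permission added: {perm}")

    new_hosts = set(current.get("host_permissions", [])) - set(baseline.get("host_permissions", []))
    for host in sorted(new_hosts):
        tag = "BROAD" if host in BROAD_HOSTS else "new"
        findings.append(f"{tag} host permission added: {host}")

    if baseline.get("content_security_policy") != current.get("content_security_policy"):
        findings.append("content_security_policy changed")
    return findings


def load_installed_manifests(extensions_root):
    """Yield (extension_id, version_dir, manifest) for each installed version.

    Assumes the Chrome desktop layout <root>/<id>/<version>/manifest.json;
    other browsers store extensions differently.
    """
    for manifest_path in Path(extensions_root).glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        version_dir = manifest_path.parent.name
        with manifest_path.open(encoding="utf-8") as fh:
            yield ext_id, version_dir, json.load(fh)


if __name__ == "__main__":
    for finding in diff_manifests(BASELINE, UPDATED):
        print(finding)
```

A manifest diff is a cheap first filter, not a complete answer: the payload in this campaign was fetched at runtime by script, so a malicious update can keep the manifest unchanged and still change behaviour. Pair the check with hashes of the extension's code files captured at the same time as the baseline, and treat any version bump whose changelog does not explain new host access as a reason to remove the extension until it has been reviewed.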