A sophisticated threat group operating under the name ShadyPanda has successfully compromised millions of browser users through a methodical seven-year campaign targeting popular Chrome and Edge extensions.
The attack represents a significant breach of user trust: the malicious extensions carried verified status from both Google and Microsoft, so they looked legitimate to users and to the stores' own vetting. Over this extended period ShadyPanda infected 4.3 million devices while remaining largely undetected, a patient and evolving approach to browser-based attacks.
The campaign operates in two distinct but interconnected phases. The first involves a remote code execution (RCE) backdoor deployed through five weaponized extensions, including the well-known Clean Master application, which accumulated over 300,000 installations before activation.
The second phase comprises a massive spyware operation spanning five additional extensions with over 4 million combined installs, the largest of them the WeTab New Tab Page extension, which accounts for 3 million users on its own.
This dual-operation structure reveals the threat group’s ability to maintain multiple attack vectors simultaneously while evading detection for extended periods.
Koi Security analysts identified that ShadyPanda's success stems from weaponizing legitimate extensions through quiet updates rather than through malicious distribution.
The group cultivated trust by letting the extensions operate normally for years, collecting genuine user reviews and building up install counts.
Once the install base was large enough, a single update turned these trusted tools into surveillance instruments, riding the automatic update mechanism of Chrome and Edge to compromise millions of browsers with no user interaction and nothing visible to the user.
Infection mechanism
The infection mechanism combines several techniques. Every infected browser contacts remote servers hourly to retrieve new instructions and executes arbitrary JavaScript with full access to the browser APIs the extension was granted.
This makes the extension a persistent backdoor rather than static malware: the threat group can change what the implant does at any time without shipping another update.
The malicious payload collects complete browsing histories, search queries, website navigation patterns, and precise mouse click coordinates, all encrypted with AES encryption before transmission to servers in China.
To hold up against security researchers, the malware employs several evasion techniques.
When developer tools are opened, the extension immediately switches to benign behavior, frustrating analysis and discovery.
The code is heavily obfuscated with shortened variable names and runs through a 158KB JavaScript interpreter to bypass security policies: an embedded interpreter lets the extension execute fetched script text without `eval`, which the Manifest V3 extension content security policy would otherwise block.
The extension's background service worker gives it man-in-the-middle capability: it can intercept traffic, modify legitimate files in transit, and harvest credentials from HTTPS connections, because an extension with request access sees traffic after the browser has already terminated TLS.
The threat landscape now extends beyond individual consumers to enterprise environments. Developer workstations running infected extensions represent entry points to corporate networks, potentially compromising repositories, API keys, and cloud infrastructure access.
Security professionals must immediately audit the extensions installed on critical systems and add behavioral monitoring that can catch weaponization delivered through an update, a change that static analysis performed once at install time cannot detect.
