
Two fake Chrome extensions named “Phantom Shuttle” are deceiving thousands of users by posing as legitimate VPN services while secretly intercepting their web traffic and stealing sensitive login information.
These malicious extensions, active since 2017, have been distributed to over 2,180 users through the Chrome Web Store, where they continue to operate undetected.
The threat actor behind the scheme uses the email theknewone.com@gmail[.]com to publish both extension variants, which function identically despite having different appearances.
Victims are unaware they are running malicious software that monitors all their online activity and continuously sends their credentials to attacker-controlled servers.
The extensions market themselves as “multi-location network speed testing plugins” designed for developers and Chinese trade workers.
Users purchase subscriptions ranging from 9.9 to 95.9 yuan (approximately 1.40 to 13.50 USD) through legitimate payment methods, including Alipay and WeChat Pay.
They receive functional proxy services that appear to work as advertised, performing real latency tests and displaying connection status.
This commercial facade creates a false sense of security while hiding the devastating malicious activity happening in the background.
Socket.dev analysts identified that the extensions execute complete traffic interception through a sophisticated credential injection mechanism.
The extensions automatically intercept every HTTP authentication request across all websites and inject hardcoded proxy credentials (username: topfany, password: 963852wei) without user knowledge.
This allows attackers to redirect all browsing traffic through their own proxy servers, effectively creating a man-in-the-middle attack.
The Authentication Hijacking Mechanism
The malicious code is hidden inside modified JavaScript libraries bundled with the extension, specifically jquery-1.12.2.min.js and scripts.js.
Researchers found that the extensions employ a custom character-index encoding scheme to obfuscate the hardcoded proxy credentials, thereby making them harder to detect during security analysis.
The code registers a listener on chrome.webRequest.onAuthRequired, which intercepts authentication challenges before users see any prompts.
When triggered, the listener automatically responds with the hardcoded credentials using asyncBlocking mode, ensuring the response happens synchronously without giving users any opportunity to intervene.
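As an added example, not code from the article or from Socket.dev, the following Node.js script performs a static triage of unpacked Chrome extension sources for the pattern described above: an onAuthRequired listener registered in a blocking mode, scoped to all URLs, that answers with literal credentials. The extension files it scans are constructed samples with placeholder values.

```javascript
// Added example (not from the article or Socket.dev): static triage of unpacked
// Chrome extension sources for the onAuthRequired credential-injection pattern.
const LISTENER = /webRequest\.onAuthRequired\.addListener/;
const BLOCKING_MODE = /["'](asyncBlocking|blocking)["']/;
const ALL_URLS = /<all_urls>/;
// Literal username and password inside an authCredentials object.
const LITERAL_CREDS =
  /authCredentials\s*:\s*\{[^}]*username\s*:\s*["'][^"']+["'][^}]*password\s*:\s*["'][^"']+["']/;

// files: { "path": "source text" }. Returns one finding per file that registers
// an onAuthRequired listener, with a severity derived from three indicators.
function findAuthHijackIndicators(files) {
  const findings = [];
  for (const [path, src] of Object.entries(files)) {
    if (path.endsWith(".json") || !LISTENER.test(src)) continue;
    const f = {
      path,
      blockingMode: BLOCKING_MODE.test(src), // answers the challenge rather than observing it
      allUrls: ALL_URLS.test(src),           // applies to every site, not a single proxy host
      literalCredentials: LITERAL_CREDS.test(src),
    };
    // All three together: every site's auth challenge is answered with baked-in credentials.
    f.severity =
      f.blockingMode && f.allUrls && f.literalCredentials ? "high"
      : f.blockingMode ? "medium"
      : "low";
    findings.push(f);
  }
  return findings;
}

// Constructed sample of an unpacked extension (placeholder values, not the article's).
const SAMPLE_EXTENSION = {
  "manifest.json":
    '{"permissions":["webRequest","webRequestAuthProvider"],"host_permissions":["<all_urls>"]}',
  "scripts.js": `chrome.webRequest.onAuthRequired.addListener(function (details, callback) {
      callback({ authCredentials: { username: "PLACEHOLDER_USER", password: "PLACEHOLDER_PASS" } });
    }, { urls: ["<all_urls>"] }, ["asyncBlocking"]);`,
  "popup.js": 'document.getElementById("test").onclick = () => chrome.runtime.sendMessage({ ping: 1 });',
};

console.log(JSON.stringify(findAuthHijackIndicators(SAMPLE_EXTENSION), null, 2));
```

Running it on the sample prints a single "high" finding for scripts.js; a listener that only observes challenges for one proxy host is reported as "low".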
The extension maintains a 60-second heartbeat to the C2 server at phantomshuttle.space, continuously exfiltrating user data.
During every heartbeat transmission and VIP status check, which occur every five minutes for active users, the extension sends user email addresses and passwords in plaintext to the attacker infrastructure.
The extension remains operational as of December 23, 2025, and Socket.dev has submitted takedown requests to Google’s Chrome Web Store security team.
Users who installed these extensions should immediately uninstall them and change all passwords used in their browsers.
