4.3 million people infected with malware through stealthy browser extensions, here is a list of Chrome and Edge extensions affected by ShadyPanda's 7-year attack

Researchers have found that approximately 4.3 million users were infected with malware by browser extensions that first behaved normally to build a user base and then abruptly pushed malicious code. Sensitive data such as search queries, browsing history and page visits was stolen and sent to servers in China.
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | Koi Blog
An investigation by the security company Koi Security has revealed an attacker who operated undetected for seven years, along with the methods used. Koi Security has named the attacker 'ShadyPanda' and published its findings.
ShadyPanda carried out a backdoor attack targeting 300,000 users and a spyware campaign targeting 4 million users.
ShadyPanda's first attack, deployed in 2023, was simple but large-scale: 145 Chrome and Edge extensions disguised as wallpapers and productivity apps secretly inserted affiliate codes every time a user clicked through to eBay, Amazon, or Booking.com.
In 2024, ShadyPanda grew bolder and switched to active attacks, recording all of users' searches and visit histories and selling them to third parties. It also captured every keystroke typed into the search box, revealing details of what users typed that the submitted search queries alone would not show.
Extensions that behave this way are frequently exposed and removed from the stores within weeks or months of release. Perhaps anticipating this, ShadyPanda developed a longer-term strategy.

ShadyPanda quietly cultivated a total of five major extensions, including three released between 2018 and 2019. One of these was a seemingly normal extension called '
In mid-2024, ShadyPanda pushed updates that injected malicious code into the five major extensions. All five ran the same malware, which made every infected browser download and execute arbitrary JavaScript. This was not malware with a fixed function but a backdoor whose behavior changed with the attacker's intent: surveillance today, ransomware tomorrow, credential theft the day after.
At the time of the report, the malware monitored every website visit, collected the URLs visited, browser fingerprints, user agents and similar data, encrypted it and sent it to ShadyPanda's servers. The extensions' code is obfuscated, and if developer tools are opened to inspect it, the code detects this and switches to harmless behavior, cleverly hiding the attack.

ShadyPanda's most significant attack was carried out through extensions developed for Edge. Under the developer name Starlab Technology, ShadyPanda released five additional extensions around 2023, achieving a total of over 4 million installations. They then injected malicious code into these extensions and weaponized them. One particularly popular extension, '
Koi Security explains that these extensions escape the stores' notice because the stores only scrutinize extensions when they are first submitted and do not monitor them on an ongoing basis.
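Because the stores do not re-check extensions after approval, the defender-side gap described above (and the mid-2024 update that turned the five extensions into a backdoor) is best covered by baselining installed extensions yourself. As an added example that is not code from the article or from Koi Security, the Python below summarizes each extension's manifest.json and flags the kind of change a malicious update tends to need: a version bump that adds broad host permissions, or a content security policy that newly allows unsafe-eval or a remote script origin. It assumes Chrome's on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; the sample manifests and the `cdn.example.invalid` origin are constructed.

```python
import json
from pathlib import Path

# Permissions that let an extension read or alter every page the user visits.
BROAD_PERMS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
               "webRequest", "tabs", "history"}

def summarize_manifest(manifest: dict) -> dict:
    """Reduce a manifest.json to the fields that matter for an update audit."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # Manifest V3 nests the policy under extension_pages
        csp = csp.get("extension_pages", "")
    return {"version": manifest.get("version", ""), "permissions": perms, "csp": csp}

def audit_update(before: dict, after: dict) -> list:
    """Compare two manifest summaries; return findings a reviewer should look at."""
    findings = []
    if before["version"] != after["version"]:
        findings.append(f"version changed {before['version']} -> {after['version']}")
    added = (after["permissions"] - before["permissions"]) & BROAD_PERMS
    if added:
        findings.append(f"new broad permissions: {sorted(added)}")
    if "unsafe-eval" in after["csp"] and "unsafe-eval" not in before["csp"]:
        findings.append("CSP now allows unsafe-eval (lets downloaded code be eval'd)")
    for src in after["csp"].split():
        src = src.rstrip(";")  # any remote origin in the policy, e.g. a script CDN
        if src.startswith(("http://", "https://")) and src not in before["csp"]:
            findings.append(f"CSP now allows remote script source {src}")
    return findings

def audit_profile(baseline: dict, extensions_dir: Path) -> dict:
    """Diff every installed <id>/<version>/manifest.json against baseline summaries keyed by id."""
    report = {}
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name
        current = summarize_manifest(json.loads(manifest_path.read_text(encoding="utf-8")))
        if ext_id in baseline:
            findings = audit_update(baseline[ext_id], current)
            if findings:
                report[ext_id] = findings
    return report

# Constructed sample: a wallpaper extension before and after a suspicious update.
BENIGN = {"manifest_version": 2, "version": "1.4.0", "permissions": ["storage"]}
UPDATED = {"manifest_version": 2, "version": "1.5.0",
           "permissions": ["storage", "tabs", "<all_urls>"],
           "content_security_policy":
               "script-src 'self' 'unsafe-eval' https://cdn.example.invalid; object-src 'self'"}
```

Run `audit_update(summarize_manifest(BENIGN), summarize_manifest(UPDATED))` to see the four findings for the sample; `audit_profile` applies the same check to a live profile directory against a baseline you stored earlier.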
You can find the affected extensions on the following page:
Untitled - Pastebin.com
https://pastebin.com/eXb9GRjK
