A persistent malware operation dubbed "ShadyPanda" has infected over 4.3 million users through malicious browser extensions on Google Chrome and Microsoft Edge. The campaign, active since 2018, evolved through multiple phases, starting with seemingly legitimate wallpaper and productivity tools. These extensions initially engaged in affiliate fraud by injecting tracking codes into e-commerce links to generate illicit revenue.
The operation escalated in 2024, with extensions like Infinity V+ hijacking user searches and exfiltrating cookies and search queries. The most dangerous phase involved several older, trusted extensions receiving updates that installed a remote code execution backdoor. This backdoor allowed attackers to download and run arbitrary JavaScript commands on infected browsers every hour, effectively turning them into a controllable malware platform.
While Google has removed the identified extensions from its Web Store, the campaign remains active on the Microsoft Edge Add-ons platform. One extension, "WeTab 新标签页," still lists 3 million installs. The final active phase involves spyware components that collect extensive user data—including browsing history, keystrokes, and mouse clicks—and send it to domains in China. Users are strongly advised to check for and remove these extensions and reset their online account passwords.
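One way to act on the "check for and remove these extensions" advice is to inventory what is installed rather than trusting the toolbar. The script below is an added example, not code from the article or from any of the researchers it cites: it walks the standard Chrome/Edge profile layout `<profile>/Extensions/<extension-id>/<version>/manifest.json`, resolves the localized `__MSG_key__` names many extensions use (the Chinese-named "WeTab 新标签页" is exactly the kind of entry a raw manifest hides), and flags matches against a watchlist that holds only the two names the article gives; the sample profile it builds is constructed test data, and real extension IDs and update URLs would have to come from a published indicator list.

```python
import json
import os
import tempfile

WATCHLIST = {"Infinity V+", "WeTab 新标签页"}  # names quoted in the report; extend as more are published

def _load_json(path):
    """Parsed JSON at path, or None if the file is missing or malformed."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return None

def _resolve_name(ext_dir, manifest):
    """Resolve '__MSG_key__' names through _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale_file = os.path.join(ext_dir, "_locales", manifest.get("default_locale", "en"), "messages.json")
        name = (_load_json(locale_file) or {}).get(name[6:-2], {}).get("message", name)
    return name

def scan_extensions(root, watchlist=WATCHLIST):
    """Walk <root>/<id>/<version>/manifest.json; one record per installed version, flagged if on the watchlist."""
    found = []
    for ext_id in sorted(os.listdir(root)):
        id_dir = os.path.join(root, ext_id)
        for version in sorted(os.listdir(id_dir)) if os.path.isdir(id_dir) else []:
            ext_dir = os.path.join(id_dir, version)
            manifest = _load_json(os.path.join(ext_dir, "manifest.json"))
            if manifest is None:
                continue  # not an extension version directory, or unreadable manifest
            name = _resolve_name(ext_dir, manifest)
            found.append({"id": ext_id, "version": version, "name": name,
                          "update_url": manifest.get("update_url", ""), "flagged": name in watchlist})
    return found

def make_constructed_sample():
    """Write a constructed (not real) profile to a temp dir: one benign extension, two watchlisted ones."""
    root = tempfile.mkdtemp()
    files = {"aaaa/1.0/manifest.json": {"name": "Harmless Notes"},
             "bbbb/2.3.1/manifest.json": {"name": "__MSG_appName__", "default_locale": "zh_CN"},
             "bbbb/2.3.1/_locales/zh_CN/messages.json": {"appName": {"message": "WeTab 新标签页"}},
             "cccc/5.0/manifest.json": {"name": "Infinity V+", "update_url": "https://example.invalid/u"}}
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(content, fh)
    return root
```

Point `scan_extensions` at a real profile (for example `~/.config/microsoft-edge/Default/Extensions` on Linux, or the equivalent `User Data\Default\Extensions` path on Windows) and review every flagged record, then reset account passwords as the article advises, since the cookie and credential theft it describes outlives the extension.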
