ShadyPanda Spyware Campaign: Chrome and Edge Extensions With 4.3 Million Installs Turned Into Spyware

A sprawling, seven‑year campaign that quietly converted trusted Chrome and Edge extensions into full‑blown spyware has been revealed — and the fallout touches millions of users who never suspected their productivity or wallpaper add‑ons were silently watching them.

Background / Overview

Security researchers at Koi Security uncovered what they call the “ShadyPanda” campaign: a multi‑stage operation that first published benign extensions, built trust and install bases over years, then pushed malicious updates that converted those extensions into surveillance and remote‑code‑execution platforms. The consolidated impact reported by investigators is substantial: roughly 4.3 million installs across Chrome and Edge, including WeTab (reported at about 3 million installs on Edge) and a Clean Master extension family (hundreds of thousands of installs). These findings and the scale of the operation have been independently reported by multiple outlets and regional CERTs.

This is not the usual “scam extension” that injects ads or takes over a new‑tab page. According to the technical analysis, the compromised extensions gathered complete browsing histories (every visited URL), search queries, mouse click coordinates, cookies and local storage, and full browser fingerprint data. In some cases the extensions contained a backdoor that polled a command server hourly, downloaded arbitrary JavaScript, and executed it with full extension privileges, effectively giving an attacker live, programmable access to the browser. Persistent identifiers stored in synced extension storage can follow users across devices unless explicitly cleared.

Multiple browser stores removed the flagged extensions after disclosure. Google confirmed the malicious extensions are no longer available on the Chrome Web Store; Microsoft removed the offending items from the Edge Add‑ons catalog. However, removal from the store does not remotely uninstall them from already‑infected browsers: the active infections remain until the user takes remediation steps.

How the campaign worked: a technical breakdown

The “sleeper” strategy

ShadyPanda used a classic supply‑chain style pattern: publish clean, useful extensions; accumulate installs and positive signals (Featured/Verified status, good reviews); then issue an update that changes behavior. Because automatic updates are core to the extension experience, users received the malicious code without being asked to re‑approve anything. This delayed‑activation approach allowed the operation to scale without immediate suspicion.

Two distinct operational phases

Koi’s analysis and corroborating reports document at least two active operations in the campaign:
  • A smaller but highly dangerous RCE (remote code execution) backdoor operation affecting roughly 300,000 users across several extensions (including variants of Clean Master). These extensions polled a C2 (command‑and‑control) server hourly, downloaded new JavaScript payloads, and executed them with the extension’s full API access — enabling arbitrary actions from search hijacking to credential theft.
  • A far larger spyware collection operation affecting ~4 million users via a set of Edge and Chrome extensions (notably WeTab). This operation focused on mass data exfiltration: history, URLs, search queries, clicks, HTTP referrer chains, cookies/local storage and fingerprinting. The campaign transmitted that data to attacker‑controlled domains.

What the malicious code could do

The payload capabilities reported by researchers include:
  • Full browsing surveillance: every URL and timestamp, search query text, and navigational referrers.
  • Keystroke and click logging: capturing typed searches and mouse coordinates on pages.
  • Cookie and localStorage scraping: exposing session tokens and other web state.
  • Persistent cross‑device identifiers: storing UUIDs in chrome.storage.sync so a user’s profile could be tracked across devices and reinstall cycles.
  • Arbitrary script execution via an hourly polling backdoor that could be repurposed for additional attacks (credential theft, redirect injection, fraud).
Where multiple sources report the same behaviours, the overlap of code artifacts, domains, timing and infrastructure adds confidence to the core claims; however, some attribution elements (e.g., assertions about nation‑state involvement or precise ownership of backend infrastructure) are less concrete and should be treated with caution unless direct forensic links or intelligence disclosures are published.

Scope and scale: which extensions and how many users

The most eye‑catching numbers are:
  • 4.3 million combined installs of compromised items on Chrome and Edge (reported by Koi and repeated by multiple outlets).
  • WeTab family: reported at about 3 million installs, primarily across Edge but also on Chromium‑based stores.
  • Clean Master family: reported with several hundred thousand installs, and specifically called out as having been “Featured/Verified” in earlier years before the malicious update. Clean Master variants were implicated in the RCE backdoor cluster (~300k affected across the five extensions in that cluster).
Multiple independent industry reports repeat those figures; while numbers reported by third‑party media sometimes vary by tens of thousands (a normal variance across telemetry and timing), the overall scale — millions of affected installs — is consistently supported across Koi’s writeup and independent coverage. Caveat: public install counts are coarse metrics. They reflect store install tallies, which can include inactive profiles and multi‑device sync installs, and they do not directly equate to the number of active profiles that received the malicious update and had data exfiltrated. Still, they are a meaningful metric for scale and reach.

Vendor responses and removal actions

  • Google has stated that the malicious extensions are no longer present in the Chrome Web Store. Google’s review policies and store enforcement mechanisms were engaged after disclosure.
  • Microsoft removed the flagged extensions from the Edge Add‑ons store after Koi’s disclosure; Microsoft also reiterated that removal from the store doesn’t uninstall extensions already loaded in user profiles.
Important operational note: store takedown ≠ user remediation. An extension fetched and updated earlier remains installed and operational until the user uninstalls it (or until a browser‑level blocklist is pushed and applied to that profile). This is why immediate user action remains necessary even after public takedown notices.

What you should do right now — a practical, prioritized checklist

The following remediation steps combine vendor guidance, Koi’s technical notes, and broad security best practices reported by multiple sources. Prioritize them in order if you have limited time.
  • Immediately check your browser extensions (Chrome, Edge and any Chromium forks). Look for anything published by "Starlab Technology", or extensions named WeTab, Clean Master, Infinity V+, Infinity New Tab (Pro), or any extension you do not recognise. Remove (uninstall) suspicious items.
  • Update your browser to the latest version. Recent builds can apply additional security checks and may push vendor blocklists that disable known‑bad extensions. After updating, revisit your extension list in case automatic protections neutralized any component.
  • Clear synced extension data that may hold persistent identifiers. After uninstalling the malicious extension on every device signed into the same profile, reset or clear the browser’s sync data (for example from Chrome’s sync settings / the Google Dashboard sync controls, or in Edge under Profiles > Sync > Reset sync) so that UUIDs stored in chrome.storage.sync are removed from the account. Uninstalling everywhere first matters: as long as the extension is still installed on one synced device, its storage is pushed back up to the account.
  • Rotate passwords and re‑issue sensitive tokens. Assume that active sessions and stored cookies may have been exfiltrated — prioritize email, banking, password managers and any accounts with financial or recurring access. Where possible, use password managers and enable strong MFA (preferably hardware or app‑based one‑time passwords).
  • Run a reputable anti‑malware scan and endpoint detection (Microsoft Defender or third‑party EDR) to detect any post‑exploit artifacts. The extensions run inside the browser sandbox and may not drop native malware, but complementary endpoint checks can catch related artifacts or credential misuse.
  • For tech‑savvy users: create a fresh browser profile (or fresh user account) and re‑enable only the extensions you explicitly trust. Disable extension sync until you’re confident the new profile is clean. Consider resetting the browser to defaults if you see persistent unusual behaviors.
  • If you manage an enterprise environment, use GPO/Intune/MDM controls to block unapproved extensions, push extension allowlists, and audit installed extensions across managed devices. Treat “extensions with broad host permissions” as high‑risk.

How to verify if you were actually targeted

  • Check extension permissions and the publisher name in chrome://extensions or edge://extensions. If the publisher matches Starlab Technology, WeTab Team, or other suspicious publishers called out in the advisories, assume compromise until proven otherwise.
  • Inspect outbound network traffic (advanced): use browser developer tools or a network proxy (Fiddler, mitmproxy) on a controlled profile to see if an extension is calling out to unknown domains (watch for regular, roughly hourly connections or encrypted POSTs to unfamiliar hosts). This requires experience and should be done in isolation from production profiles.
  • Check for unexpected cookies, new localStorage keys, or unusual entries in extension storage (chrome.storage.sync) that look like UUIDs or persistent IDs.
Flag: network and forensic checks are powerful but can be tricky; if you’re unsure, prioritize uninstalling suspect extensions and rotating credentials rather than attempting risky self‑diagnostics on a production machine.

Why automatic updates and store trust failed here

The incident exposes several systemic weaknesses that threat actors can exploit:
  • Trust accumulation: Verified/Featured status and long‑running clean behavior create reputation capital that attackers can weaponize later.
  • Update pipeline as an attack vector: Extension auto‑update mechanisms are essential for security patching, but they also allow a malicious actor who controls the publisher account or an update channel to silently change functionality and push malware to an existing user base.
  • Insufficient post‑update inspection: Store review processes often focus on initial submission; subsequent updates may receive less scrutiny or be evaluated with less context. This gap can allow staged malicious code to slip through until post‑publication detection triggers removal.
  • Cross‑device sync as persistence: Storing identifiers in chrome.storage.sync makes tracking persistent and harder to purge automatically; clearing local extension code is not enough unless sync data is also wiped.
These are engineering and policy problems that browser vendors can and must address, but users are the near‑term front line of defense.

Broader implications and risks

  • The presence of a programmable backdoor in a widely deployed extension is chilling: it enables the attacker to change tactics on the fly. Today’s exfiltration could be tomorrow’s credential theft or targeted ransomware pivot. Because the backdoor can execute arbitrary JavaScript with the extension’s privileges, the attack surface is very broad.
  • Privacy erosion at scale: data sets collected (full history, search text, cookies) are extremely valuable for profiling, targeted fraud, or tracking. Combining browsing history with persistent IDs produces a rich, long‑lived profile of online behavior.
  • Supply‑chain trust erosion: users and enterprises may grow wary of third‑party extensions, but functionality trade‑offs are real — many productivity gains hinge on trusted extensions. The incident should push vendors toward more robust guarantees and secondary verification mechanisms.
Caveat on attribution: while Koi and reporting referenced domains and infrastructure hosted in certain geographies, public forensic disclosure stops short of naming an identified actor with high certainty beyond the researcher label “ShadyPanda.” Treat geopolitical implications and direct attributions as provisional without further corroborating intelligence disclosures.

Strengths in the research and gaps to watch

What’s strong:
  • The technical detail in Koi’s report — including code artefacts, C2 patterns and storage‑mechanism analysis — provides a compelling, reproducible basis for the claims. Independent reporting across security outlets reproduces the core findings and install estimates, which strengthens confidence.
  • Vendor takedowns occurred quickly once public disclosure happened, showing that reporting and store enforcement can still be effective at removing malicious ecosystem entries.
Remaining uncertainties / risk areas:
  • Exact user impact (how many truly active profiles had exfiltration) will likely remain fuzzy unless vendors or independent telemetry teams publish cleaned incident counts. Public install figures are a proxy, not an exact count of compromised users.
  • Attribution to a specific actor or sponsor remains researcher‑level and should be interpreted as an operational label until more definitive evidence is made public.
  • There may be additional infected extensions or related infrastructure that remained undisclosed at the time of initial reporting; this kind of campaign often has a tail of related indicators that surface later. Users and enterprises should remain vigilant.

Enterprise guidance: mitigate through policy and monitoring

  • Enforce an allowlist of approved extensions and block external extension stores via policy. Use MDM or GPO to centrally control allowed items.
  • Disable extension sync on managed profiles or restrict sync to enterprise‑approved stores and extensions.
  • Instrument browser telemetry: log extension install/remove events and outgoing DNS/HTTP patterns to detect unusual periodic polling or data exfiltration.
  • Educate users: require re‑verification of commonly used productivity extensions, and instruct users to remove any extension not explicitly approved by IT.

Conclusion

This incident is a stark reminder that the convenience of automatic updates and the apparent trust of store badges can be weaponized. The technical sophistication — long‑term quiet operation, staged malicious updates, cross‑device tracking via synced UUIDs and programmable backdoors — elevates the event from “annoying adware” to a strategic privacy and security failure with millions of users affected.
Immediate user action (uninstall suspect extensions, update browsers, clear sync data, rotate credentials) will materially reduce exposure. At the same time, browser vendors and enterprise administrators must harden store review, post‑update scanning and extension governance to prevent future campaigns that exploit the very mechanisms designed to keep software safe.
Remain skeptical of extensions asking for broad access, favor minimal permission models, and treat extension sync as a persistence vector — the next browser‑based supply‑chain attack will likely reuse the same playbook unless both users and platforms close these loopholes.
Source: Windows Central https://www.windowscentral.com/micr...alware-scheme-extensions-turned-into-spyware/
 
