ShadyPanda browser extensions amass 4.3M installs in malicious campaign

By Bill Toulas

December 1, 2025
10:01 AM

A long-running malware operation known as "ShadyPanda" has amassed over 4.3 million installations of seemingly legitimate Chrome and Edge browser extensions that evolved into malware.
The operation, discovered by Koi Security, unfolded in distinct phases that gradually introduced additional malicious functionality, turning the browser extension from a legitimate tool into spyware.
Over the years, the ShadyPanda campaign has comprised 145 malicious extensions (20 for Chrome and 125 for Edge). While Google has removed them from the Chrome Web Store, Koi reports that the campaign remains active on the Microsoft Edge Add-ons platform, with one extension listed as having 3 million installs.
It should be noted that it is unclear whether the install counts of these extensions were artificially inflated to make them appear more legitimate.
The ShadyPanda campaign
While the initial submissions of ShadyPanda extensions occurred in 2018, the first signs of malicious activity were observed in 2023, with a set of extensions posing as wallpaper and productivity tools.
According to Koi researchers, these extensions engaged in affiliate fraud by injecting tracking codes from eBay, Booking.com, and Amazon into legitimate links to generate revenue from users' purchases.
In early 2024, an extension called Infinity V+ began performing search hijacking, indicating that the ShadyPanda operators were becoming bolder.
Koi says the extension redirected search queries to trovi[.]com, exfiltrated users' cookies to dergoodting[.]com, and exfiltrated users' search queries to gotocdn subdomains.
In 2024, five extensions from the set, three of them uploaded in 2018 and 2019 and carrying a good reputation by then, were modified via an update to include a "backdoor" that gave the operators remote code execution in the browser.
"Every infected browser runs a remote code execution framework. Every hour, it checks api.extensionplay[.]com for new instructions, downloads arbitrary JavaScript, and executes it with full browser API access," explains Koi Security about the backdoor's functionality.
"This isn't malware with a fixed function. It's a backdoor."

(Image: The RCE function. Source: Koi Security)
The backdoor also exfiltrates browsing URLs, fingerprinting information, and persistent identifiers to api[.]cleanmasters[.]store, using AES encryption.
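The hourly check-in to api.extensionplay[.]com and the exfiltration to api[.]cleanmasters[.]store give defenders two things to hunt for in proxy or DNS logs: the indicator domains named in this article, and the beaconing cadence itself, which survives a change of domain. The following Python is an added example written for this article, not code from Koi Security or BleepingComputer. The log lines are constructed, the log format is an assumption, and the substring match on "gotocdn" is an assumption about how the "gotocdn subdomains" would appear in logs, since the article does not give the parent domain.

```python
"""Hunt for ShadyPanda indicators and hourly beaconing in web-proxy logs.

Added example, not code from Koi Security or BleepingComputer.
Only the domain names come from the article; everything else is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Indicator domains named in the article (defanging brackets removed so they match hostnames).
IOC_DOMAINS = {
    "api.extensionplay.com",   # hourly instruction fetch by the RCE backdoor
    "api.cleanmasters.store",  # AES-encrypted exfiltration endpoint
    "trovi.com",               # search-hijacking destination
    "dergoodting.com",         # cookie exfiltration
}
# The article says search queries went to "gotocdn subdomains" without naming the
# parent domain; flagging any hostname label containing this token is an assumption.
IOC_TOKENS = ("gotocdn",)

# Constructed sample log (not real traffic). Assumed format:
# "<ISO-8601 timestamp> <client-ip> <hostname> <path>"
SAMPLE_LOG = """\
2025-11-30T08:00:03Z 10.1.2.3 api.extensionplay.com /v1/check
2025-11-30T08:14:11Z 10.1.2.3 www.example.com /index.html
2025-11-30T09:00:05Z 10.1.2.3 api.extensionplay.com /v1/check
2025-11-30T09:31:47Z 10.1.2.3 api.cleanmasters.store /collect
2025-11-30T10:00:02Z 10.1.2.3 api.extensionplay.com /v1/check
2025-11-30T11:00:04Z 10.1.2.3 api.extensionplay.com /v1/check
2025-11-30T11:20:00Z 10.1.2.9 cdn.jsdelivr.net /npm/lib.js
2025-11-30T12:00:01Z 10.1.2.3 api.extensionplay.com /v1/check
2025-11-30T12:05:00Z 10.1.2.9 a1.gotocdn.example /q?s=bank+login
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split(maxsplit=3)
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, client, host.lower().rstrip("."), path))
    return events


def is_ioc(host):
    """True if the hostname is, or sits under, a known indicator domain."""
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        return True
    return any(tok in label for label in host.split(".") for tok in IOC_TOKENS)


def ioc_hits(events):
    """All requests to indicator domains, as (timestamp, client, host)."""
    return [(ts, client, host) for ts, client, host, _ in events if is_ioc(host)]


def beaconing(events, period_s=3600, tolerance_s=120, min_hits=4):
    """(client, host) pairs whose request gaps cluster tightly around period_s.

    This is the behavioural check: the article describes an hourly poll for new
    instructions, and a regular cadence is visible even if the C2 domain changes.
    """
    series = defaultdict(list)
    for ts, client, host, _ in events:
        series[(client, host)].append(ts)
    found = []
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        regular = (max(gaps) - min(gaps)) <= 2 * tolerance_s
        if regular and abs(median(gaps) - period_s) <= tolerance_s:
            found.append(key)
    return sorted(found)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ts, client, host in ioc_hits(evs):
        print(f"IOC    {ts.isoformat()} {client} -> {host}")
    for client, host in beaconing(evs):
        print(f"BEACON ~{3600}s {client} -> {host}")
```

Run against real proxy exports by replacing SAMPLE_LOG with a file read and adjusting parse_log to the export's column order. The indicator match catches the domains already known; the cadence check is what to keep after the operators move infrastructure, and it is worth widening min_hits and tolerance_s once you have a day of data rather than a few lines.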
A notable extension in this set is Clean Master on the Chrome Web Store, which had 200,000 installs at the time it was detected as malicious. In total, the extensions that carried the same payload had reached 300,000 installs.

(Image: The Clean Master extension. Source: Koi Security)
The fourth and final phase of the attack, which is the only one still underway, concerns five Microsoft Edge extensions published by 'Starlab Technology' in 2023. Since then, the extensions have accumulated 4 million installs.
According to the researchers, the spyware component in these extensions collects the following data, sending it to 17 domains in China:
Browsing history
Search queries and keystrokes
Mouse clicks with coordinates
Fingerprint data
Local/session storage & cookies

(Image: Data stolen from infected devices. Source: Koi Security)
Koi Security notes that these extensions also hold permissions sufficient to deliver, via an update, a backdoor like the one seen in the Clean Master set. However, no sign of that more malicious activity has been observed so far.
The researchers told BleepingComputer that they contacted Google and Microsoft about the malicious extensions. While the extensions were later removed from the Chrome Web Store, at the time of writing, BleepingComputer found the "WeTab 新标签页" (3 million users) and "Infinity New Tab (Pro)" (650k users) extensions from the publisher still present on the Microsoft Edge Add-ons store.

(Image: Spyware Edge extension. Source: Koi Security)
A complete list of all extension IDs linked to the ShadyPanda operation is available at the bottom of Koi Security's report.
Users are recommended to remove them immediately and reset their account passwords across their entire online presence.
BleepingComputer has contacted both Google and Microsoft about Koi Security's findings, and we will add their statements once we receive a response. We have also contacted the known developers of these extensions, but did not receive a response to our email.
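To act on that ID list, an administrator needs to know which browser profiles on a machine actually have the extensions installed. The following Python audit is an added example, not a tool from Koi Security or BleepingComputer. It walks the standard Chromium profile layout (<root>/<Profile>/Extensions/<id>/<version>/manifest.json) used by Chrome and Edge, matches extension IDs against a list you supply (the ID in the code is a placeholder, not a real ShadyPanda ID; substitute the IDs from the bottom of Koi's report), and, because the article notes that the still-live Edge extensions hold permissions sufficient to deliver a backdoor via an update, also flags any extension whose manifest combines several broad permissions. That permission heuristic, its threshold, and the fixture directory it builds for a self-contained run are the example's own assumptions.

```python
"""Audit installed Chrome/Edge extensions for known-bad IDs and broad permissions.

Added example, not a tool from Koi Security or BleepingComputer.
KNOWN_BAD_IDS holds a PLACEHOLDER: replace it with the IDs from Koi's report.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

KNOWN_BAD_IDS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # placeholder, not a real ShadyPanda extension ID
}

# Permissions that, combined, let an extension read browsing activity, take cookies,
# inject code into pages and run on a timer: the capabilities the article describes.
# Which ones count, and the threshold below, are this example's own heuristic.
RISKY = {"cookies", "history", "webRequest", "webNavigation", "tabs",
         "scripting", "alarms", "<all_urls>"}


def default_roots():
    """Default Chrome and Edge user-data roots for the current OS."""
    home = Path.home()
    if sys.platform == "win32":
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data",
                base / "Microsoft" / "Edge" / "User Data"]
    if sys.platform == "darwin":
        base = home / "Library" / "Application Support"
        return [base / "Google" / "Chrome", base / "Microsoft Edge"]
    return [home / ".config" / "google-chrome", home / ".config" / "microsoft-edge"]


def audit(root, bad_ids=KNOWN_BAD_IDS, risky_threshold=3):
    """Return one finding per flagged extension under <root>/<Profile>/Extensions/."""
    findings = []
    for manifest in Path(root).glob("*/Extensions/*/*/manifest.json"):
        ext_id = manifest.parents[1].name       # .../Extensions/<id>/<version>/manifest.json
        try:
            m = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
        perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
        risky = sorted(perms & RISKY)
        reasons = []
        if ext_id in bad_ids:
            reasons.append("known ShadyPanda ID")
        if len(risky) >= risky_threshold:
            reasons.append("broad permissions: " + ", ".join(risky))
        if reasons:
            findings.append({
                "profile": manifest.parents[3].name,
                "id": ext_id,
                "name": m.get("name", "?"),          # may be a __MSG_*__ locale key
                "version": m.get("version", "?"),
                "reasons": reasons,
            })
    return findings


def build_fixture(base):
    """Constructed fake profile tree so the audit can be exercised offline."""
    def write(profile, ext_id, manifest):
        d = Path(base) / profile / "Extensions" / ext_id / "1.0_0"
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

    write("Default", "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
          {"name": "Wallpaper Pro", "version": "3.2", "permissions": ["storage"]})
    write("Default", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
          {"name": "New Tab Helper", "version": "1.0",
           "permissions": ["cookies", "history", "tabs", "alarms", "storage"],
           "host_permissions": ["<all_urls>"]})
    write("Profile 1", "cccccccccccccccccccccccccccccccc",
          {"name": "Dark Theme", "version": "2.1", "permissions": ["storage"]})


def demo():
    """Build the constructed fixture in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return audit(tmp)


if __name__ == "__main__":
    roots = sys.argv[1:] or [str(r) for r in default_roots() if r.exists()]
    for root in roots or ["(demo fixture)"]:
        findings = audit(root) if root != "(demo fixture)" else demo()
        for f in findings:
            print(f"[{f['profile']}] {f['name']} ({f['id']} v{f['version']}): "
                  + "; ".join(f["reasons"]))
```

Run it with no arguments to scan the default Chrome and Edge roots for the current user, or pass one or more user-data directories explicitly (useful against a mounted disk image or a roaming profile share). A hit on "known ShadyPanda ID" is the direct match the article calls for; the "broad permissions" hits are the ones to review by hand, since legitimate extensions do request such sets, and removal alone is not the end of it: the article's advice to reset passwords applies to any profile where a flagged extension has been running.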


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.

Here is a summary of the BleepingComputer article on the ShadyPanda browser extension campaign:

The article describes a long-running malware operation, dubbed "ShadyPanda", that used seemingly legitimate Chrome and Edge extensions to amass over 4.3 million installs. Discovered by Koi Security, the operation unfolded in distinct phases, moving from affiliate fraud to search hijacking, then to a remote code execution backdoor and, in its still-active phase, spyware.

**Scope**
The campaign spans 145 malicious extensions (20 for Chrome and 125 for Edge). The earliest submissions date to 2018, but the first malicious behavior was observed in 2023, which let several extensions build a good reputation before turning. It is unclear whether the install counts were artificially inflated.

**Phase 1 (2023): Affiliate Fraud**
Extensions posing as wallpaper and productivity tools injected affiliate tracking codes from eBay, Booking.com and Amazon into legitimate links, earning the operators a commission on users' purchases.

**Phase 2 (early 2024): Search Hijacking**
The "Infinity V+" extension redirected search queries to trovi[.]com, exfiltrated users' cookies to dergoodting[.]com and sent their search queries to gotocdn subdomains.

**Phase 3 (2024): Remote Code Execution Backdoor**
Five extensions, three of them uploaded in 2018 and 2019, received an update that added a backdoor. Every infected browser polls api.extensionplay[.]com hourly, downloads arbitrary JavaScript and executes it with full browser API access; as Koi puts it, this is a backdoor rather than malware with a fixed function. The backdoor also exfiltrates browsing URLs, fingerprinting information and persistent identifiers to api[.]cleanmasters[.]store using AES encryption. The "Clean Master" extension alone had 200,000 installs when detected; the same payload reached 300,000 installs in total.

**Phase 4 (2023 to present): Spyware in Edge Extensions**
Five Edge extensions published by "Starlab Technology" in 2023 have accumulated 4 million installs. They collect browsing history, search queries and keystrokes, mouse clicks with coordinates, fingerprint data, and local/session storage and cookies, and send it to 17 domains in China. Koi notes that these extensions hold permissions sufficient to deliver a Clean Master-style backdoor via an update, but no such activity has been observed yet. This is the only phase still underway.

**Current Status and Response**
Google has removed the extensions from the Chrome Web Store. At the time of writing, "WeTab 新标签页" (3 million users) and "Infinity New Tab (Pro)" (650k users) remained on the Microsoft Edge Add-ons store. Koi Security's report lists all extension IDs linked to the operation; users are advised to remove them immediately and reset passwords across their online accounts. BleepingComputer has contacted Google, Microsoft and the known developers; the developers did not respond.

**Key Takeaways**
The campaign shows how extensions can accumulate installs and trust for years and then turn malicious through a single update, and how a backdoor that fetches and executes remote code lets the operators change an extension's function at will. Installed extensions, the permissions they hold and what their updates introduce deserve regular review.