Current Cyber Threats

ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware

Summary:
Koi researchers uncovered a long-running threat actor known as ShadyPanda, responsible for a seven-year browser extension operation impacting 4.3 million Chrome and Edge users. The actor built trust by publishing legitimate extensions for years, several of which even received Google’s Featured and Verified badges, before silently weaponizing them through routine auto-updates. Two major operations emerged: a 300,000-user RCE backdoor, in which extensions like Clean Master began executing hourly remote JavaScript with full browser access, enabling browsing-history theft, fingerprinting, and anti-analysis evasion; and a still-active 4-million-user spyware network on Microsoft Edge, led by the WeTab extension, which continuously exfiltrates URLs, search queries, clicks, cookie data, and complete interaction telemetry to Chinese infrastructure. Earlier phases show the actor evolving from simple affiliate fraud to search hijacking, cookie theft, and eventually full browser compromise. The campaign highlights how marketplace trust signals and auto-update mechanisms can be systematically abused to convert benign extensions into large-scale surveillance tools.


Security Officer Comments:
ShadyPanda demonstrates a mature, iterative threat model that exploits a structural weakness in modern browser ecosystems: once an extension is approved and gains user trust, its ongoing behavior is rarely scrutinized. The actor clearly understands browser-extension economics (install counts, verified badges, silent updates) and weaponizes marketplace incentives against users. The shift from low-level monetization to full RCE shows an actor with long-term planning, patient infrastructure development, and strong operational discipline. Their reliance on legitimate distribution and auto-update pipelines also allows them to bypass most enterprise controls, making these extensions a stealthy foothold inside corporate environments. The active 4-million-user spyware operation on Edge poses a significant ongoing risk because its permissions allow instant escalation to the same RCE framework used in earlier phases. This campaign should be viewed not just as spyware, but as a supply-chain vector capable of credential theft, session hijacking, SaaS compromise, and developer-environment infiltration.


Suggested Corrections:
Organizations should immediately audit all browser extensions in use, especially those with permissions for “all sites,” cookie access, or storage synchronization, and remove any extensions from the identified publishers. Enforce extension allowlists within Chrome Enterprise and Edge Enterprise to prevent unauthorized marketplace installs. Implement behavioral monitoring for abnormal outbound requests from browser processes, including telemetry sent to unknown domains, anomalous service-worker activity, or hourly beaconing. Require developers and privileged users to operate in hardened browser profiles with no third-party extensions. For high-risk environments, disable extension auto-updates and move to controlled update channels. Finally, integrate browser-extension security reviews into existing vendor/supplier risk workflows, treating high-permission extensions as third-party software dependencies subject to continuous monitoring rather than one-time approval.
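The extension permission audit described above, as an added example that is not part of the Koi report or either browser vendor's tooling: a Python script that reads each extension's manifest.json under a browser profile's Extensions directory and flags the three criteria the bulletin names. The profile path argument, the risky-permission list and the sample manifest are my assumptions; the sample manifest is constructed and does not describe any real extension.

```python
"""Flag installed browser extensions that hold the permissions the bulletin
calls out: all-sites host access, cookie access, and (sync) storage."""
import json
from pathlib import Path

# Assumption: this list reflects the bulletin's review criteria, not any
# official Chrome or Edge risk ranking.
RISKY_PERMISSIONS = {"cookies", "storage", "webRequest", "scripting", "tabs", "history"}
# Host patterns that grant access to every site (MV2 puts them in "permissions",
# MV3 in "host_permissions"; both are checked below).
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return review findings for one extension manifest (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    findings = {
        "name": manifest.get("name", "<unknown>"),
        "all_sites": bool(hosts & ALL_SITES_PATTERNS),
        "cookie_access": "cookies" in perms,
        # chrome.storage.sync is covered by the plain "storage" permission,
        # so a manifest cannot be narrowed to local-only storage here.
        "storage_sync": "storage" in perms,
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
    }
    findings["review"] = (findings["all_sites"] or findings["cookie_access"]
                          or findings["storage_sync"])
    return findings


def audit_profile(extensions_dir: Path) -> list:
    """Audit every <Extensions>/<id>/<version>/manifest.json under a profile."""
    results = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with open(manifest_path, encoding="utf-8") as fh:
            results.append(audit_manifest(json.load(fh)))
    return results


# Constructed sample manifest (not a real extension) used to exercise the audit.
SAMPLE_MANIFEST = {
    "name": "Example New Tab",
    "manifest_version": 3,
    "permissions": ["storage", "cookies", "tabs"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Point `audit_profile` at the profile's Extensions directory for the browser under review (for example `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on Windows) and feed the `review` hits into the removal or allowlist decision.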


Link(s):
https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign