Malicious Chrome Extensions “Phantom Shuttle” Masquerade as a VPN to Intercept Traffic and Exfiltrat
Summary:
Socket’s Threat Research Team identified two malicious Chrome extensions called Phantom Shuttle that masquerade as network speed testing and proxy tools for developers and foreign trade personnel. The two extensions, which have been available on the Chrome Web Store since at least 2017, require users to pay subscriptions ranging from $1.40 to $13.50 USD; subscribers believe they are purchasing a legitimate VPN service. In reality, both extensions secretly intercept user traffic and route browsing activity through attacker-controlled servers while exfiltrating sensitive data to C2 infrastructure. According to researchers, the extensions configure Chrome’s proxy settings to route traffic for over 170 targeted domains through the C2 infrastructure. These domains include developer platforms like GitHub and Docker, cloud services such as AWS, Azure, and Google Cloud, and corporate technology vendors like Cisco, IBM, and VMware. By routing traffic for these domains through C2 infrastructure, the actors can capture sensitive data in transit, such as login credentials and session tokens, leading to account compromise and follow-up attacks.
Security Officer Comments:
The extensions perform actual latency tests to proxy servers, display live connection status, and provide selectable proxy modes, all of which closely mirror the functionality of legitimate commercial VPN and network-testing tools. This functional feedback helps reduce user suspicion and retain paying subscribers, which has contributed to the extensions garnering more than 2,180 users at the time of writing. At the same time, the extensions persistently store user credentials, session tokens, and configuration data in Chrome’s local storage. This allows information to remain accessible to the extensions, even if the browser restarts, enabling continuous data exfiltration without requiring repeated user interaction.
Suggested Corrections:
For Users
- Review permissions before installing any extension, especially VPN or proxy tools.
- Avoid extensions requesting the webRequestAuthProvider permission.
- Check extension file sizes against legitimate library distributions.
- Verify proxy configuration changes in Chrome settings.
- Audit installed extensions monthly and remove unnecessary ones.
- Never reuse credentials across personal and corporate systems.
- Deploy extension whitelisting and block dangerous permissions.
- Monitor for extensions with subscription payment systems combined with proxy permissions.
- Flag extensions hardcoding credentials or wallet addresses.
- Implement network monitoring for suspicious proxy authentication attempts.
- Check for trojanized libraries through file size and hash comparison.
- Deploy EDR with browser extension analysis capabilities.
- Watch for domains with long registration histories but minimal legitimate presence.
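As an added illustration of the permission-review and webRequestAuthProvider checks above (example code written for this note, not Socket's tooling), the script below parses Chrome extension manifests and flags any extension that combines the proxy permission with webRequestAuthProvider, the pairing that lets an extension both redirect traffic and answer proxy authentication challenges silently. The sample manifest is constructed, and the directory layout it assumes (`<profile>/Extensions/<id>/<version>/manifest.json`) is the standard Chrome profile layout.

```python
import json
import sys
from pathlib import Path

# Permissions worth reviewing: "proxy" lets an extension rewrite Chrome's proxy
# settings, "webRequestAuthProvider" lets it supply proxy credentials without a
# prompt, and "storage" is where the advisory notes tokens were persisted.
RISKY_PERMISSIONS = {"proxy", "webRequestAuthProvider", "webRequest", "storage"}
HIGH_RISK_COMBO = {"proxy", "webRequestAuthProvider"}


def assess_manifest(manifest: dict) -> dict:
    """Return the risky permissions a manifest requests and whether it matches
    the proxy + auth-provider combination described in the advisory."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hosts = manifest.get("host_permissions", [])
    return {
        "name": manifest.get("name", "<unnamed>"),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "high_risk": HIGH_RISK_COMBO <= perms,
        "all_urls": "<all_urls>" in hosts or "<all_urls>" in perms,
    }


def scan_extensions_dir(root: Path) -> list:
    """Walk a Chrome profile's Extensions directory and assess every manifest.
    Unreadable or malformed manifests are skipped rather than aborting the scan."""
    results = []
    for manifest_path in root.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue
        report = assess_manifest(manifest)
        report["extension_id"] = manifest_path.parents[1].name  # <id> directory
        results.append(report)
    return results


# Constructed sample manifest (hypothetical, not taken from the real extensions).
SAMPLE_MANIFEST = {
    "name": "Example Speed Test Proxy",
    "manifest_version": 3,
    "permissions": ["proxy", "storage", "webRequest", "webRequestAuthProvider"],
    "host_permissions": ["<all_urls>"],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python audit.py <profile>/Extensions
        for r in scan_extensions_dir(Path(sys.argv[1])):
            if r["high_risk"] or r["all_urls"]:
                print(r)
    else:
        print(assess_manifest(SAMPLE_MANIFEST))
```

Run it against a profile's Extensions directory to list every extension that should be reviewed or removed; a hit on `high_risk` is the pattern this advisory describes, not proof of malice on its own.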
https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle