4.3M Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
9 days ago
- #browser-extensions
- #cybersecurity
- #malware
- ShadyPanda, a threat actor, has been running a seven-year browser extension campaign infecting 4.3 million Chrome and Edge users.
- Two active operations identified: a 300,000-user RCE backdoor and a 4-million-user spyware operation.
- Extensions like Clean Master and WeTab were weaponized after years of legitimate operation, collecting browsing history, search queries, and mouse clicks.
- ShadyPanda's strategy involved building trust with legitimate extensions before weaponizing them via silent updates.
- Four phases of operation: Wallpaper Hustle (affiliate fraud), Search Hijacking, The Long Game (trust-building), and Spyware Empire (mass surveillance).
- Extensions bypassed marketplace reviews by appearing legitimate initially, then updating maliciously.
- Remote code execution allowed hourly updates, enabling surveillance, credential theft, or ransomware.
- Complete browser surveillance included URL tracking, HTTP referrers, timestamps, UUID4 identifiers, and browser fingerprints.
- Evasion techniques included anti-analysis measures and man-in-the-middle capabilities.
- Microsoft Edge marketplace still hosts active ShadyPanda extensions with 4 million users.
- Systemic issue: Marketplaces review extensions at submission but lack ongoing monitoring.
- ShadyPanda exploited trust in auto-update mechanisms to deliver malware silently.
- Koi Security highlights the need for behavioral analysis to catch evolving threats post-approval.
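The gap named in the last two points, a store that reviews an extension once at submission while auto-update silently replaces its code, can be partly closed on the endpoint by keeping a baseline of what is installed and diffing against it. The script below is an added illustration, not code from the article or from Koi Security: it reads each extension's `manifest.json` from a Chrome or Edge profile's `Extensions` directory, records version and permissions, and reports version bumps and newly gained permissions on later runs. The extension IDs in the demo are constructed placeholders, the `HIGH_RISK` permission set is this example's choice rather than anything the article lists, and the on-disk layout `<Extensions>/<id>/<version>_<n>/manifest.json` is assumed to match the Chromium profile being scanned.

```python
"""Baseline-and-diff monitor for locally installed Chrome/Edge extensions.

Added example (not from the article or Koi Security): inventories installed
extensions from their manifest.json files and reports what changed since the
saved baseline, so a silent update that turns a long-trusted extension into a
surveillance tool surfaces as a concrete, reviewable event.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions that expose browsing activity or let an extension observe or
# alter traffic.  Chosen for this example; tune to your own policy.
HIGH_RISK = {"<all_urls>", "tabs", "history", "cookies", "webRequest",
             "webRequestBlocking", "scripting", "declarativeNetRequest"}


def default_extension_roots():
    """Standard per-profile Extensions folders for Chrome and Edge (Default profile)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google" / "Chrome" / "User Data" / "Default" / "Extensions",
                base / "Microsoft" / "Edge" / "User Data" / "Default" / "Extensions"]
    if sys.platform == "darwin":
        base = home / "Library" / "Application Support"
        return [base / "Google" / "Chrome" / "Default" / "Extensions",
                base / "Microsoft Edge" / "Default" / "Extensions"]
    return [home / ".config" / "google-chrome" / "Default" / "Extensions",
            home / ".config" / "microsoft-edge" / "Default" / "Extensions"]


def load_inventory(ext_root):
    """Return {ext_id: {"version": str, "permissions": set}} by reading
    <ext_root>/<ext_id>/<version>_<n>/manifest.json (assumed Chromium layout).
    If several version folders exist, the last one in sorted order wins."""
    inv = {}
    root = Path(ext_root)
    if not root.is_dir():
        return inv
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest = ver_dir / "manifest.json"
            if not manifest.is_file():
                continue
            data = json.loads(manifest.read_text(encoding="utf-8"))
            # MV3 splits host patterns into host_permissions; MV2 keeps them in permissions.
            perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
            inv[ext_dir.name] = {"version": str(data.get("version", "")), "permissions": perms}
    return inv


def diff_inventory(baseline, current):
    """Compare two inventories and return (ext_id, kind, detail) findings."""
    findings = []
    for ext_id, cur in sorted(current.items()):
        base = baseline.get(ext_id)
        if base is None:
            findings.append((ext_id, "new_extension", cur["version"]))
            continue
        if cur["version"] != base["version"]:
            findings.append((ext_id, "version_changed", f"{base['version']} -> {cur['version']}"))
        for perm in sorted(cur["permissions"] - base["permissions"]):
            kind = "high_risk_permission_added" if perm in HIGH_RISK else "permission_added"
            findings.append((ext_id, kind, perm))
    for ext_id in sorted(set(baseline) - set(current)):
        findings.append((ext_id, "removed", baseline[ext_id]["version"]))
    return findings


def save_baseline(inv, path):
    """Persist an inventory as JSON (sets become sorted lists)."""
    serialisable = {k: {"version": v["version"], "permissions": sorted(v["permissions"])}
                    for k, v in inv.items()}
    Path(path).write_text(json.dumps(serialisable, indent=2), encoding="utf-8")


def load_baseline(path):
    """Load a saved inventory; an absent file means 'no baseline yet'."""
    p = Path(path)
    if not p.is_file():
        return {}
    raw = json.loads(p.read_text(encoding="utf-8"))
    return {k: {"version": v["version"], "permissions": set(v["permissions"])} for k, v in raw.items()}


def _write_manifest(root, ext_id, version, permissions, host_permissions=()):
    """Create a minimal MV3 manifest in the Chromium folder layout (test fixture)."""
    d = Path(root) / ext_id / f"{version}_0"
    d.mkdir(parents=True, exist_ok=True)
    (d / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": ext_id, "version": version,
        "permissions": list(permissions), "host_permissions": list(host_permissions)}))


def demo_findings():
    """Constructed scenario: a 'cleaner' extension ships with only 'storage',
    then an update quietly adds tab and traffic access to every site while a
    second extension stays unchanged.  IDs are placeholders, not real ones."""
    with tempfile.TemporaryDirectory() as tmp:
        before, after = Path(tmp) / "before", Path(tmp) / "after"
        _write_manifest(before, "placeholder-cleaner-id", "1.0.0", ["storage"])
        _write_manifest(before, "placeholder-tab-id", "2.3.1", ["storage"])
        _write_manifest(after, "placeholder-cleaner-id", "1.1.0",
                        ["storage", "tabs", "webRequest"], ["<all_urls>"])
        _write_manifest(after, "placeholder-tab-id", "2.3.1", ["storage"])
        return diff_inventory(load_inventory(before), load_inventory(after))


if __name__ == "__main__":
    if "--scan" in sys.argv:
        # Real run: merge every known profile root, diff against baseline, then refresh it.
        current = {}
        for root in default_extension_roots():
            current.update(load_inventory(root))
        for ext_id, kind, detail in diff_inventory(load_baseline("extension-baseline.json"), current):
            print(f"{ext_id}: {kind} ({detail})")
        save_baseline(current, "extension-baseline.json")
    else:
        for ext_id, kind, detail in demo_findings():
            print(f"{ext_id}: {kind} ({detail})")
```

Run without arguments to see the constructed scenario: the cleaner extension produces a `version_changed` finding followed by three `high_risk_permission_added` findings, while the unchanged extension produces nothing. Run with `--scan` to inventory the local Default profiles and write `extension-baseline.json`; scheduling that run is what turns a one-time store review into the ongoing behavioural check the article calls for, at least for the permission and version dimension visible on disk. Note that an extension whose manifest is unchanged but whose bundled JavaScript now fetches instructions from a remote server will not trip this diff, so hashing the extension directory contents between runs is a natural extension.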