Researchers at endpoint security company Koi have identified a threat actor known as ShadyPanda, which carried out two cyberthreat operations spanning seven years. The campaigns notably take advantage of browser extensions, an underestimated attack surface: extensions often have access to sensitive areas of the browser, and users assume they are secure. Koi Security found that 4.3 million Chrome and Edge users were impacted by two active campaigns that leveraged supply chain risks and exploited user trust in automatic updates.
How ShadyPanda Built a Long-Game Operation
ShadyPanda’s attack tactics played out in multiple phases. They published 145 extensions in total—20 on the Chrome Web Store under the publisher name “nuggetsno15,” and 125 on Microsoft Edge under the publisher name “rocket Zhang.” These extensions started out benign, posing as wallpaper and productivity apps, so that the operators could accumulate users before weaponizing the software.
The early campaign in 2023 was a simple affiliate fraud operation: the attackers injected affiliate codes to earn hidden commissions when users visited sites like eBay, Amazon, and Booking.com. The scale and openness of the extension ecosystem aided these attacks. There are too many extensions to police effectively, and targets tend to trust extensions that many other users have installed and reviewed positively.
The Pivot: From Fraud to Surveillance and Control
In 2024, ShadyPanda shifted tactics from passively monetizing user clicks to actively controlling targets’ browsers using the Infinity V+ extension, which is deceptively marketed as a new-tab productivity tool. All of the targets’ web searches were redirected through the trovi.com browser hijacker in order to log, monetize, and sell search queries. In this phase, the threat actor achieved cookie harvesting, search input monitoring, and real-time user profiling.
The extensions read cookies from certain domains and send tracking data to nossl.dergoodting.com, exfiltrating the data and creating unique identifiers to monitor users’ browsing. This phase transformed the operation from a nuisance into a serious espionage-grade campaign that tracked and stole sensitive user data.
The Most Alarming Phase: Weaponizing Trusted Extensions
The most concerning development in the operation is ShadyPanda turning five legitimate extensions to malicious use, including longstanding ones with Featured and Verified status. The marquee example is the Clean Master extension, with years of legitimate operation and more than 200,000 installs. The threat actor achieved this by exploiting the silent update model: it pushed a malicious update that Chrome and Edge installed automatically, infecting users.
The update converted legitimate extensions into a remote JavaScript execution framework that runs arbitrary code every hour. The execution of this code with full browser API permissions has startling implications, enabling a backdoor that the threat actor can use as they see fit. The risks of this backdoor access include potential ransomware, credential theft, and corporate espionage down the line.
Enterprise Fallout: The Browser as a Supply-Chain Backdoor
ShadyPanda’s long-running operation has widespread consequences. The campaign can enable the threat actor to carry out a wide range of malicious operations in targets’ browsers. Their tactics enable them to hijack sessions, harvest credentials, take over accounts, compromise browser-based authentication processes, and access internal tools, cloud consoles, and SaaS platforms.
Compromising developer workstations can lead to impacts such as stolen API keys, repository access, and poisoned dependencies. A malicious browser extension can have far-reaching consequences. It is crucial to accept the uncomfortable truth that browser extensions are effectively part of the software supply chain, subject to all of the dangers of supply chain risk.
Why This Campaign Changes the Threat Landscape
The ShadyPanda campaign shows that auto-updating software is an attack vector that is not hypothetical, but already operationalized. Attacks through extensions raise the challenge of policing millions of extensions across multiple ecosystems, while exploiting the fundamental trust that users place in browser extension security.
This differs from traditional phishing and client-side malware in that it requires very little from the target to enable the attack—they need only install a browser extension and leave the browser’s auto-update function enabled. “The very auto-update mechanisms designed to keep users safe became the attack vector,” says Randolph Barr, Chief Information Security Officer at Cequence Security, a San Francisco, Calif.-based API security and bot management provider. “Chrome and Edge’s trusted update pipelines silently delivered malware with no phishing, no social engineering, and no user interaction.”
What Needs to Happen Next
To protect against the dangers of this campaign and similar ones that may arise, it is crucial for enterprises to take steps to secure their use of browser extensions. This includes requiring users to verify an extension’s source before installing it, auditing installed extensions, monitoring updates for ongoing legitimacy, and implementing security solutions that detect suspicious and malicious extensions. Browsers and extensions are not inherently secure; on the contrary, they should be treated as high-risk application environments.
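The audit-and-monitor steps above, as an added example that is not code from the article or from Koi Security: it diffs two snapshots of an endpoint's extension inventory so that a silent update which widens an allowlisted extension's permissions is reported, rather than trusted because the ID is known. The extension IDs, manifests and allowlist are constructed; on real endpoints the manifests would be read from each profile's Extensions/<id>/<version>/manifest.json.

```python
"""Audit a Chrome/Edge extension inventory and flag silent, risky updates.
Added example, not from the article or Koi Security; IDs and manifests are
constructed (real ones live in Extensions/<id>/<version>/manifest.json)."""

# Permissions that together let an extension read every site's cookies and
# run scheduled tasks, the capabilities an hourly remote-code phase relies on.
HIGH_RISK_PERMS = {"cookies", "webRequest", "scripting", "alarms"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def risk_flags(manifest: dict) -> list:
    """Return the static risk indicators present in one manifest."""
    perms = set(manifest.get("permissions", []))
    # MV2 keeps host patterns in "permissions", MV3 in "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | perms
    flags = ["broad-host-access"] if hosts & BROAD_HOSTS else []
    if perms & HIGH_RISK_PERMS:
        flags.append("sensitive-perms:" + ",".join(sorted(perms & HIGH_RISK_PERMS)))
    return flags


def audit(previous: dict, current: dict, allowlist: set) -> dict:
    """Diff two inventory snapshots ({ext_id: manifest}) and report findings.
    An allowlist alone misses the article's scenario (a trusted ID whose update
    quietly widens its permissions), so every version change is reported."""
    findings = {}
    for ext_id, manifest in current.items():
        notes = [] if ext_id in allowlist else ["not-allowlisted"]
        old = previous.get(ext_id)
        if old is None:
            notes.append("newly-installed")
        elif old["version"] != manifest["version"]:
            notes.append(f"updated:{old['version']}->{manifest['version']}")
            added = set(manifest.get("permissions", [])) - set(old.get("permissions", []))
            if added:
                notes.append("update-added-perms:" + ",".join(sorted(added)))
        notes.extend(risk_flags(manifest))
        if notes:
            findings[ext_id] = notes
    return findings


def sample_audit() -> dict:
    """Constructed snapshots: an allowlisted 'wallpaper' extension that gained
    cookie, network and scheduling rights in a silent update; one unchanged."""
    wallpaper, notes_app = "a" * 32, "b" * 32  # constructed extension IDs
    previous = {wallpaper: {"version": "1.2.0", "permissions": ["storage"]},
                notes_app: {"version": "3.0.1", "permissions": ["storage"]}}
    current = {wallpaper: {"version": "1.3.0", "permissions": [
                   "storage", "cookies", "webRequest", "alarms", "<all_urls>"]},
               notes_app: previous[notes_app]}
    return audit(previous, current, allowlist={wallpaper, notes_app})
```

Only the updated extension is reported; the unchanged, allowlisted one produces no finding, which is the signal-to-noise a monitoring job needs.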