ShadyPanda's 7-Year Browser Extension Campaign Infects Millions
A threat actor known as ShadyPanda has been linked to a seven-year-long browser extension campaign that has amassed over 4.3 million installations. Five of these extensions started off as legitimate programs before malicious changes were introduced in mid-2024, attracting 300,000 installs. These extensions have since been taken down. The modified versions perform remote code execution hourly, monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints. One of the extensions, Clean Master, was featured and verified by Google, allowing the attackers to expand their user base and silently issue malicious updates years later without attracting any suspicion.

Another set of five add-ons from the same publisher is designed to keep tabs on every URL visited by its users, as well as record search engine queries and mouse clicks, and transmit the information to servers in a country. These extensions have been installed about four million times, with WeTab alone accounting for three million installs.