A massive, long-running cyber-espionage campaign has been discovered operating in plain sight within the official Chrome and Edge extension stores. Dubbed “ShadyPanda” by Koi researchers, the threat actor has infected over 4.3 million users by weaponizing trusted browser extensions to surveil, track, and potentially compromise victims globally.
Unlike typical malware authors who burn their tools quickly, ShadyPanda played a patient game. The group uploaded legitimate extensions as early as 2018, meticulously building a user base and earning “Featured” and “Verified” badges from Google to establish credibility.
The strategy was simple but devastating: “build trust, accumulate users, and strike through silent updates.” After years of benign operation, the extensions were weaponized in mid-2024 via automatic updates, instantly transforming helpful tools into surveillance platforms.

One of the most notable compromised extensions was “Clean Master,” a cache cleaner with over 200,000 installs that was trusted by thousands of users before it began executing malicious code.
For 300,000 users, the infection went beyond simple tracking. ShadyPanda deployed a sophisticated Remote Code Execution (RCE) backdoor. “These extensions now run hourly remote code execution – downloading and executing arbitrary JavaScript with full browser access.”
This mechanism allowed the attackers to push any payload they wanted, effectively turning the browser into a botnet node. The malware was capable of:
- Monitoring every website visit.
- Exfiltrating encrypted browsing history.
- Collecting complete browser fingerprints.
While the RCE extensions have been removed from the Chrome Web Store, a larger, more insidious operation remains active. Researchers identified a “4-million-user spyware operation” centered around extensions on the Microsoft Edge marketplace.
The flagship of this operation is “WeTab” (WeTab New Tab Page), a productivity tool with over 3 million installs. Unlike standard extensions, WeTab reportedly functions as a surveillance tool, collecting:
- Every URL visited.
- Search queries.
- Mouse click patterns.
This sensitive data is then transmitted to servers in China. Because these extensions are still live on the Edge marketplace, millions of users remain at risk of active surveillance.
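A defender-side triage script for the two behaviours described above, hourly remote code execution and broad browsing surveillance; it is an added example, not code from the Koi report or from the extensions themselves. It walks an unpacked Chrome or Edge profile's Extensions directory, reads each manifest.json, and flags extensions whose name matches one the article names, whose permissions allow observing every page visit, or whose JavaScript pairs a remote fetch with eval/Function and schedules a roughly hourly alarm. The permission list, the regexes and the 30 to 120 minute window are assumptions about how the reported behaviour looks in source; the sample input in the test is constructed.

```python
import json
import re
import sys
from pathlib import Path

# Extension names called out in the article; the stores' extension IDs are not on the page.
WATCHLIST_NAMES = {"clean master", "wetab", "wetab new tab page"}
# Permissions that let an extension see every URL visited and fingerprint the browser (assumed set).
SURVEILLANCE_PERMS = {"tabs", "webNavigation", "history", "webRequest", "cookies", "<all_urls>"}
# "Download and execute arbitrary JavaScript": a remote fetch in the same file as a dynamic-code sink.
REMOTE_EXEC = re.compile(r"\b(eval|new\s+Function|chrome\.scripting\.executeScript)\b")
REMOTE_FETCH = re.compile(r"\b(fetch|XMLHttpRequest)\b.*?https?://", re.S)
# chrome.alarms period; values near 60 minutes match the "hourly" cadence the report describes.
ALARM_PERIOD = re.compile(r"periodInMinutes\s*:\s*(\d+)")


def assess_extension(manifest: dict, sources: dict) -> dict:
    """Return findings for one unpacked extension: its manifest dict and {filename: JS source}."""
    findings = {}
    name = str(manifest.get("name", "")).strip().lower()
    if name in WATCHLIST_NAMES:
        findings["watchlist_name"] = manifest.get("name")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    hit = sorted(perms & SURVEILLANCE_PERMS)
    if hit:
        findings["surveillance_permissions"] = hit
    for fname, code in sources.items():
        if REMOTE_EXEC.search(code) and REMOTE_FETCH.search(code):
            findings.setdefault("remote_code_execution", []).append(fname)
        if any(30 <= int(m.group(1)) <= 120 for m in ALARM_PERIOD.finditer(code)):
            findings.setdefault("hourly_alarm", []).append(fname)
    return findings


def scan_profile(root) -> dict:
    """Walk a profile's Extensions directory and map each flagged extension dir to its findings."""
    results = {}
    for manifest_path in Path(root).rglob("manifest.json"):
        ext_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8", errors="replace"))
        sources = {str(p.relative_to(ext_dir)): p.read_text(encoding="utf-8", errors="replace")
                   for p in ext_dir.rglob("*.js")}
        findings = assess_extension(manifest, sources)
        if findings:
            results[str(ext_dir)] = findings
    return results


if __name__ == "__main__":
    # Usage: python scan_extensions.py "<profile>/Extensions"
    for ext_dir, findings in scan_profile(sys.argv[1]).items():
        print(ext_dir, json.dumps(findings))
```

A hit on the permission check alone is common for legitimate extensions; the combination of a remote fetch feeding eval and an hourly alarm is the signal worth escalating.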
The success of ShadyPanda highlights a critical flaw in how browser marketplaces handle security. “Chrome’s review process focused on initial submission, not ongoing behavior,” allowing the actor to bypass defenses by updating code after approval.
For seven years, ShadyPanda exploited this “trust gap,” proving that the “auto-update mechanism – designed to keep users secure – became the attack vector.”
ShadyPanda’s campaign is a wake-up call for the browser ecosystem. By leveraging the reputation of “verified” extensions, the group has successfully compromised millions of devices. As the report concludes, “The systemic problem isn’t just one malicious actor. It’s that the security model incentivizes this behavior.”