ShadyPanda: A Seven-Year Browser Extension Campaign Exposes the Dangers of Trusted Updates

ShadyPanda, a threat actor, ran a seven-year browser extension campaign that infected 4.3 million Chrome and Edge users. Initially legitimate, the extensions were weaponized via silent updates into spyware and remote code execution (RCE) platforms, collecting browsing history, search queries, and cookies. The attack highlights the vulnerabilities in trusted update systems and underlines why organisations should adopt zero-trust security practices to mitigate the risk.
A recent investigation has unveiled a dangerous seven-year cyber espionage campaign orchestrated by a threat actor known as ShadyPanda. This actor exploited browser extension marketplaces, affecting over 4.3 million users of Google Chrome and Microsoft Edge.
The extensions, initially appearing as legitimate productivity and utility tools, were quietly weaponized via automatic updates, transforming them into spyware and remote code execution (RCE) platforms. As a result, sensitive data, including browsing history, search queries, and login credentials, has been exfiltrated, leaving individuals and organisations vulnerable to attack.
As Diane Downie, Senior Software Architect at Black Duck, explains, "Malicious code poses a real challenge since it closely resembles legitimate code, leveraging the same convenience features but with bad intent."
The Rise of ShadyPanda: A Timeline of Exploits
ShadyPanda's operations began in 2018, with the actor initially leveraging extensions disguised as harmless apps like wallpapers or productivity tools. Over time, the tactics grew more sophisticated, with the threat actor learning how to manipulate browser marketplaces to distribute their malicious payloads. The extensions, some of which were even "Featured" and "Verified" by Google, accumulated millions of downloads, building trust and ensuring widespread distribution before the malware could be activated.
Phase One: The Affiliate Fraud Scheme
ShadyPanda's first major campaign, which took place in 2023, involved a total of 145 extensions across both the Chrome Web Store and Microsoft Edge. These extensions, masquerading as wallpaper or utility apps, secretly injected affiliate tracking codes when users visited sites like eBay, Amazon, or Booking.com. The malware generated hidden commissions for every purchase made via these links, while also collecting data on every website visit, search query, and click pattern. The malicious extensions also deployed Google Analytics to monetise browsing data, providing ShadyPanda with a steady stream of income.
While this phase wasn’t particularly sophisticated, it taught ShadyPanda several valuable lessons:
- Trust in Popular Extensions: Extensions with high install counts and positive reviews are trusted by users, regardless of ongoing behaviour.
- Patience Pays Off: Some extensions operated undetected for months, accumulating a large user base before the malicious code was activated.
- Chrome's Review Process: Google’s review process focused on initial submissions, leaving room for ongoing malicious behaviour once extensions were approved.
Phase Two: The Search Hijacking Evolution
In early 2024, ShadyPanda's tactics became bolder and more intrusive. Extensions like Infinity V+, masquerading as new tab productivity tools, began hijacking core browser functionalities. Users’ search queries were redirected to a known browser hijacker, trovi.com, allowing ShadyPanda to monetise and manipulate search results for profit. Additionally, the extensions harvested cookies from specific websites, enabling ShadyPanda to track users’ browsing activity without their consent.
More worryingly, the extensions were capable of capturing partial search queries, typos, and corrections, essentially profiling users in real-time. The data was transmitted over unencrypted HTTP connections, making it easy to intercept and exploit.
Phase Three: Weaponizing Trust with Silent Updates
In mid-2024, ShadyPanda launched a far more sophisticated operation. Five extensions, including the widely installed Clean Master, had been operating legitimately for years, accumulating hundreds of thousands of installs and achieving "Featured" and "Verified" status on the Chrome Web Store. This trust allowed ShadyPanda to push a malicious update, turning the trusted extensions into full-scale malware platforms.
These extensions began running hourly remote code execution (RCE) checks, downloading and executing arbitrary JavaScript with full browser access. The malware would silently monitor all browser activity, exfiltrate encrypted data, and allow ShadyPanda to control the infected browsers at will.
Phase Four: The Spyware Empire
The most alarming aspect of ShadyPanda’s campaign is the ongoing operation targeting over 4 million users through five additional extensions. The flagship extension, WeTab, masquerading as a productivity tool, has amassed over 3 million installs alone. This extension collects and transmits a vast amount of personal data, including browsing history, search queries, mouse clicks, and browser fingerprints, to servers in China.
Unlike the previous phase, which saw extensions removed from the marketplace after being discovered, these five extensions are still live on Microsoft Edge. The malware is capable of silently pushing updates to infected browsers, meaning ShadyPanda can continuously weaponize over 4 million users’ systems at any given time.
The Dangers of the Silent Update Mechanism
The key danger in ShadyPanda's campaign lies in the weaponisation of the auto-update feature used by browsers like Chrome and Edge. While designed to keep users secure, this mechanism was used by ShadyPanda to silently distribute malicious updates to millions of unsuspecting users. Once the extensions were trusted, the updates allowed ShadyPanda to silently collect browsing data, perform remote code execution, and even hijack sessions.
The malware’s ability to remain undetected for years is a testament to the security flaws in browser extension marketplaces, which primarily focus on initial submission reviews but fail to monitor extensions' ongoing activity.
A Wake-Up Call for Organisations: The Zero-Trust Approach
This incident serves as a stark reminder for organisations to adopt a zero-trust security posture. As ShadyPanda has demonstrated, relying solely on traditional security measures like trust in verified extensions is insufficient. To mitigate the risk of falling victim to such attacks, organisations must continuously monitor the behaviour of all software and extensions, applying robust security frameworks to detect anomalies.
Downie further emphasises the importance of this approach: "The industry cannot let its guard down, as bad actors have strong incentives to play the long game in a landscape where almost everything is software-enabled. The ShadyPanda incident shows just how far those bad actors are willing to go. As this level of sophistication becomes the new normal, organisations need to adopt a serious zero-trust posture across their systems."
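One concrete form of the continuous monitoring described above is to baseline every installed extension's version and declared capabilities and alert when a silent update changes them. The script below is an added example, not the article's or Black Duck's code; the manifest keys are standard Chrome manifest.json fields, while the extension ids and manifests are constructed samples.

```python
"""Audit Chrome/Edge extension manifests for high-impact capabilities and flag
drift against a baseline (example added here, not the article's or any vendor's
code; the extension ids and manifests are constructed samples)."""

# Permissions that let an extension read or alter all browsing activity.
HIGH_RISK_PERMS = {"cookies", "history", "tabs", "scripting", "webRequest",
                   "webRequestBlocking", "webNavigation", "management"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit(manifest):
    """Return a sorted list of finding strings for one manifest dict."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))       # MV3 key
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}  # MV2 style
    for p in sorted(perms & HIGH_RISK_PERMS):
        findings.append("high-risk permission: " + p)
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if any(set(cs.get("matches", [])) & BROAD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        findings.append("content script injected into every site")
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):            # MV3 nests the policy under a sub-key
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp or "http" in csp:
        findings.append("CSP permits eval or remotely loaded script")
    return sorted(findings)

def drift(baseline, current):
    """Compare {ext_id: manifest} maps; report new and changed extensions."""
    report = {}
    for ext_id, man in current.items():
        old = baseline.get(ext_id)
        if old is None:
            report[ext_id] = {"status": "new", "findings": audit(man)}
            continue
        gained = sorted(set(audit(man)) - set(audit(old)))
        if man.get("version") != old.get("version") or gained:
            report[ext_id] = {"status": "changed", "from": old.get("version"),
                              "to": man.get("version"), "new_findings": gained}
    return report

# Constructed sample: a benign new-tab extension, then its "silent update".
BASELINE = {"ext-placeholder-1": {"name": "New Tab Wallpapers", "version": "1.4.0",
                                  "permissions": ["storage"]}}
UPDATED = {"ext-placeholder-1": {"name": "New Tab Wallpapers", "version": "1.5.0",
           "permissions": ["storage", "cookies", "tabs", "webRequest"],
           "host_permissions": ["<all_urls>"],
           "content_scripts": [{"matches": ["<all_urls>"], "js": ["bg.js"]}]}}
```

On a real endpoint the manifests would be read from each profile's extension directory and the baseline persisted, so that a version bump that also adds broad host access or cookie permissions, the pattern described for Phase Three, triggers an alert rather than going unnoticed.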