ShadyPanda ran a seven-year browser-extension campaign that weaponized trusted Chrome and Edge extensions to deploy a remote-code-execution backdoor (300K+ users) and a separate 4M+ user spyware operation centered on WeTab. The actor abused featured/verified status and auto-update mechanisms to exfiltrate browsing history, cookies, keystrokes, and full browser fingerprints for real-time surveillance and potential future attacks. #ShadyPanda #CleanMaster
Keypoints
- Koi Security attributes a seven-year extension campaign to a single threat actor dubbed ShadyPanda, responsible for infecting an estimated 4.3 million Chrome and Edge users.
- A 300,000-user operation (including Clean Master) was weaponized in mid-2024 to run an hourly RCE backdoor that downloads and executes arbitrary JavaScript with full browser API access.
- A separate 4-million-user spyware empire (including WeTab with ~3 million installs) collects every URL, search query, mouse click, and browser fingerprint and sends data to multiple servers in China.
- ShadyPanda exploited marketplace trust signals—Featured/Verified badges and high install counts—plus the browsers’ auto-update mechanism to push malicious updates silently.
- Malicious behavior includes cookie exfiltration, keystroke-level search capture over unencrypted HTTP, service-worker MITM to intercept/alter traffic, and heavy code obfuscation to evade analysis.
- Even after removals, the deployed infrastructure and auto-update framework remain on infected browsers, enabling rapid reweaponization for credential theft, session hijacking, or supply-chain attacks.
MITRE Techniques
- [T1176] Browser Extensions – Abuse of marketplace-approved extensions to distribute and persist malicious functionality; quote: ‘Some of ShadyPanda’s extensions were featured and verified by Google, granting instant trust and massive distribution.’
- [T1059] Command and Scripting Interpreter – Execution of arbitrary JavaScript delivered remotely as the payload; quote: ‘Every hour, it checks api.extensionplay[.]com for new instructions, downloads arbitrary JavaScript, and executes it with full browser API access.’
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and data exfiltration over HTTP/HTTPS endpoints, including unencrypted HTTP for search capture; quote: ‘All transmitted over unencrypted HTTP connections, making the data easy to intercept and monetize.’
- [T1041] Exfiltration Over C2 Channel – Exfiltration of browsing history, URLs, and fingerprints to attacker-controlled servers; quote: ‘They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints.’
- [T1539] Steal Web Session Cookie – Reading and exfiltration of cookies from specific domains to tracking endpoints; quote: ‘Extensions read cookies from specific domains and send tracking data to nossl.dergoodting.com.’
- [T1027] Obfuscated Files or Information – Heavy code obfuscation and use of an embedded JavaScript interpreter to evade detection and bypass CSP; quote: ‘The code uses heavy obfuscation with shortened variable names and executes through a 158KB JavaScript interpreter to bypass Content Security Policy.’
- [T1557] Adversary-in-the-Middle – Service worker capabilities used to intercept and modify network traffic, enabling credential theft and session hijacking even on HTTPS sites; quote: ‘Service worker can intercept and modify network traffic, replace legitimate JavaScript files with malicious versions, enabling credential theft, session hijacking, and content injection into any website – even HTTPS connections.’
- [T1195] Supply Chain Compromise – Abuse of the browser extension auto-update mechanism as an update-based supply-chain vector to weaponize previously legitimate extensions; quote: ‘The auto-update mechanism – designed to keep users secure – became the attack vector.’
Indicators of Compromise
- [Domains] C2, exfiltration, and tracking endpoints mentioned in reporting – extensionplay[.]com, dergoodting[.]com, and 5 more domains (yearnnewtab[.]com, api.cgatgpt[.]net, cleanmasters[.]store, s-85283.gotocdn[.]com, s-82923.gotocdn[.]com)
- [Chrome extension IDs] Identifiers for malicious/weaponized Chrome extensions – eagiakjmjnblliacokhcalebgnhellfiibiejjpajlflj… (first listed ID), and dozens of additional extension IDs included in the article.
- [Edge add-on IDs] Identifiers for malicious/weaponized Edge add-ons – bpelnogcookhocnaokfpoeinibimbeffenkihkf… (first listed ID), and many other Edge add-on IDs listed.
- [Extension names] Malicious or surveillance extensions referenced by name – Clean Master, WeTab (WeTab 新标签页), and multiple other extensions across Chrome and Edge marketplaces.
Read more: https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign