Illuminating ShadyPanda DNS Infrastructure Facts

Koi Security documented a seven-year ShadyPanda campaign that leveraged verified Google Chrome and Edge extensions to build trust, accumulate users, and push silent malicious updates, ultimately impacting an estimated 4.3 million browser users. Their investigation produced six domains and three subdomains as IoCs, identified 105 unique client IPs communicating with IoC domains, 735 email-connected domains (one used for phishing), and multiple malicious IPs such as 104.21.45.44 and 104.21.49.170. #ShadyPanda #gotocdn

Keypoints

  • ShadyPanda ran a long-running (seven-year) campaign that weaponized browser marketplaces by publishing verified Chrome/Edge extensions to gain user trust and push silent malicious updates.
  • Koi Security extracted seven initial IoCs (four domains, three subdomains) and expanded those to six unique domains and three subdomains for further analysis.
  • Network telemetry showed 105 unique client IP addresses under nine ASNs queried four IoC domains across 823 DNS queries between 11 Nov and 10 Dec 2025.
  • WHOIS and DNS history queries revealed domains registered between 2010 and 2023, registrars including GoDaddy, and 661 historical domain-to-IP resolutions across the six domains.
  • DNS and Threat Intelligence queries found seven unique IPs resolved from IoC domains, six of which were associated with malicious activity (e.g., malware distribution, phishing).
  • WHOIS history and Reverse WHOIS expanded the set to 735 email-connected domains; one of those domains was weaponized for phishing between 17 Jul and 2 Dec 2025.

MITRE Techniques

  • No MITRE ATT&CK techniques were explicitly mentioned in the article.

Indicators of Compromise

  • [Domain] IoCs identified and analyzed – gotocdn[.]com, extensionplay[.]com, dergoodting[.]com, and 3 more domains
  • [Subdomain] IoCs and suspicious hosts – api[.]cgatgpt[.]net, s-82923[.]gotocdn[.]com, s-85283[.]gotocdn[.]com
  • [IP address] Resolved/malicious IPs tied to IoC domains – 104[.]21[.]45[.]44, 104[.]21[.]49[.]170, and other IPs (total seven unique IPs; six flagged malicious)
  • [Email-connected domains] Domains linked via WHOIS email addresses – 735 discovered (one was weaponized for phishing between 17 Jul–2 Dec 2025); example domains are not individually named in the article
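As an added illustration of the telemetry analysis described in the key points (client IPs querying IoC domains) and of how the IoCs above would be consumed by a defender, the following Python script is not from the article or from Koi Security. It refangs the listed indicators, matches constructed DNS log lines against the IoC domains (including their subdomains, as with the s-82923 and s-85283 hosts) and the two listed IPs, and flags any non-IoC name that resolves to a known-bad IP as a candidate for the kind of infrastructure expansion the article performs. The log format, client IPs and non-IoC hostnames are constructed for the example.

```python
from collections import defaultdict

# Indicators as listed on this page, kept in their defanged form.
IOC_DOMAINS = ["gotocdn[.]com", "extensionplay[.]com", "dergoodting[.]com", "api[.]cgatgpt[.]net"]
IOC_IPS = ["104[.]21[.]45[.]44", "104[.]21[.]49[.]170"]

def refang(value):
    """Turn a defanged indicator (x[.]y) back into a matchable string."""
    return value.replace("[.]", ".").lower().rstrip(".")

def domain_matches(qname, ioc_domains):
    """IoC domain that qname equals or is a subdomain of (label boundary enforced), else None."""
    q = qname.lower().rstrip(".")
    for d in ioc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None

# Constructed DNS log lines (not from the article): timestamp,client_ip,qname,answer_ip
SAMPLE_LOG = """\
2025-11-11T08:01:12Z,10.0.0.5,s-82923.gotocdn.com,104.21.45.44
2025-11-11T08:01:13Z,10.0.0.5,www.example.com,93.184.216.34
2025-11-12T09:15:40Z,10.0.0.9,api.cgatgpt.net,104.21.49.170
2025-11-13T10:20:00Z,10.0.0.7,extensionplay.com,203.0.113.9
2025-11-13T10:20:01Z,10.0.0.7,cdn.update-host.test,104.21.45.44
"""

def hunt(log_text, ioc_domains=IOC_DOMAINS, ioc_ips=IOC_IPS):
    """Match DNS logs against the IoC set; summarise clients, queries and pivot candidates."""
    domains = [refang(d) for d in ioc_domains]
    ips = {refang(i) for i in ioc_ips}
    by_indicator = defaultdict(set)  # "domain:x" / "ip:y" -> set of client IPs
    pivots, queries = set(), 0       # non-IoC names resolving to IoC IPs; IoC-domain query count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, answer = line.split(",")
        hit = domain_matches(qname, domains)
        if hit:
            by_indicator["domain:" + hit].add(client)
            queries += 1
        if answer in ips:
            by_indicator["ip:" + answer].add(client)
            if hit is None:  # new name on known-bad IP: candidate for expanding the IoC set
                pivots.add(refang(qname))
    clients = set().union(*by_indicator.values())
    return {"queries_to_iocs": queries, "unique_clients": sorted(clients),
            "by_indicator": {k: sorted(v) for k, v in by_indicator.items()},
            "pivot_candidates": sorted(pivots)}
```

Running `hunt(SAMPLE_LOG)` on the constructed log reports three IoC-domain queries from three distinct clients and surfaces cdn.update-host.test as a name sharing the 104.21.45.44 address.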


Read more: https://circleid.com/posts/illuminating-shadypanda-dns-infrastructure-facts