Full Report
A threat actor known as ShadyPanda has been linked to a seven-year-long browser extension campaign that has amassed over 4.3 million installations over time. According to a report from Koi Security, five of these extensions, which together attracted 300,000 installs, started off as legitimate programs before malicious changes were introduced in mid-2024. These extensions have since been taken down. "These
Analysis Summary
# Threat Actor: ShadyPanda
## Attribution & Identity
**Primary Identification:** ShadyPanda
**Known Aliases/Associated Groups:** None explicitly named in the report; the extensions were published under the developer names "nuggetsno15" and "rocket Zhang."
**Known Associations:** Associated with a Koi Security report detailing their activities.
## Activity Summary
ShadyPanda is linked to a sustained, seven-year-long campaign involving browser extensions that progressively transitioned from legitimate applications into sophisticated spyware. A significant phase involved five extensions, some operating legitimately for years, being updated in mid-2024 to introduce malicious functionality. These specific extensions attracted around 300,000 installs post-malicious update. Another set of five add-ons, including **WeTab** (3 million installs), was used for mass surveillance. The campaign is described as progressing over four distinct phases.
## Tactics, Techniques & Procedures
- **Initial Phase (Pre-2024):** Publishing extensions (masquerading as wallpaper or productivity apps) and engaging in affiliate fraud by injecting tracking codes on e-commerce/booking sites (eBay, Booking.com, Amazon).
- **Early Malicious Activity (2023):** Search query redirection through `trovi[.]com` (browser hijacker), search query harvesting, and monetization/manipulation of search results.
- **Escalation (Mid-2024):** Distribution of malicious updates leading to hourly Remote Code Execution (RCE) via JavaScript payload downloads from `api.extensionplay[.]com`.
- **Surveillance/Data Exfiltration:** Monitoring every website visit, exfiltrating encrypted browsing history, complete browser fingerprints, recording search engine queries, and tracking mouse clicks.
- **Defense Evasion:** Using extensive obfuscation. Switching to benign behavior when browser developer tools are accessed.
- **Adversary-in-the-Middle (AitM):** Capabilities implemented to facilitate credential theft and session hijacking via arbitrary code injection into websites.
## Targeting
- **Sectors:** Not explicitly listed by sector, but tactics target general internet users engaging in e-commerce and web searching.
- **Geography:** Data exfiltration servers are reported to be located in **China**.
- **Victims:** Over 4.3 million installations across Chrome Web Store and Microsoft Edge Addons. Specific victims are not named, but users of popular extensions like **WeTab** were heavily targeted.
## Tools & Infrastructure
- **Malware Families Used:** Custom malicious JavaScript payloads delivered via auto-update mechanisms. Extensions themselves acted as the malware delivery system.
- **Infrastructure (C2, Domains, IPs):**
  - Payload retrieval domain: `api.extensionplay[.]com` (defanged)
  - Exfiltration server domain: `api.cleanmasters[.]store` (defanged)
  - Browser hijacker/redirection domain: `trovi[.]com` (defanged)
## Implications
ShadyPanda ran a highly effective, long-term supply chain attack targeting browser users via legitimate-seeming extensions. The progression from affiliate fraud to comprehensive spyware with remote code execution and AitM capabilities represents a significant escalation. The fact that some extensions were verified by Google highlights a failure in platform vetting mechanisms, allowing the actor to establish deep trust with users before executing data exfiltration campaigns.
## Mitigations
- Users must immediately remove affected browser extensions.
- Users should rotate credentials associated with the browsers that had the extensions installed as a precaution.
- Security monitoring should focus on outbound traffic from browsers to suspicious domains, especially activity involving hourly or regular fetching of external JavaScript payloads.
- Apply increased scrutiny to auto-update mechanisms within browser extensions, particularly for extensions that previously held high trust ratings or developer verification, since the malicious functionality here arrived through routine updates to already-trusted software.
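The monitoring mitigation above can be turned into a concrete detection: group script fetches by client and destination host, measure the spacing between requests, and flag series that recur at a regular cadence (the report describes hourly payload downloads) or that hit a known exfiltration/payload domain. The script below is an added example, not code from the Koi Security report or from the extensions; the four-field proxy log format and the log lines are constructed for the example, and the hourly period and regularity thresholds are assumptions a SOC would tune for its own environment.

```python
"""Flag browsers that fetch external JavaScript payloads on a regular schedule.

Added example (not from the Koi Security report). The proxy log format is a
constructed, simplified one: "<ISO-8601 timestamp> <client> <host> <path>".
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Defanged indicators from the report, refanged so they match log hostnames.
IOC_DOMAINS = {
    d.replace("[.]", ".")
    for d in ("api.extensionplay[.]com", "api.cleanmasters[.]store")
}

# Constructed sample log: client 10.0.0.5 fetches update.js every hour from the
# payload domain and a CDN library at irregular times; 10.0.0.9 is benign noise.
SAMPLE_LOG = """\
2024-07-01T08:00:03Z 10.0.0.5 api.extensionplay.com /v2/update.js
2024-07-01T08:14:10Z 10.0.0.5 cdn.example-static.net /lib/jquery.min.js
2024-07-01T09:00:05Z 10.0.0.5 api.extensionplay.com /v2/update.js
2024-07-01T09:41:22Z 10.0.0.5 cdn.example-static.net /lib/jquery.min.js
2024-07-01T10:00:01Z 10.0.0.5 api.extensionplay.com /v2/update.js
2024-07-01T11:00:07Z 10.0.0.5 api.extensionplay.com /v2/update.js
2024-07-01T13:05:00Z 10.0.0.5 cdn.example-static.net /lib/jquery.min.js
2024-07-01T08:30:00Z 10.0.0.9 cdn.example-static.net /lib/jquery.min.js
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path = line.split()
        # datetime.fromisoformat() on older Pythons does not accept a trailing "Z".
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), client, host, path))
    return events


def is_script_fetch(path):
    """True if the request path (ignoring any query string) points at a script."""
    return path.split("?", 1)[0].lower().endswith((".js", ".mjs"))


def find_periodic_script_fetches(events, min_requests=3, max_cv=0.10,
                                 period_hint=3600, period_tolerance=0.05):
    """Return {(client, host): details} for script fetches that are either
    regularly spaced (coefficient of variation of the gaps <= max_cv) or go to
    a known indicator domain. 'hourly' is set when the mean gap is within
    period_tolerance of period_hint seconds (assumed 1 h, per the report)."""
    by_pair = defaultdict(list)
    for ts, client, host, path in events:
        if is_script_fetch(path):
            by_pair[(client, host)].append(ts)

    findings = {}
    for (client, host), stamps in by_pair.items():
        stamps.sort()
        known_ioc = host in IOC_DOMAINS
        if len(stamps) < min_requests and not known_ioc:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps) if gaps else 0.0
        cv = (pstdev(gaps) / avg) if avg else float("inf")
        regular = len(gaps) >= min_requests - 1 and cv <= max_cv
        hourly = regular and abs(avg - period_hint) <= period_hint * period_tolerance
        if regular or known_ioc:
            findings[(client, host)] = {
                "count": len(stamps),
                "mean_interval_s": round(avg),
                "cv": round(cv, 3),
                "hourly": hourly,
                "known_ioc": known_ioc,
            }
    return findings


if __name__ == "__main__":
    for (client, host), info in find_periodic_script_fetches(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: {info}")
```

The coefficient-of-variation test catches the cadence even when the destination is not yet on an indicator list, which matters for a campaign that rotated through benign-looking domains; the indicator match is the cheap, high-confidence path for hosts the report already names. In production the same logic runs over the proxy or DNS telemetry, with an allowlist for the organisation's own script CDNs to keep legitimate hourly polling from paging anyone.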