ShadyPanda’s Long Campaign
A threat actor called ShadyPanda has operated a seven-year campaign that misused popular browser add-ons. The group used once-trusted tools to collect sensitive data from millions of users. The danger grew sharply in mid-2024, when several legitimate extensions received hidden malicious updates.
Researchers reported that five of these add-ons began as harmless utilities and were later modified to fetch and run remote code every hour. As a result, the add-ons downloaded hidden scripts and accessed full browser activity without any warning to the user.
Hidden Data Monitoring
The malicious scripts monitored every website visit and captured encrypted browsing history. They also collected complete browser fingerprints and sent them to remote servers. Notably, the extensions switched to harmless behavior whenever users opened developer tools, which made analysis more difficult.
Attackers also built trust by promoting one add-on as a verified tool. As a result, many users installed it without suspicion and accepted later updates. These quiet changes allowed the attackers to expand their reach.
Expanding the Surveillance Network
Another group of add-ons from the same publisher tracked every visited link. They also recorded search terms and mouse clicks. Then, they sent the data to servers in another country. These tools reached nearly four million installs, and one single add-on accounted for most of them.
Early hints of danger appeared in 2023. Developers published dozens of wallpaper and productivity extensions. However, these extensions secretly injected tracking codes into retail websites. They used this to gain fraudulent commissions from user purchases.
Shift to Browser Hijacking
In early 2024, the operation became more aggressive: every web search was redirected through a hijacking site, and search queries were logged, monetized, and sold. This gave the attackers even more control over browsing activity.
By mid-2024, several older add-ons received updates that enabled hourly checks to fetch malicious code. This payload monitored visits, gathered fingerprints, and sent encrypted reports to remote servers.
Deep User Tracking
Five additional extensions published in 2023 expanded the final stage of the campaign. They collected URLs, search queries, cookies, mouse clicks, and scrolling behavior. However, one of them remained available for download at the time of reporting.
Researchers noted four phases of this campaign. Each phase slowly transformed harmless add-ons into full surveillance tools. However, it remains unclear whether download counts were artificially inflated.
Recommendations and Safer Practices
Experts urged users to remove the affected extensions immediately and change all credentials. They also warned that the trusted browser update system became a silent delivery channel for malware.
How to Prevent Similar Threats
Users can stay safer by reviewing their installed add-ons regularly and limiting unnecessary permissions. Security services that offer browser-based threat monitoring or automated malicious extension detection can also help identify suspicious behavior early. These solutions provide continuous scanning and alert users before harmful updates cause damage.
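As an added example (not code from the article or from any vendor it mentions), the Node.js script below audits Chrome extension manifests for the broad capabilities this campaign depended on: all-site host access, cookie and tab visibility, script injection, scheduled background work, and a non-store update channel. The sample manifests, the `auditManifest` and `rankManifests` names, and the assumed Chrome Web Store update endpoint are constructed for illustration.

```javascript
// Added example: rank extension manifests by how many surveillance-capable
// permissions they request. Sample manifests are constructed, not real add-ons.
const SENSITIVE_PERMISSIONS = {
  cookies: 'can read session cookies for every site',
  history: 'can read full browsing history',
  tabs: 'can see every visited URL',
  webNavigation: 'can observe every navigation',
  webRequest: 'can inspect or rewrite requests',
  scripting: 'can inject code into pages',
  alarms: 'can schedule periodic background work (e.g. hourly fetches)',
};
// Host patterns that grant access to every site.
const ALL_HOSTS = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;
// Assumed known-good update endpoint for Chrome Web Store extensions.
const STORE_UPDATE_URL = 'https://clients2.google.com/service/update2/crx';

function auditManifest(text) {
  const m = JSON.parse(text);
  const findings = [];
  const perms = [...(m.permissions || []), ...(m.host_permissions || [])];
  for (const p of perms) {
    if (SENSITIVE_PERMISSIONS[p]) findings.push(`${p}: ${SENSITIVE_PERMISSIONS[p]}`);
    else if (ALL_HOSTS.test(p)) findings.push(`${p}: access to every site`);
  }
  for (const cs of m.content_scripts || []) {
    if ((cs.matches || []).some((x) => ALL_HOSTS.test(x)))
      findings.push('content script runs on every site');
  }
  if (m.update_url && m.update_url !== STORE_UPDATE_URL)
    findings.push(`non-store update_url: ${m.update_url}`);
  return { name: m.name, version: m.version, score: findings.length, findings };
}

// Highest-risk manifests first, so a reviewer sees the worst offenders at the top.
function rankManifests(texts) {
  return texts.map(auditManifest).sort((a, b) => b.score - a.score);
}

// Constructed samples: a wallpaper add-on with minimal permissions, and a later
// version of the same add-on that asks for far more than a wallpaper tool needs.
const SAMPLES = [
  JSON.stringify({ manifest_version: 3, name: 'Calm Wallpapers', version: '1.0',
    permissions: ['storage'] }),
  JSON.stringify({ manifest_version: 3, name: 'Calm Wallpapers', version: '2.3',
    permissions: ['storage', 'tabs', 'cookies', 'alarms', 'scripting'],
    host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
    update_url: 'https://updates.example.invalid/crx' }),
];

for (const r of rankManifests(SAMPLES)) console.log(r.name, r.version, r.score, r.findings);
```

A real audit would read each `manifest.json` from the browser profile's extensions directory and compare successive versions, since the jump in requested permissions between updates is the signal this campaign exploited.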
Sleep well, we got you covered.

