‘Sleeper’ malware campaign ShadyPanda infects 4.3 Million Chrome and Edge Users

A massive “sleeper” malware campaign has infected over 4.3 million users through seemingly legitimate browser extensions.

The operation, dubbed “ShadyPanda” by Koi Security researchers, successfully weaponized 145 extensions across Google Chrome and Microsoft Edge.

These apps, often posing as simple wallpaper or productivity tools, gained user trust over seven years before secretly turning into sophisticated spyware.

The core strategy, it seems, was to play the long game. Extensions first published as far back as 2018 were quietly updated to include malicious code.

This exploited the trust mechanism of the browsers’ official stores, using the auto-update function to silently deliver malware.

The attacks escalated in distinct phases. Initially, in 2023, the extensions engaged in affiliate fraud, injecting tracking codes into links for major sites like Amazon and eBay to secretly steal commission on user purchases.

The threat quickly intensified to serious espionage. Later updates turned some extensions, such as the popular “Clean Master,” into a Remote Code Execution (RCE) backdoor.

The RCE function actively monitored every website visit, exfiltrating encrypted browsing history and capturing complete browser fingerprints. The final phase saw other extensions function as pure spyware, collecting sensitive data such as search queries, mouse clicks with coordinates, and cookies.

While Google removed the identified extensions from its store, some, like the ‘WeTab’ extension with three million installs, remained on the Microsoft Edge platform for a time, though Microsoft has since confirmed all identified malicious extensions were removed.

Users who have installed any large number of extensions are urged to take immediate action. They must remove any unrecognized extensions, reset their browser profiles, and immediately rotate all account passwords for sensitive accounts accessed while the malware was present.

To check the full list of malicious extensions, make sure to read Koi Security’s full report here.

Bleeping Computer