Operation RedDirection: Over 2 Million Users Compromised by Malicious Chrome and Edge Extensions in Major Supply-Chain Attack
- Rescana

Executive Summary
A coordinated campaign, identified as Operation RedDirection, has compromised over 2.3 million users through 18 malicious browser extensions distributed via the official Google Chrome and Microsoft Edge web stores. These extensions, initially benign and widely trusted because of positive reviews and verified badges, were later weaponized through malicious updates. Once activated, the extensions tracked users’ browsing activity, communicated with attacker-controlled command and control (C2) servers, and in some cases redirected users to phishing or malware sites. The campaign demonstrates a critical supply-chain weakness in browser extension ecosystems, affecting both individual and enterprise users. Most of the identified extensions had been removed from the official stores as of July 9, 2025, but some may still be available through third-party sources. Immediate action is required to mitigate ongoing risk: remove the extensions, clear browser data, and scan affected systems. The findings in this report are based on corroborated evidence from Malwarebytes, Forbes, and TechRadar, and every major claim is supported by direct technical artifacts and primary-source analysis.
Technical Information
The Operation RedDirection campaign exploited the trust inherent in browser extension ecosystems by leveraging the official Chrome Web Store and Microsoft Edge Add-ons store to distribute 18 extensions that were initially legitimate. These extensions (for Chrome: Emoji keyboard online, Free Weather Forecast, Unlock Discord, Dark Theme, and Volume Max; for Edge: Unlock TikTok, Volume Booster, Web Sound Equalizer, and SearchGPT, among others) provided real functionality and accumulated hundreds of thousands of installs and positive reviews (Malwarebytes, Forbes, TechRadar).
At an undetermined point, attackers introduced malicious code via extension updates, transforming these trusted add-ons into "sleeper agents." This supply-chain compromise allowed the extensions to remain undetected for extended periods, as their initial versions were clean and only later began exhibiting malicious behavior. The extensions’ malicious activities included capturing the URLs of every site visited, sending this data along with unique user identifiers to remote C2 servers, and receiving instructions to redirect users to attacker-controlled destinations. In some cases, users were redirected to convincing phishing pages, such as fake Zoom update prompts, which delivered additional malware and enabled full device compromise (Malwarebytes).
The C2 infrastructure was highly organized, using multiple subdomains (e.g., admitab[.]com, click.videocontrolls[.]com, c.undiscord[.]com) to mask the centralized nature of the operation and create the appearance of separate operators (Forbes). The extensions’ codebases were similar, and all implemented browser surveillance and hijacking capabilities. The campaign’s scale and sophistication highlight the limitations of current extension vetting and update processes in both major browser marketplaces.
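The C2 domains quoted above are the most directly actionable artifacts in the report, and the two usual mistakes when turning them into a detection are forgetting to refang the `[.]` notation and matching on a plain substring (so that an unrelated domain ending in the same letters fires). The following script is an added example written for this article, not tooling from Rescana or from the cited sources: it refangs the published indicators, anchors the match on a label boundary so that subdomains such as `api.admitab.com` match while `notadmitab.com` does not, and runs that check over a few constructed proxy log lines. The log format and every log line are assumptions for the demonstration.

```python
"""Match web-proxy log lines against the Operation RedDirection C2 domains.

Added example for this article (not Rescana's or the cited researchers' code).
The proxy log format and the sample lines are constructed for the demonstration.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# C2 domains exactly as published in the report, in defanged form.
REDDIRECTION_C2_DEFANGED = [
    "admitab[.]com",
    "click.videocontrolls[.]com",
    "c.undiscord[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'admitab[.]com' back into a hostname."""
    return indicator.replace("[.]", ".").lower().strip().strip(".")


def matches_ioc(host: str, iocs: List[str]) -> Optional[str]:
    """Return the indicator that `host` equals or is a subdomain of, else None.

    The suffix check is anchored on a '.' so 'notadmitab.com' does not match
    'admitab.com', while 'api.admitab.com' does.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def scan_log_lines(lines: List[str], iocs: Optional[List[str]] = None) -> List[Dict[str, str]]:
    """Return one hit record per log line whose destination host matches an indicator."""
    refanged = [refang(d) for d in (iocs if iocs is not None else REDDIRECTION_C2_DEFANGED)]
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not follow the expected format
        ts, client, _method, url, _status = m.groups()
        host = urlparse(url).hostname or ""
        ioc = matches_ioc(host, refanged)
        if ioc:
            hits.append({"ts": ts, "client": client, "host": host, "ioc": ioc, "url": url})
    return hits


# Constructed sample lines: two true hits, one look-alike domain, one malformed line.
SAMPLE_LOG = [
    "2025-07-09T10:00:01Z 10.0.0.12 GET https://example.com/ 200",
    "2025-07-09T10:00:02Z 10.0.0.12 GET https://click.videocontrolls.com/t?u=abc123 200",
    "2025-07-09T10:00:03Z 10.0.0.15 POST https://api.admitab.com/report 204",
    "2025-07-09T10:00:04Z 10.0.0.15 GET https://notadmitab.com/ 200",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['host']} (matches {hit['ioc']})")
```

Because the report states that all subdomains belonged to one centralized infrastructure, matching on the registrable domain (`admitab.com`) rather than on the single subdomain each extension used is the safer choice; a hit from any internal client is a reason to treat that host under the Critical steps in the Mitigation section.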
The attack chain can be mapped to several MITRE ATT&CK techniques, including supply-chain compromise (T1195.002), browser extension persistence (T1176), C2 communication over web protocols (T1071.001), and credential theft via adversary-in-the-middle (T1556.002). The technical evidence supporting these findings includes verified extension IDs, C2 domains, and observed network traffic, all corroborated by independent security researchers.
No direct attribution to a specific threat actor has been made, but the campaign’s organization and financial motivation are evident. The use of benign extensions as sleeper agents weaponized via updates is a known tactic, but the exploitation of verified badges and high-profile store placement is unprecedented in scale.
Affected Versions & Timeline
The affected products are the Google Chrome and Microsoft Edge browsers; the affected users are those who installed any of the 18 identified malicious extensions. The extensions were initially benign and gained user trust through legitimate functionality and positive reviews. At an undetermined point, malicious code was introduced via updates, turning the extensions into sleeper agents. The malicious behavior was active for an unknown period before discovery.
The campaign was publicly disclosed on July 9, 2025, by Koi Security and corroborated by Malwarebytes, Forbes, and TechRadar. As of that date, most of the malicious extensions had been removed from the Chrome and Edge web stores, but some may still be available through third-party sources (Malwarebytes, TechRadar).
The total number of affected users is estimated at 2.3 million, with 1.7 million installations from the Chrome Web Store alone. The campaign did not target a specific sector but instead affected a broad range of individual and enterprise users due to the general-purpose nature of the extensions.
Threat Activity
The threat actors behind Operation RedDirection employed a supply-chain attack by compromising the update mechanism of popular browser extensions. Once the malicious updates were deployed, the extensions began tracking users’ browsing activity, capturing every URL visited, and sending this data to attacker-controlled C2 servers along with unique user identifiers. The extensions also received redirect instructions from the C2 infrastructure, enabling browser session hijacking.
A notable attack scenario involved redirecting users attempting to join legitimate services, such as Zoom meetings, to phishing pages that prompted the download of fake updates. These downloads delivered additional malware, potentially resulting in full device compromise and unauthorized access to sensitive data (Malwarebytes). The extensions’ ability to hijack browser sessions and redirect users to malicious sites poses a direct threat to credential security, business operations, and data integrity.
The campaign’s infrastructure was designed to appear decentralized, with each extension communicating with a unique subdomain. However, analysis revealed that all subdomains were part of a centralized attack infrastructure. The extensions’ codebases were similar, and all implemented browser surveillance and hijacking capabilities (Forbes).
The attack did not discriminate by sector, affecting both individual and enterprise users. The widespread use of browser extensions in business environments for productivity and workflow enhancements increased the risk of credential theft, business email compromise, lateral movement, and data breaches.
Mitigation & Workarounds
The following actions are recommended, prioritized by severity:
Critical: Immediately remove any of the identified malicious extensions from all instances of Google Chrome and Microsoft Edge. The full list of extension IDs and names is available in the referenced sources (Malwarebytes, Forbes, TechRadar).
Critical: Clear all browser data, including cookies, cached files, and stored credentials, to remove tracking identifiers and potential session hijacking artifacts.
Critical: Run a full system malware scan using an updated antivirus or endpoint detection and response (EDR) solution to identify and remove any additional malware that may have been delivered via the extensions.
High: Monitor all accounts for suspicious activity, especially if sensitive sites or services were accessed while the malicious extensions were installed. Change passwords and review security settings for all affected accounts.
High: Review all installed browser extensions for suspicious behavior, even if not on the published list, and remove any that are unnecessary or unrecognized.
Medium: Educate users and IT staff about the risks of browser extensions, emphasizing the importance of only installing extensions from trusted sources and regularly reviewing installed add-ons.
Medium: Implement browser extension management policies in enterprise environments, restricting installation to a pre-approved list and monitoring for unauthorized extensions.
Low: Stay informed about future advisories from browser vendors and security researchers regarding extension security and supply-chain risks.
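The High and Medium steps above (review every installed extension, then enforce an allowlist or blocklist by policy) can be partly automated. The script below is an added example for this article, not Rescana's tooling and not code from the cited sources. It reads the `manifest.json` of every extension in the default Chrome and Edge profile directories and flags the capability set the report describes: an API permission that exposes the URL of every tab or navigation combined with a host pattern covering all sites, an `update_url` pointing somewhere other than the official store endpoints, and an extension ID on a blocklist. It then builds the `ExtensionInstallBlocklist` / `ExtensionInstallAllowlist` managed-policy document that both Chrome and Edge accept. The extension IDs in `BLOCKLISTED_IDS` and the sample manifests are placeholders constructed for the demonstration; the real IDs must be taken from the referenced sources.

```python
"""Audit installed Chrome/Edge extensions and build an enterprise extension policy.

Added example for this article (not Rescana's tooling). Blocklist IDs and sample
manifests are constructed placeholders; replace them with the published IDs.
"""
import json
import os
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set

# PLACEHOLDER IDs: populate from the extension lists in the referenced sources.
BLOCKLISTED_IDS: Set[str] = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"}

# API permissions that expose the URL of every tab / navigation to the extension.
NAV_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "history"}
# Match patterns that cover every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Update endpoints used by the official Chrome Web Store and Edge Add-ons store.
STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",
}


def profile_extension_dirs() -> List[Path]:
    """Default 'Extensions' directories of the Default profile on Linux, macOS and Windows."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
    return [
        home / ".config/google-chrome/Default/Extensions",
        home / ".config/microsoft-edge/Default/Extensions",
        home / "Library/Application Support/Google/Chrome/Default/Extensions",
        home / "Library/Application Support/Microsoft Edge/Default/Extensions",
        local / "Google/Chrome/User Data/Default/Extensions",
        local / "Microsoft/Edge/User Data/Default/Extensions",
    ]


def host_patterns(manifest: Dict) -> Set[str]:
    """Every host pattern the extension can run on or call (MV2 and MV3 manifest layouts)."""
    patterns = set(manifest.get("host_permissions", []))
    patterns |= {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    for script in manifest.get("content_scripts", []):
        patterns |= set(script.get("matches", []))
    return patterns


def assess_manifest(ext_id: str, manifest: Dict) -> Dict:
    """Return the findings for one extension; an empty findings list means nothing notable."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))
    hosts = host_patterns(manifest)
    findings: List[str] = []
    if ext_id in BLOCKLISTED_IDS:
        findings.append("blocklisted-id")
    if perms & NAV_PERMISSIONS and hosts & BROAD_HOSTS:
        findings.append("can-observe-all-navigations")  # the URL-capture capability in the report
    elif hosts & BROAD_HOSTS:
        findings.append("runs-on-all-sites")  # content script on every page, but no tab/nav API
    update_url = manifest.get("update_url")
    if update_url and update_url not in STORE_UPDATE_URLS:
        findings.append("non-store-update-url")  # updates come from outside the official stores
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "findings": findings}


def audit_profile(ext_root: Path) -> List[Dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and assess each extension."""
    results: List[Dict] = []
    if not ext_root.is_dir():
        return results
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for manifest_path in ext_dir.glob("*/manifest.json"):
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not crash the audit
            results.append(assess_manifest(ext_dir.name, manifest))
    return results


def managed_policy(blocklist: Iterable[str], allowlist: Optional[Iterable[str]] = None) -> Dict:
    """Chrome/Edge managed-policy document. With an allowlist, everything else is blocked."""
    if allowlist is not None:
        return {"ExtensionInstallBlocklist": ["*"], "ExtensionInstallAllowlist": sorted(allowlist)}
    return {"ExtensionInstallBlocklist": sorted(blocklist)}


# Constructed sample manifests (placeholder IDs) used when the script runs stand-alone.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Example Theme", "version": "2.1",
        "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
        "update_url": "https://clients2.google.com/service/update2/crx"},
    "cccccccccccccccccccccccccccccccc": {"name": "Example Notes", "version": "1.0",
        "permissions": ["storage"], "update_url": "https://clients2.google.com/service/update2/crx"},
    "dddddddddddddddddddddddddddddddd": {"name": "Example Sideloaded", "version": "0.9",
        "permissions": ["webNavigation", "*://*/*"], "update_url": "https://updates.example.invalid/ext.xml"},
}

if __name__ == "__main__":
    reports = [assess_manifest(i, m) for i, m in SAMPLE_MANIFESTS.items()]
    for root in profile_extension_dirs():
        reports.extend(audit_profile(root))
    for r in reports:
        if r["findings"]:
            print(f"{r['id']} {r['name']} {r['version']}: {', '.join(r['findings'])}")
    print(json.dumps(managed_policy(BLOCKLISTED_IDS), indent=2))
```

The audit yields a review list, not a verdict: the extensions named in this report were distributed through the official stores and were updated through them, so their `update_url` is the legitimate store endpoint, and a theme or volume-control extension legitimately needs broad host access. What the `can-observe-all-navigations` finding tells you is which installed extensions could exhibit the behavior described here, which is the set to compare against the published IDs and to remove if unrecognized. The policy document can be dropped into `/etc/opt/chrome/policies/managed/` on Linux (or the equivalent Edge and Windows policy locations) to enforce the Medium recommendation across a fleet.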
References
Malwarebytes, "Millions of people spied on by malicious browser extensions in Chrome and Edge," July 9, 2025: https://www.malwarebytes.com/blog/news/2025/07/millions-of-people-spied-on-by-malicious-browser-extensions-in-chrome-and-edge
Forbes, "Delete Every Chrome And Edge Extension That’s On This List," July 9, 2025: https://www.forbes.com/sites/zakdoffman/2025/07/09/delete-every-chrome-and-edge-extension-thats-on-this-list/
TechRadar, "Malicious Google Chrome and Edge extensions downloaded more than 2 million times - here's how to stay safe from being tracked online," July 9, 2025: https://www.techradar.com/pro/security/malicious-google-chrome-and-edge-extensions-downloaded-more-than-2-million-times-heres-how-to-stay-safe-from-being-tracked-online
About Rescana
Rescana provides a third-party risk management (TPRM) platform that enables organizations to continuously monitor, assess, and manage the security posture of their digital supply chain, including browser extensions and other third-party software components. Our platform supports the identification of supply-chain risks, facilitates rapid response to emerging threats, and helps organizations enforce security policies for browser extension usage. For questions or further information, please contact us at ops@rescana.com.