
ShadyPanda Browser Extension Attack: 4.3 Million Chrome and Edge Users Compromised in Multi-Year Supply Chain Campaign

  • Rescana
  • Dec 4, 2025
  • 5 min read

Executive Summary

The ShadyPanda threat actor has orchestrated one of the most significant browser-based supply chain attacks in recent years, weaponizing millions of browsers through malicious extensions on both Google Chrome and Microsoft Edge. This campaign, active since at least 2018, has resulted in the compromise of over 4.3 million users worldwide. By leveraging the trust associated with “verified” and “featured” browser extensions, ShadyPanda was able to deliver remote code execution (RCE) backdoors, enabling full browser takeover, persistent surveillance, and large-scale data exfiltration. The operation evolved from simple affiliate fraud to advanced spyware and adversary-in-the-middle (AitM) attacks, demonstrating a high degree of technical sophistication and operational security. The campaign’s impact spans both consumer and enterprise environments, with ongoing risks due to the continued availability of some malicious extensions.

Threat Actor Profile

ShadyPanda is an advanced persistent threat (APT) actor whose infrastructure and tactics, techniques, and procedures (TTPs) suggest a China-based operation. While not directly mapped to any previously catalogued APT group such as APT31 or APT41, the group exhibits hallmarks of a well-resourced and technically adept adversary. ShadyPanda’s campaign is characterized by its abuse of browser extension ecosystems, use of sophisticated obfuscation and anti-analysis techniques, and a focus on maximizing reach through the exploitation of trusted distribution channels. The group’s monetization strategies have included affiliate fraud, but the primary objective appears to be large-scale data collection and persistent access to victim environments.

Technical Analysis of Malware/TTPs

The ShadyPanda campaign unfolded in several distinct phases, each marked by increasing technical complexity and operational ambition. Between 2018 and 2023, the group published over 145 extensions to the Chrome Web Store and Microsoft Edge Add-ons, often masquerading as productivity tools, download managers, or wallpaper applications. These extensions initially engaged in affiliate fraud by injecting tracking codes into e-commerce sessions, redirecting commissions to attacker-controlled accounts.

By 2023, the campaign escalated: extensions began hijacking search traffic, redirecting queries through trovi.com, a known browser hijacker, and exfiltrating cookies and keystrokes. In mid-2024, several trusted extensions, including Clean Master: the best Chrome Cache Cleaner, received malicious updates that introduced an hourly RCE backdoor. This backdoor enabled remote servers to push arbitrary JavaScript payloads with full browser API access, effectively granting the attacker persistent control over the browser environment.

The extensions’ attack chain leveraged several advanced TTPs. Initial access was achieved through user installation of extensions from official stores, often with “Featured” or “Verified” badges to engender trust. Persistence was maintained via the auto-update mechanisms inherent to browser extensions, allowing the attacker to silently deliver malicious payloads post-installation. Command and control (C2) was established through hourly check-ins with attacker-controlled domains such as api.extensionplay[.]com and api.cleanmasters[.]store, which served as conduits for both payload delivery and data exfiltration.
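Because the check-in cadence described above is fixed (hourly) and the C2 hostnames are known, both make good detection signals in proxy or DNS logs. The script below is an added example written for this advisory, not Rescana's or any vendor's tooling: it parses a constructed, simplified proxy log (`<epoch> <client_ip> <host> <path>`), records every contact with the advisory's indicator domains, and flags client/host pairs whose median inter-request gap sits close to 3600 seconds. The log lines, the log format and the period/jitter thresholds are assumptions for the demo; the domain list is taken from the advisory.

```python
"""Flag hosts that beacon to ShadyPanda C2 domains on an hourly cadence.

Added example for this advisory (not Rescana's tooling). Input is a
constructed, simplified proxy log: "<epoch> <client_ip> <host> <path>".
The indicator domains come from the advisory; the log lines are made up.
"""
from collections import defaultdict
from statistics import median

# Indicators named in the advisory (defanging brackets removed for matching).
C2_DOMAINS = {"api.extensionplay.com", "api.cleanmasters.store", "trovi.com"}

# Constructed sample log: 10.0.0.5 beacons roughly hourly to a C2 domain,
# 10.0.0.7 makes one unrelated request, 10.0.0.9 hits trovi.com once.
SAMPLE_LOG = """\
1733270400 10.0.0.5 api.extensionplay.com /v1/check
1733274010 10.0.0.5 api.extensionplay.com /v1/check
1733277590 10.0.0.5 api.extensionplay.com /v1/check
1733281200 10.0.0.5 api.extensionplay.com /v1/check
1733270500 10.0.0.7 example.org /index.html
1733271000 10.0.0.9 trovi.com /?q=search
"""


def parse_log(text):
    """Parse lines into (epoch, client, host, path) tuples; skip malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = int(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2].lower(), parts[3]))
    return events


def matches_indicator(host):
    """True if host is an indicator domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def find_c2_contacts(events):
    """All contacts with an indicator domain, as {(client, host): [timestamps]}."""
    contacts = defaultdict(list)
    for ts, client, host, _path in events:
        if matches_indicator(host):
            contacts[(client, host)].append(ts)
    return dict(contacts)


def is_hourly_beacon(timestamps, period=3600, jitter=300, min_hits=3):
    """True if at least min_hits contacts occur with a median gap within jitter of period.

    The thresholds are assumptions for this demo; tune them to the environment.
    """
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return abs(median(gaps) - period) <= jitter


def analyze(text):
    """Return {'contacts': {...}, 'beacons': [...]} for a log blob."""
    contacts = find_c2_contacts(parse_log(text))
    beacons = sorted(key for key, ts in contacts.items() if is_hourly_beacon(ts))
    return {"contacts": contacts, "beacons": beacons}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (client, host), ts in sorted(result["contacts"].items()):
        tag = "HOURLY BEACON" if (client, host) in result["beacons"] else "contact"
        print(f"{tag}: {client} -> {host} ({len(ts)} hits)")
```

Any contact with an indicator domain is worth a ticket on its own; the periodicity check is there to separate an installed, active backdoor (repeated hourly check-ins from one client) from a one-off redirect through trovi.com, which changes the response priority.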

Data collection capabilities were extensive. The extensions monitored all website visits, search queries, mouse clicks, and navigation behavior, exfiltrating encrypted browsing history and capturing browser fingerprints and persistent identifiers. Service workers were abused to enable adversary-in-the-middle (AitM) attacks, allowing for the interception of HTTPS traffic, credential theft, and arbitrary code injection. The malware employed extensive obfuscation and anti-analysis techniques, including switching to benign behavior if browser developer tools were opened.

The campaign’s TTPs map to several MITRE ATT&CK techniques, including T1059.007 (Command and Scripting Interpreter: JavaScript), T1071.001 (Application Layer Protocol: Web Protocols), T1557 (Adversary-in-the-Middle), T1566.001 (Spearphishing via Service), T1087 (Account Discovery), and T1113 (Screen Capture).

Exploitation in the Wild

The exploitation of this campaign has been both widespread and impactful. Over 4.3 million users have been affected globally, spanning both enterprise and consumer environments. The observed impacts include full browser compromise via RCE, theft of credentials and session cookies, persistent surveillance of browsing activity, and monetization through affiliate fraud. The attackers’ ability to exfiltrate sensitive data and maintain persistent access to victim browsers presents significant risks, including the potential for lateral movement within enterprise environments via stolen credentials.

Despite public disclosure and removal efforts, some malicious extensions remained available for download as late as December 2025. The campaign’s reliance on trusted distribution channels and the abuse of browser extension update mechanisms underscore the challenges of defending against supply chain attacks in the modern threat landscape.

Victimology and Targeting

ShadyPanda’s campaign was opportunistic in nature, targeting a broad swath of users across the globe. There is no evidence of specific sector targeting; rather, the group sought to maximize its reach by exploiting the popularity of browser extensions. Victims include both individual consumers and enterprise users, with the latter facing heightened risks due to the potential for credential theft and subsequent lateral movement within organizational networks. The campaign’s infrastructure is based in China, and the attacker-controlled domains used for C2 and data exfiltration are registered to Chinese entities. Developer aliases associated with the campaign include “nuggetsno15” on the Chrome Web Store and “rocket Zhang” on Microsoft Edge Add-ons.

Mitigation and Countermeasures

Immediate action is required to mitigate the risks posed by the ShadyPanda campaign. Organizations should audit all endpoints for the presence of the following extensions:

  • Clean Master: the best Chrome Cache Cleaner
  • Speedtest Pro-Free Online Internet Speed Test
  • BlockSite
  • Address bar search engine switcher
  • SafeSwift New Tab
  • Infinity V+ New Tab
  • OneTab Plus: Tab Manage & Productivity
  • WeTab 新标签页
  • Infinity New Tab for Mobile
  • Infinity New Tab (Pro)
  • Infinity New Tab
  • Dream Afar New Tab
  • Download Manager Pro
  • Galaxy Theme Wallpaper HD 4k HomePage
  • Halo 4K Wallpaper HD HomePage

All versions of these extensions published between 2018 and December 2025 should be considered compromised.

Upon detection, these extensions must be immediately removed from all systems. Credential hygiene is paramount; all credentials, tokens, and session cookies on affected systems should be rotated without delay. Network monitoring should be implemented to block and detect traffic to api.extensionplay[.]com, api.cleanmasters[.]store, and trovi.com. Organizations should enforce allow-lists for browser extensions and consider disabling auto-updates for extensions in high-risk environments. Compromised browser profiles should be rebuilt or reset, and browser logs and service worker activity should be inspected for signs of compromise. User awareness training should emphasize the risks associated with browser extensions, even those with high install counts or “verified” status.
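The endpoint audit described above can be scripted against the browser's on-disk extension store. The following is an added example written for this advisory, not Rescana's or any browser vendor's tooling: it walks a Chrome or Edge user-data directory (`<profile>/Extensions/<id>/<version>/manifest.json`), resolves localized names, flags extensions whose name appears on the advisory's list, and additionally scans each extension's JS/JSON/HTML files for the advisory's indicator domains, which catches a renamed or re-published copy. The demo runs against a constructed directory tree built in a temporary folder; the extension IDs, file contents and the "Harmless Notes" name are made up, and the user-data paths in the comment are the browsers' documented defaults.

```python
"""Audit Chrome/Edge user-data directories for extensions named in this advisory.

Added example, not Rescana's or any vendor's tooling. It walks
<user-data>/<profile>/Extensions/<id>/<version>/manifest.json, flags names on
the advisory's list, and scans each extension's files for the advisory's
indicator domains. The demo runs on a constructed tree in a temp directory.
"""
import json
import re
import tempfile
from pathlib import Path

# Typical user-data roots (pass one of these to audit_user_data on a real host):
#   Linux:   ~/.config/google-chrome, ~/.config/microsoft-edge
#   macOS:   ~/Library/Application Support/Google/Chrome (or .../Microsoft Edge)
#   Windows: %LOCALAPPDATA%\Google\Chrome\User Data, %LOCALAPPDATA%\Microsoft\Edge\User Data

# Extension names from the advisory, lower-cased for matching.
FLAGGED_NAMES = {n.lower() for n in (
    "Clean Master: the best Chrome Cache Cleaner", "Speedtest Pro-Free Online Internet Speed Test",
    "BlockSite", "Address bar search engine switcher", "SafeSwift New Tab", "Infinity V+ New Tab",
    "OneTab Plus: Tab Manage & Productivity", "WeTab 新标签页", "Infinity New Tab for Mobile",
    "Infinity New Tab (Pro)", "Infinity New Tab", "Dream Afar New Tab", "Download Manager Pro",
    "Galaxy Theme Wallpaper HD 4k HomePage", "Halo 4K Wallpaper HD HomePage",
)}
# Network indicators from the advisory (defanging brackets removed).
INDICATOR_DOMAINS = ("api.extensionplay.com", "api.cleanmasters.store", "trovi.com")
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in INDICATOR_DOMAINS), re.IGNORECASE)
SCAN_SUFFIXES = {".js", ".json", ".html"}


def resolve_name(manifest, version_dir):
    """Return the display name; localized names look like __MSG_key__ and live in _locales."""
    name = str(manifest.get("name", ""))
    m = re.fullmatch(r"__MSG_(\w+)__", name)
    if not m:
        return name
    msgs = Path(version_dir) / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        return str(json.loads(msgs.read_text(encoding="utf-8"))[m.group(1)]["message"])
    except (OSError, ValueError, KeyError, TypeError):
        return name  # unresolvable: keep the raw placeholder so it is still reported


def domains_referenced(version_dir):
    """Indicator domains mentioned anywhere in the extension's JS/JSON/HTML files."""
    hits = set()
    for f in Path(version_dir).rglob("*"):
        if f.is_file() and f.suffix.lower() in SCAN_SUFFIXES:
            text = f.read_text(encoding="utf-8", errors="ignore")
            hits.update(m.group(0).lower() for m in DOMAIN_RE.finditer(text))
    return hits


def audit_user_data(root):
    """Return a finding dict for every installed extension version that matches an indicator."""
    findings = []
    for manifest_path in Path(root).glob("*/Extensions/*/*/manifest.json"):
        version_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: not evidence either way
        name = resolve_name(manifest, version_dir)
        reasons = []
        if name.strip().lower() in FLAGGED_NAMES:
            reasons.append("name listed in advisory")
        hits = domains_referenced(version_dir)
        if hits:
            reasons.append("references " + ", ".join(sorted(hits)))
        if reasons:
            findings.append({"id": version_dir.parent.name, "name": name,
                             "version": manifest.get("version"), "path": str(version_dir),
                             "reasons": reasons})
    return findings


def build_demo_tree(root):
    """Constructed user-data dir: a flagged name, an IoC reference, and a clean extension."""
    def make(ext_id, manifest, files):
        d = Path(root) / "Default" / "Extensions" / ext_id / manifest["version"]
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        for rel, body in files.items():
            (d / rel).write_text(body, encoding="utf-8")
    make("constructedidaaaa", {"name": "Clean Master: the best Chrome Cache Cleaner", "version": "3.2.1"},
         {"background.js": "// constructed placeholder, no indicator strings\n"})
    make("constructedidbbbb", {"name": "Harmless Notes", "version": "1.0.0"},
         {"sw.js": "const ENDPOINT = 'https://api.cleanmasters.store/';  // constructed\n"})
    make("constructedidcccc", {"name": "Harmless Notes", "version": "2.0.0"},
         {"sw.js": "console.log('nothing to see');\n"})


def run_demo():
    """Build the constructed tree, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return audit_user_data(tmp)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['id']} {f['name']!r} v{f['version']}: {'; '.join(f['reasons'])}")
```

Run it with `audit_user_data` pointed at each profile root on the host (every profile under the root is covered by the glob), and treat a hit on either signal as grounds for the removal and credential rotation steps above; the IoC-string scan is what remains useful once a listed extension is republished under a new name.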

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for your organization’s most critical assets.

For further questions or incident response support, please contact us at ops@rescana.com.