LogoBoTab
  • Blog
  • Docs
  • Discord
4.3 Million Browsers Infected: Uncovering ShadyPanda's 7-Year Malware Campaign
2025/12/03

4.3 Million Browsers Infected: Uncovering ShadyPanda's 7-Year Malware Campaign

Security firm Koi.ai has disclosed ShadyPanda's 7-year malware campaign, infecting over 4.3 million Chrome and Edge users, involving well-known extensions like Clean Master.

Share
X (Twitter)Share on X (Twitter)Share on Facebook

Summary: Recently, security firm Koi.ai released a bombshell report exposing a threat group named ShadyPanda. Over the past 7 years, this group has infected more than 4.3 million users by distributing malicious browser extensions through Chrome and Edge stores. The report indicates that multiple well-known extensions, including Clean Master, have been used as spyware to collect sensitive data such as user browsing history, search records, and even cookies.

ShadyPanda Campaign Overview

7 Years of Planning, 4 Phases

According to Koi.ai researcher Tuval Admoni, ShadyPanda's attack activities can be traced back 7 years, with strategies continuously evolving from simple ad fraud to comprehensive browser monitoring.

Phase 1: The "Wallpaper and Productivity Tools" Scam (2023)

Initially, ShadyPanda released 145 extensions disguised as wallpaper or productivity tools (mainly in the Edge store). These extensions profited by injecting affiliate codes (Affiliate Fraud). When users visited shopping sites like Amazon and eBay, the extensions would quietly replace links to earn commissions. Although not technically sophisticated, this gave attackers a taste of success: users trust extensions with high install counts, and app store reviews primarily focus on initial submissions.

Phase 1: Wallpaper Hustle

Phase 2: Search Hijacking (Early 2024)

Subsequently, attackers became bolder. Certain new tab extensions began hijacking users' search traffic, redirecting it to known hijacking sites like trovi.com. More seriously, they started collecting users' search queries (even real-time input before users pressed Enter) and cookies from specific domains, sending the data to attackers' servers.

Phase 2: Search Hijacking

Phase 3: The Long Game

This phase was the most deceptive. ShadyPanda acquired or developed 5 extensions including Clean Master, allowing them to operate legitimately for years, accumulating hundreds of thousands of users, and even earning "Featured" and "Verified" badges from stores.

It wasn't until mid-2024 that attackers pushed malicious code through automatic update mechanisms. These extensions were implanted with Remote Code Execution (RCE) backdoors, downloading and executing arbitrary JavaScript code from control servers every hour. This means attackers could change extension behavior at any time, transitioning from monitoring to ransomware or credential theft.

Phase 3: The Long Game

Phase 4: The Spyware Empire (4 Million+ Users)

This is currently the most impactful phase. The report indicates that 5 other extensions operated by ShadyPanda in the Edge store (including extensions with millions of users) are actually powerful spyware.

These extensions are accused of collecting and exfiltrating the following data:

  • Complete browsing history: Every URL visited.
  • Search queries: Recording every user search.
  • Page interactions: Mouse click coordinates, dwell time, etc.
  • Browser fingerprints: Screen resolution, User Agent, timezone, etc.
  • Cookies and storage data: Having permissions to read all cookies and local storage.

According to reports, this data was sent to servers located in China as well as Google Analytics.

Phase 4: Spyware Empire

User Community Response

This incident has sparked strong reactions across major tech communities. Many long-term users expressed shock and anger, while others began searching for alternatives.

In the Linux.do community, users expressed concerns about data breaches:

"I spent so long customizing everything, and now it's all gone! Malicious plugins I**" —— Acheron "Got hit, don't know what exactly was stolen" —— hjie

On V2EX, users also posted:

"Can't laugh about this, been using a new tab page for years, suspected to be poisoned"

Users in the NodeLoc community expressed relief at not being affected and reminded each other to stay vigilant about security.

These authentic voices reflect users' concern for privacy and security, as well as disappointment at being "backstabbed" by tools they once trusted.

Technical Details and Harm

The report provides detailed analysis of ShadyPanda's technical methods:

  • RCE Backdoor: Infected extensions regularly check api.extensionplay[.]com, downloading and executing obfuscated JavaScript code.
  • Anti-Analysis: Malicious code detects whether developer tools are open, and if debugging behavior is detected, it stops malicious activities to evade analysis.
  • Man-in-the-Middle Attack Capability: Through Service Workers, malicious extensions can intercept and modify network traffic, even injecting malicious content into HTTPS connections.

Official Response and Controversy

In response to Koi.ai's allegations, the WeTab and Infinity teams quickly released response statements (see Official Statement).

The teams stated:

  1. Clean Master Chrome version was sold to a third party long ago, and subsequent malicious updates are unrelated to the original team.
  2. WeTab and Infinity are independently operated products with code different from Clean Master, containing no backdoors or malicious monitoring.
  3. Extensions were removed because they used the same developer account as Clean Master and were "guilty by association," not because the products themselves contained malicious code.
  4. Collected data is only used for basic product functions (such as syncing, statistics), does not involve privacy, and the teams have invited third-party organizations to conduct security audits.

Reference sources: Koi.ai Blog, BleepingComputer, V2EX Discussion

All Posts

Categories

  • Privacy
7 Years of Planning, 4 PhasesPhase 1: The "Wallpaper and Productivity Tools" Scam (2023)Phase 2: Search Hijacking (Early 2024)Phase 3: The Long GamePhase 4: The Spyware Empire (4 Million+ Users)User Community ResponseTechnical Details and HarmOfficial Response and Controversy

More Posts

12 Best RSS Tools in 2026
Tools

12 Best RSS Tools in 2026

RSS still wins when you want calm, controllable reading. This guide covers 12 practical RSS tools for 2026, from lightweight readers and discovery feeds to web-to-RSS generators and full-text extractors. You will see where each tool shines, what to expect, and how to pick a setup that fits your daily info habits.

avatar for Nexmoe
Nexmoe
2026/01/01
6 Best Mac Resources in 2026
Tools

6 Best Mac Resources in 2026

This 2026 Mac resources list focuses on English and international sites, covering software download portals, icon resources, and open-source collections. Each entry includes screenshots and key points to help you quickly identify the ones you will actually use regularly.

avatar for Nexmoe
Nexmoe
2026/01/03
20 Best Icon Websites in 2025
Tools

20 Best Icon Websites in 2025

This article helps you collect 20 of the most valuable icon websites in 2025 at once, covering search engines, comprehensive icon libraries, and open-source icon collections. Perfect for designers, frontend developers, and product teams to quickly find icons, supplement materials, and handle multi-size adaptations. You can pick icons with the right style in the shortest time for different scenarios.

avatar for Nexmoe
Nexmoe
2025/12/30

Get Started with BoTab

Experience transforming bookmarks into new tab pages with one click right now, make your browsing more efficient

ChromeDownload Now ChromeLearn More
Supports Chrome, Edge and all Chromium-based browsers
您的浏览器不支持视频播放。
LogoBoTab

Make your bookmarks smarter

TwitterX (Twitter)DiscordLinkedInEmail
Product
  • Features
  • Pricing
  • FAQ
Resources
  • Blog
  • Documentation
  • Changelog
Legal
  • Cookie Policy
  • Privacy Policy
  • Terms of Service
© 2021–2026 BoTab. Made By Nexmoe