4.3 Million Browsers Infected: Uncovering ShadyPanda's 7-Year Malware Campaign
Security firm Koi.ai has disclosed ShadyPanda's 7-year malware campaign, infecting over 4.3 million Chrome and Edge users, involving well-known extensions like Clean Master.
Summary: Recently, security firm Koi.ai released a bombshell report exposing a threat group named ShadyPanda. Over the past 7 years, this group has infected more than 4.3 million users by distributing malicious browser extensions through Chrome and Edge stores. The report indicates that multiple well-known extensions, including Clean Master, have been used as spyware to collect sensitive data such as user browsing history, search records, and even cookies.
7 Years of Planning, 4 Phases
According to Koi.ai researcher Tuval Admoni, ShadyPanda's attack activities can be traced back 7 years, with strategies continuously evolving from simple ad fraud to comprehensive browser monitoring.
Phase 1: The "Wallpaper and Productivity Tools" Scam (2023)
Initially, ShadyPanda released 145 extensions disguised as wallpaper or productivity tools (mainly in the Edge store). These extensions profited by injecting affiliate codes (Affiliate Fraud). When users visited shopping sites like Amazon and eBay, the extensions would quietly replace links to earn commissions. Although not technically sophisticated, this gave attackers a taste of success: users trust extensions with high install counts, and app store reviews primarily focus on initial submissions.
Phase 2: Search Hijacking (Early 2024)
Subsequently, attackers became bolder. Certain new tab extensions began hijacking users' search traffic, redirecting it to known hijacking sites like trovi.com. More seriously, they started collecting users' search queries (even real-time input before users pressed Enter) and cookies from specific domains, sending the data to attackers' servers.
Phase 3: The Long Game
This phase was the most deceptive. ShadyPanda acquired or developed 5 extensions including Clean Master, allowing them to operate legitimately for years, accumulating hundreds of thousands of users, and even earning "Featured" and "Verified" badges from stores.
It wasn't until mid-2024 that attackers pushed malicious code through automatic update mechanisms. These extensions were implanted with Remote Code Execution (RCE) backdoors, downloading and executing arbitrary JavaScript code from control servers every hour. This means attackers could change extension behavior at any time, transitioning from monitoring to ransomware or credential theft.
Phase 4: The Spyware Empire (4 Million+ Users)
This is currently the most impactful phase. The report indicates that 5 other extensions operated by ShadyPanda in the Edge store (including extensions with millions of users) are actually powerful spyware.
These extensions are accused of collecting and exfiltrating the following data:
- Complete browsing history: Every URL visited.
- Search queries: Recording every user search.
- Page interactions: Mouse click coordinates, dwell time, etc.
- Browser fingerprints: Screen resolution, User Agent, timezone, etc.
- Cookies and storage data: Having permissions to read all cookies and local storage.
According to reports, this data was sent to servers located in China as well as Google Analytics.
User Community Response
This incident has sparked strong reactions across major tech communities. Many long-term users expressed shock and anger, while others began searching for alternatives.
In the Linux.do community, users expressed concerns about data breaches:
"I spent so long customizing everything, and now it's all gone! Malicious plugins I**" —— Acheron "Got hit, don't know what exactly was stolen" —— hjie
On V2EX, users also posted:
"Can't laugh about this, been using a new tab page for years, suspected to be poisoned"
Users in the NodeLoc community expressed relief at not being affected and reminded each other to stay vigilant about security.
These authentic voices reflect users' concern for privacy and security, as well as disappointment at being "backstabbed" by tools they once trusted.
Technical Details and Harm
The report provides detailed analysis of ShadyPanda's technical methods:
- RCE Backdoor: Infected extensions regularly check
api.extensionplay[.]com, downloading and executing obfuscated JavaScript code. - Anti-Analysis: Malicious code detects whether developer tools are open, and if debugging behavior is detected, it stops malicious activities to evade analysis.
- Man-in-the-Middle Attack Capability: Through Service Workers, malicious extensions can intercept and modify network traffic, even injecting malicious content into HTTPS connections.
Official Response and Controversy
In response to Koi.ai's allegations, the WeTab and Infinity teams quickly released response statements (see Official Statement).
The teams stated:
- Clean Master Chrome version was sold to a third party long ago, and subsequent malicious updates are unrelated to the original team.
- WeTab and Infinity are independently operated products with code different from Clean Master, containing no backdoors or malicious monitoring.
- Extensions were removed because they used the same developer account as Clean Master and were "guilty by association," not because the products themselves contained malicious code.
- Collected data is only used for basic product functions (such as syncing, statistics), does not involve privacy, and the teams have invited third-party organizations to conduct security audits.
Reference sources: Koi.ai Blog, BleepingComputer, V2EX Discussion
More Posts
How to Organize Bookmarks in Chrome with BoTab (The Efficiency Playbook)
Chrome's native bookmark manager is a black hole. This playbook shows how to organize bookmarks in Chrome with BoTab — turning them into a visual new tab page with multi-column layouts, smart sorting, sharing, quick navigation, and local-first privacy.
8 Best Chrome Session Manager Extensions to Save and Restore Tabs (2026)
Lost context after a restart? Learn how to save tabs in Chrome with these 8 session manager extensions for 2026 — covering one-click session saves, crash recovery, workspace switching, reminder-based revisits, and beautiful new tab hubs.
BoTab's Next Leap into Session Management
Explore how BoTab is building one click session saving and restoration so busy people can switch work modes without rebuilding their browser context every time.
Download Now Chrome