While some consumers spend hours researching must-add Google Chrome extensions, most don’t consider which ones they need to delete. Following a seven-year cyberhacking campaign that infected roughly 4.3 million Chrome and Edge browsers with spyware, it might be time to do just that. Dubbed ShadyPanda by the cybersecurity research firm Koi Security, which first reported the scheme in December 2025, the group operated several legitimate browser extensions for years before weaponizing them to collect its users’ web browsing data. According to Koi Security, the Chinese hacking group is a quintessential example of how malicious actors attack popular extension marketplaces like those of Google Chrome and Microsoft Edge, accumulating customers before pushing through software updates that infect victims with dangerous malware. Following the report, several additional extensions involved in the project were publicly identified by The Hacker News:
- Clean Master: the best Chrome Cache Cleaner
- Speedtest Pro-Free Online Internet Speed Test
- BlockSite
- Address bar search engine switcher
- SafeSwift New Tab
- Infinity V+ New Tab
- OneTab Plus:Tab Manage & Productivity
- WeTab 新标签页
- Infinity New Tab for Mobile
- Infinity New Tab (Pro)
- Infinity New Tab
- Dream Afar New Tab
- Download Manager Pro
- Galaxy Theme Wallpaper HD 4k HomePage
- Halo 4K Wallpaper HD HomePage
When Koi broke the story, many of these applications were still active in both the Google Chrome and Microsoft Edge browser stores. However, in a statement given to The Hacker News, Microsoft said it had removed all the extensions identified in the scam. Following the scheme, experts suggest users remove any unrecognized browser extensions, review privacy permissions, and focus only on trusted developers. For the industry writ large, the case is a fascinating look into an ever-evolving threat landscape, providing key lessons for preventing future attacks.
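One way to act on that advice is to audit what is already installed rather than trusting store ratings. The script below is an added example, not code from the article or from Koi Security: it parses the `extensions.settings` map that Chromium-based browsers (Chrome and Edge) keep in their profile’s `Preferences` or `Secure Preferences` JSON file (the field names `manifest.permissions`, `manifest.host_permissions` and `from_webstore` are the assumed layout) and flags extensions that can read every site, use traffic- or cookie-level APIs, or were not installed from the official store. The sample data is constructed.

```python
import json
import sys
from typing import Dict, List

# Host patterns that let an extension read or alter every site the user visits,
# and APIs that reach cookies, tabs and network traffic. This review list is an
# assumption of this example, not a list taken from the article.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_API_PERMISSIONS = {"webRequest", "webRequestBlocking", "cookies",
                             "tabs", "history", "scripting", "declarativeNetRequest"}


def audit_extensions(prefs_json: str) -> List[Dict]:
    """Return one finding per installed extension that deserves a manual look."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
        declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        reasons = []
        if declared & BROAD_HOST_PATTERNS:
            reasons.append("reads/alters every site")
        apis = declared & SENSITIVE_API_PERMISSIONS
        if apis:
            reasons.append("sensitive APIs: " + ", ".join(sorted(apis)))
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the official store")
        if reasons:
            findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                             "version": manifest.get("version", "?"), "reasons": reasons})
    return findings


# Constructed sample in the shape of a Preferences file; IDs and names are made up.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": True, "manifest": {
        "name": "Harmless Note Taker", "version": "1.2.0",
        "permissions": ["storage", "activeTab"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": True, "manifest": {
        "name": "Wallpaper New Tab (constructed)", "version": "3.0.1",
        "permissions": ["tabs", "cookies", "webRequest"],
        "host_permissions": ["<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {"from_webstore": False, "manifest": {
        "name": "Sideloaded Helper", "version": "0.1", "permissions": ["storage"]}},
}}})

if __name__ == "__main__":
    # Pass the path to a real Preferences/Secure Preferences file, or run on the sample.
    data = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS
    for f in audit_extensions(data):
        print(f"{f['id']}  {f['name']} v{f['version']}: {'; '.join(f['reasons'])}")
```

A flagged entry is a prompt to check the developer and the permission set by hand, not proof of malice; wallpaper and new-tab extensions legitimately need some of these permissions, which is exactly why they make good cover.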
ShadyPanda’s early hacking operations
ShadyPanda published the first of its 150+ web browser extensions in 2018, garnering nearly 4.3 million users over six years. These applications operated legitimately for seven years, gaining the trust of an expanding user base. The first attack occurred in early 2024, converting 145 wallpaper and productivity applications into vectors for mass affiliate fraud, in which hackers injected tracking codes whenever users made purchases on popular webstores to secretly steal commissions from marketplaces like Amazon and Booking.com. The group also used Google Analytics to track, log, and sell users’ browsing data.
The group initiated a bolder, second crime wave in 2024, where applications like Infinity V+ used search redirection, cookie exfiltration, and search query harvesting techniques to log and monetize users’ browser activity without their consent. Although these attacks were easily identified and disrupted by security professionals, with several applications removed within weeks of their orchestration, they set the stage for the organization’s longer, more prolific attacks. Taking five of the organization’s most popular browser extensions, many of which were uploaded as early as 2018 and garnered Featured and Verified status, the group uploaded malicious software updates that infected over 300,000 Chrome and Edge users with malware.
Following the malicious updates, which took advantage of users’ automated update settings, these five extensions, including Speedtest Pro-Free Online Internet Speed Test and Clean Master, created a backdoor through which ShadyPanda could deliver ransomware, execute credential theft, steal browsing data, and conduct corporate espionage. The success of these attacks set the groundwork for what would become a four million+ victim spyware scam.
Beware of spyware
ShadyPanda’s next scam attracted four million Microsoft Edge users through extensions like WeTab. Published by StarLab Technology, WeTab garnered over three million users alone. Disguised as productivity tools, these spyware extensions operated legitimately for two years before quietly collecting the entirety of their users’ browsing data, ranging from search queries, keystrokes, mouse movements, and scroll behavior to browser fingerprints like screen resolution, language, and viewing time. Extensions like WeTab then exfiltrated this information to 15 Chinese domains.
Although less invasive than the group’s previous scam, it was much more prolific and exhibited the same ability to push RCE backdoors into users’ systems. Together, ShadyPanda’s operations offer several lessons for users, developers, and browser marketplaces. Critically, they point to a major security flaw within the broader extension and app marketplace, where due diligence processes end at the approval stage, thus allowing hackers to attack victims through malicious software updates, often manipulating security-minded auto-update settings. As Koi Security points out, however, these problems go far beyond ShadyPanda and its more than four million users.
Instead, they reflect broader vulnerabilities in online marketplaces, setting the stage for prolonged hacking operations by criminal networks and state-sponsored groups. As such, marketplaces must adjust their security apparatuses accordingly. For users, it highlights a key vulnerability: trust. Whether it’s an abundance of faith in download numbers, online reviews, or verification badges, users must be vigilant in researching everyone they allow to access their data, as dangerous malware can lurk in everything from video games to iPhone applications. Even AI browsers have been found to spy on their users, underscoring the need for consumers to better assess the security of their data.
