ShadyPanda Weaponizes Trusted Browser Extensions in 7-Year Campaign

A threat actor tracked as ShadyPanda has been running a browser extension malware operation since 2018, compromising 4.3 million Chrome and Edge users. The campaign weaponized trusted productivity tools through silent updates that slipped past automated marketplace reviews.

The operation worked by publishing legitimate extensions, building user trust over several years, then pushing malicious updates through Chrome and Edge’s auto-update systems. Some extensions operated cleanly for five years before turning malicious.

The Multi-Phase Attack

ShadyPanda started in 2023 with 145 extensions disguised as wallpaper and productivity tools. These injected affiliate tracking codes into shopping sites like Amazon and eBay while collecting browsing data. The threat actor used this phase to learn how marketplace reviews work and how users evaluate extensions.

By early 2024, the operation escalated to search hijacking. Extensions redirected queries through known browser hijackers, exfiltrated cookies, and captured keystrokes from search boxes before users even pressed Enter. All of this moved over unencrypted HTTP connections.

The most damaging phase came in mid-2024. Five extensions that had been running since 2018-2019 received malicious updates installing remote code execution backdoors. One of these, Clean Master, had earned Google’s “Featured” and “Verified” badges and accumulated over 200,000 installations.

These backdoored extensions check in hourly with attacker-controlled servers, download arbitrary JavaScript, and execute it with full browser access. The malware monitors every website visit, exfiltrates encrypted browsing history, and collects complete browser fingerprints. When users open developer tools, the malware switches to benign behavior to avoid detection.

A parallel spyware operation runs through five additional Microsoft Edge extensions published by Starlab Technology. These have accumulated over 4 million installations, with WeTab New Tab Page alone accounting for 3 million users.

What the Extensions Are Stealing

The malware tracks every URL visited, all search queries at keystroke level, mouse clicks with pixel precision, browser fingerprints, page interaction data, and storage access. The collected data flows to 17 different domains, including multiple Baidu servers in China and WeTab servers in China.

The extensions have permissions to access all URLs and cookies. ShadyPanda can push updates at any time to deploy additional backdoors or switch payloads from surveillance to ransomware or credential theft.

Still Active in Microsoft Edge

Google has removed the malicious extensions from the Chrome Web Store. However, multiple extensions remain active in the Microsoft Edge Add-ons store as of December 2, 2025. WeTab (3 million users) and Infinity New Tab (Pro) (650,000 users) were confirmed still available for download.

Even after marketplace removal, the malicious infrastructure remains active on any browser where the extensions are still installed. The remote code execution backdoor continues checking for commands hourly.
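The hourly check-in is the behavior a defender can hunt for in proxy or DNS logs. As an added example (not code from the article or from any of the vendors named), this Python snippet groups requests per client and destination host and flags pairs contacted at near-constant one-hour intervals; the log format and the sample lines are constructed for this example, and the host name is a placeholder, not a real indicator.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed proxy-log format:
# "<ISO timestamp> <client_ip> <browser> <host>"
# The beaconing host below is a placeholder, not an indicator from the article.
SAMPLE_LOG = """\
2025-12-02T08:00:03Z 10.1.2.7 chrome update.example-c2.test
2025-12-02T08:14:41Z 10.1.2.7 chrome www.example.com
2025-12-02T09:00:05Z 10.1.2.7 chrome update.example-c2.test
2025-12-02T09:37:12Z 10.1.2.7 chrome www.example.com
2025-12-02T10:00:02Z 10.1.2.7 chrome update.example-c2.test
2025-12-02T11:00:06Z 10.1.2.7 chrome update.example-c2.test
2025-12-02T12:00:04Z 10.1.2.7 chrome update.example-c2.test
2025-12-02T08:05:00Z 10.1.2.9 edge www.example.com
2025-12-02T09:00:00Z 10.1.2.9 edge www.example.com
2025-12-02T10:30:00Z 10.1.2.9 edge www.example.com
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (timestamp, client, host) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(4)

def find_periodic_beacons(text, period=3600, tolerance=60, min_hits=4):
    """Return {(client, host): gap_count} for pairs whose every inter-request
    gap is within +/- tolerance seconds of period (default: one hour)."""
    buckets = defaultdict(list)
    for ts, client, host in parse_log(text):
        buckets[(client, host)].append(ts)
    hits = {}
    for key, times in buckets.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if all(abs(g - period) <= tolerance for g in gaps):
            hits[key] = len(gaps)
    return hits

if __name__ == "__main__":
    for (client, host), n in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {n} consecutive ~hourly intervals")
```

Widen `tolerance` if the implant adds jitter, and note that ordinary browsing to the same host in between check-ins will break the strict all-gaps test, so run it against hosts not otherwise visited by the fleet.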

Playing the Long Game

Browser extension marketplaces review extensions during initial submission but provide little ongoing monitoring afterward. Auto-update pipelines deliver code changes without meaningful security checks. ShadyPanda exploited this gap consistently for seven years.

Clean Master operated legitimately for five years before receiving its malicious update. This patience allowed the extension to accumulate a large user base and earn marketplace verification badges that increased trust. Users saw high ratings, thousands of reviews, and official verification markers, then installed what appeared to be legitimate software.

The auto-update mechanism became the attack vector. Chrome and Edge’s trusted update pipelines silently delivered malware to users without requiring phishing, social engineering, or any user interaction.

What to Do Now

Check your installed extensions immediately in Chrome and Edge. Remove any suspicious extensions, especially:

  • Clean Master
  • WeTab New Tab Page
  • Infinity V+ or Infinity New Tab (Pro)
  • Any extensions from publishers “nuggetsno15,” “rocket Zhang,” or “Starlab Technology”

After removal, reset your account passwords across all online services. The extensions had access to credentials, cookies, and session data.

Consider auditing your installed extensions regularly and removing any you no longer use. Disable automatic extension updates where possible.
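As an added example (not from the article or Admin By Request), the Python script below walks the Chrome and Edge profile directories, reads each installed extension's manifest.json, and flags the names and publishers listed above as well as the broad host access plus cookies combination the article describes. The profile paths, the watch-list contents and the use of the optional manifest `author` field are assumptions; the store-listed publisher name is not always present in the manifest, so treat a publisher match as a bonus, not the primary check.

```python
import json
import os
import platform
from pathlib import Path

# Watch-list built from the names and publishers in the article (assumption: exact, case-insensitive match).
WATCHLIST_NAMES = {"clean master", "wetab new tab page", "infinity v+", "infinity new tab (pro)"}
WATCHLIST_PUBLISHERS = {"nuggetsno15", "rocket zhang", "starlab technology"}
# Broad host access combined with sensitive APIs is the capability set the article describes.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMS = {"cookies", "webRequest", "tabs", "history", "scripting"}

def assess_manifest(manifest: dict) -> dict:
    """Return findings for one manifest (MV2 or MV3). Localized names
    (__MSG_*__) are not resolved here, so the permission check matters most."""
    name = str(manifest.get("name", "")).lower()
    author = str(manifest.get("author", "")).lower()  # optional field; assumption that it holds the publisher
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    findings = []
    if name in WATCHLIST_NAMES:
        findings.append("name on watch-list")
    if author in WATCHLIST_PUBLISHERS:
        findings.append("publisher on watch-list")
    if perms & BROAD_HOSTS and perms & SENSITIVE_PERMS:
        findings.append("broad host access + " + ", ".join(sorted(perms & SENSITIVE_PERMS)))
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"), "findings": findings}

def profile_extension_dirs() -> list:
    """Locate <profile>/Extensions for Chrome and Edge on Windows, macOS and Linux."""
    home, sysname = Path.home(), platform.system()
    if sysname == "Windows":
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData/Local"))
        roots = [base / "Google/Chrome/User Data", base / "Microsoft/Edge/User Data"]
    elif sysname == "Darwin":
        roots = [home / "Library/Application Support/Google/Chrome",
                 home / "Library/Application Support/Microsoft Edge"]
    else:
        roots = [home / ".config/google-chrome", home / ".config/microsoft-edge"]
    return [p for r in roots if r.exists() for p in r.glob("*/Extensions")]

def scan() -> list:
    """Layout is Extensions/<id>/<version>/manifest.json; return only flagged extensions."""
    results = []
    for ext_dir in profile_extension_dirs():
        for manifest_path in ext_dir.glob("*/*/manifest.json"):
            try:
                data = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (ValueError, OSError):
                continue
            r = assess_manifest(data)
            r["id"] = manifest_path.parent.parent.name
            if r["findings"]:
                results.append(r)
    return results

if __name__ == "__main__":
    for r in scan():
        print(f"{r['id']} {r['name']} v{r['version']}: {'; '.join(r['findings'])}")
```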

The Bigger Problem

For organizations, this represents a significant endpoint security risk. Employees using infected extensions on work devices could have exposed corporate credentials, internal systems, and sensitive data. A single compromised browser extension can become an entry point into an entire network.

The fact that WeTab and other extensions remain active in the Edge marketplace while actively exfiltrating data to servers in China raises serious questions about marketplace security practices. The review process hasn’t changed significantly in seven years, and attackers now understand exactly how to exploit it at scale. You can’t rely on marketplaces to catch every threat, which means organizations need to assume malware will eventually make it onto endpoints and plan accordingly.

That’s where restricting admin privileges makes a real difference. Admin By Request EPM keeps users operating with standard privileges by default and only grants elevated access on a just-in-time basis for approved applications. Malware running without admin rights can’t install persistent backdoors, modify system files, disable security software, or move laterally across your network.

Want to see how privilege management reduces your attack surface? Book a demo or try our lifetime free plan for up to 25 endpoints.

About the Author:

Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
