Close Menu
Cybercrime and Ransomware

Extensions Exposed: Tracking Users & Creating Backdoors

Staff WriterBy No Comments4 Mins Read1 Views

Fast Facts

  1. A threat actor named ShadyPanda has been weaponizing over 100 malicious browser extensions for Chrome and Edge for nearly 7 years, with some still available for download and over 4 million total installs.
  2. These extensions were used for affiliate fraud by injecting tracking codes on sites like Amazon and eBay, generating hidden commissions and harvesting browsing data via Google Analytics.
  3. In 2024, ShadyPanda shifted tactics, deploying extensions like Infinity V+ to redirect searches and steal cookies, creating unique user profiles without consent.
  4. Previously legitimate extensions, including one with 300,000+ installs, were maliciously updated to serve as backdoors for remote code execution, enabling surveillance, data exfiltration, and potentially future malicious activities.

Underlying Problem

A malicious actor known as ShadyPanda has maliciously uploaded over a hundred Chrome and Microsoft Edge extensions, some of which have been downloaded more than four million times. Initially, these extensions appeared harmless and gained Google’s ‘Verified’ status; however, around mid-2024, the actor weaponized them through malicious updates. Consequently, the extensions turned into backdoors, capable of executing arbitrary JavaScript and issuing commands from external servers. These extensions now serve as tools for surveillance, data theft, and potentially more dangerous activities like ransomware, depending on ShadyPanda’s commands. The actor’s motivations seem rooted in monetizing browsing data through affiliate fraud, as evidenced by extensions that silently inject affiliate tracking codes and analyze user activity in real time.

The story was reported by Koi Security, which detailed how ShadyPanda changed tactics in 2024 by deploying a seemingly innocent productivity extension called Infinity V+ that hijacked web searches. This actor also exfiltrated sensitive data, including browser cookies, and created unique user identifiers without consent. Furthermore, evidence links these campaigns to previous legitimate extensions, revealing a deliberate strategy to first gain trust and then weaponize the platform. Both Google and Microsoft have yet to comment on these findings, but the exposed code and infrastructure highlight the growing threat posed by compromised browser extensions—tools that are supposed to protect users but can secretly turn into sophisticated surveillance and hacking platforms.

Potential Risks

The issue of Chrome and Edge extensions being caught tracking users and creating backdoors can seriously threaten your business. When malicious extensions bypass security, cybercriminals gain access to sensitive data, eroding customer trust and damaging your reputation. As a result, data breaches can lead to hefty fines, legal troubles, and loss of business to competitors. Furthermore, these backdoors can serve as entry points for malware, causing system downtime and costly recovery efforts. Consequently, if your business relies on browser extensions for daily operations, neglecting this risk can result in severe financial and operational setbacks. In short, without proper security measures, such vulnerabilities pose a real threat to your company’s stability and growth.

Possible Actions

Quick action to address “Chrome, Edge Extensions Caught Tracking Users, Creating Backdoors” is critical to prevent significant security breaches, protect user privacy, and maintain system integrity. Delays can amplify exposure, enabling malicious actors to exploit vulnerabilities or steal sensitive data.

Detection & Analysis

  • Conduct thorough review to identify malicious or suspicious extensions.
  • Analyze activity logs for unusual behaviors or unauthorized data access.

Removal & Quarantine

  • Immediately disable or uninstall compromised extensions from all affected browsers.
  • Quarantine impacted devices to prevent further spread.

Patch & Update

  • Ensure browsers and all extensions are updated to latest secure versions.
  • Apply patches to close exploitable vulnerabilities identified during analysis.

Configuration & Enforcement

  • Implement strict policies restricting installation of unapproved or unknown extensions.
  • Enable browser security settings that prevent extension installation from untrusted sources.

Monitoring & Detection

  • Increase surveillance for unusual extension behavior or network anomalies.
  • Deploy security solutions capable of detecting and alerting on malicious extension activities.

User Awareness & Training

  • Educate users on risks associated with browser extensions and best practices.
  • Encourage reporting of suspicious extension behaviors promptly.

Audits & Reviews

  • Regularly audit installed extensions for compliance and security.
  • Review and update security policies pertaining to browser extensions periodically.

Continue Your Cyber Journey

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1cyberattack-v1-multisource

Share.
Avatar photo

John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.

Related Posts

Comments are closed.