7-year ShadyPanda campaign infected over 4.3 million browsers via malicious Chrome and Edge extensions, turning trusted updates into spyware.

Continue reading
In one of the most sustained digital espionage campaigns ever uncovered, over 4.3 million Chrome and Edge users had their browsing activity, passwords, and online identities silently harvested for years by the very browser extensions they trusted. Dubbed "ShadyPanda" by cybersecurity firm Koi Security, this seven-year campaign exploited a fundamental flaw in the global browser ecosystem, turning routine security updates into a weapon against unsuspecting users.
The investigation reveals a patient, sophisticated operation in which attackers first published legitimate extensions, gained coveted "Featured" status in official stores, and then—years later—pushed malicious updates that transformed helpful tools into full-spectrum spyware. As of early December 2025, extensions linked to the campaign, including one with approximately 3 million installations, reportedly remain available on the Microsoft Edge Add-ons store despite public disclosure.
The ShadyPanda operation didn't hack browsers; it hijacked trust. Its methodology reveals a blueprint for modern digital infiltration:
Phase 1: The Legitimate Front (2018-2023) Attackers published over 150 benign extensions—primarily wallpaper managers, screenshot tools, and productivity enhancers—to the Chrome Web Store and Microsoft Edge Add-ons store. These passed standard reviews, accumulated millions of users, and some even earned official "Featured" or "Verified" badges, the highest trust signals in browser marketplaces.
Phase 2: The Silent Weaponization (Mid-2024) The critical turn came through routine, automated updates. Extensions like "Clean Master," with established user bases, received updates containing a sophisticated Remote Code Execution (RCE) framework. This allowed attackers to silently deploy any surveillance payload at will, turning browsers into live-feeds of user activity.
Phase 3: Live Surveillance & Data Harvesting (Ongoing) At least five extensions on the Edge store, including the massively popular "WeTab" (3 million installs), continue to actively collect:
"This campaign exposes the bankruptcy of the 'review-at-submission' model that both Google and Microsoft employ," explains Dr. Elena Vargas, a supply-chain security researcher at MIT. "We treat extensions like trusted applications, but their update mechanism operates like an unguarded backdoor."
The central failure is procedural: both major browser stores conduct primary security reviews only when an extension is first submitted. Subsequent updates are largely automated and trusted, creating what security professionals call a "supply-chain attack vector." ShadyPanda simply waited out the initial review period—sometimes for five years—before deploying its malicious payloads.
A comparative analysis reveals stark differences in platform response:
| Platform | Number of Identified Malicious Extensions | Key Example | Current Status (Dec 2025) | Response Timeframe |
|---|---|---|---|---|
| Chrome Web Store | 150+ extensions | "Clean Master" (RCE backdoor) | Removed post-disclosure | Days after disclosure |
| Microsoft Edge Add-ons | 5+ active extensions | "WeTab" (3M+ installs) | Reportedly still available | No public removal/statement |
While 4.3 million is a staggering figure, the true impact is qualitative. Affected users include:
"This isn't just stolen credit cards," notes Marcus Thrane, head of incident response at a global cybersecurity firm. "This is the gradual, comprehensive mapping of digital lives—relationships, interests, fears, and identities—sold to the highest bidder or leveraged for more targeted attacks."
Evidence suggests the stolen data feeds a growing commercial surveillance ecosystem. According to leaked threat actor communications analyzed by security firm Unit 221B, browser history datasets from Western users command premium prices in underground forums, often categorized by:
The extensions themselves appear financially motivated through multiple streams: affiliate fraud (hijacking shopping commissions), direct data sales, and potentially targeted ad injection.
The ShadyPanda campaign operates in a regulatory gray zone. Unlike data breaches where personally identifiable information is stolen from a company's database, this constitutes a distributed, continuous collection directly from user devices.
For organizations and advanced users:
ShadyPanda represents more than a large-scale malware campaign; it signals the end of naive trust in the digital tools we use daily. The very mechanisms designed for our protection—automated updates, platform verification badges, centralised app stores—were systematically weaponised against us.
The campaign's seven-year success reveals an uncomfortable truth: in today's digital ecosystem, legitimacy is not a permanent state but a temporary condition that invisible actors can revoke at any moment. As browsers become our primary interface to the world—handling everything from email to banking to healthcare—their extension ecosystems represent one of the largest, least-regulated software supply chains on Earth.
Until platforms implement continuous behavioral analysis of extensions (monitoring what they do after approval, not just what they claim to do at submission), and until regulatory frameworks recognize distributed data collection as the systemic threat it represents, the ShadyPanda blueprint will inevitably be replicated. In the architecture of modern digital life, we've discovered that the most convenient doors are also the easiest to leave unlocked—and someone has been walking through them for seven years.
The final irony may be this: the extensions promised to enhance our browsing experience. Instead, they turned our browsers into panopticons, proving that in the digital age, the most valuable commodity isn't technology, but the trust we place in it.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.