How many corporate logins are you routing through third-party code? Two Chrome extensions answered that question for thousands — silently.
- Two Chrome extensions named Phantom Shuttle have operated since at least 2017 and are marketed as proxy/VPN tools but inject hardcoded proxy credentials and route traffic through attacker-controlled proxies.
- Attackers abuse Chrome extension APIs to inject credentials, force PAC proxy configuration, and exfiltrate form data, cookies, and tokens for 170+ high-value domains.
- Immediate actions: identify and remove the extension IDs, block `phantomshuttle.space`, hunt for proxy-auth attempts using `topfany:963852wei`, and verify systems where credentials were used.
Threat Research Team discovered two malicious Chrome extensions (both named Phantom Shuttle) that embed malicious JavaScript into a legitimate jQuery library to perform silent credential injection and PAC-based proxy routing.
The extensions automatically respond to any HTTP authentication challenge with hardcoded credentials, configure Chrome to use attacker proxies for a curated list of high-value domains, and maintain a heartbeat to a C2 domain while exfiltrating data. The commercial subscription model (Alipay/WeChat Pay) masks malicious intent and helps the actor retain victims.
Observed Evidence & Timeline
- Active since at least 2017 — Socket'’ telemetry and package history show long-term availability. (Socket — Dec 22, 2025).
- Dec 22, 2025 — Socket publishes a technical analysis of Phantom Shuttle; details include extension IDs, embedded obfuscated credentials, and PAC logic. (Socket).
- Dec 23, 2025 — BleepingComputer, TheHackerNews and other outlets report on thendings and confirm the extensions remained live in the Chrome Web Store at reporting time.
Technical Analysis
Attack flow (high level)
- User installs Phantom Shuttle from Chrome Web Store and optionally pays subscription.
- Extension injects malicious code (prepended to `jquery-1.12.2.min.js`) that decodes hardcoded proxy credentials and registers an `onAuthRequired` listener.
- The listener auto-responds to HTTP auth challenges with attacker credentials, enabling transparent authentication to attacker proxies.
- Extension sets Chrome proxy via a PAC (Proxy Auto-Config) script and routes traffic to selected high-value domains through the proxy server.
- Extension maintains a 60-second heartbeat to C2 and exfiltrates captured cookies, form fields, and tokens.
Key artifacts
- Malicious strings and decoder function (`jerry`) used to obfuscate credentials.
- `chrome.webRequest.onAuthRequired` listener with `asyncBlocking`.
- PAC script injected via `chrome.proxy.settings.set(...)` referencing a decoded proxy server.
- Heartbeat and C2 communication to `phantomshuttle.space`.
Short ASCII flow
User -> Chrome Web Store (install) -> Extension (jquery + malicious payload)
-> injects onAuthRequired -> auto-auth using topfany:963852wei
-> sets PAC -> selected domains -> attacker proxy -> data capture -> C2
Indicators of Compromise (IOCs)
| Type | Value | Source |
|---|
| Chrome extension ID | `fbfldogmkadejddihifklefknmikncaj` | Socket |
| Chrome extension ID | `ocpcmfmiidofonkbodpdhgddhlcmcofd` | Socket |
| Extension version | `3.1.9` | Socket |
| Registration email | `theknewone.com@gmail[.]com` | Socket |
| C2 domain | `phantomshuttle[.]space` | Socket |
| C2 IP | `47[.]244[.]125[.]55` | Socket |
| Hardcoded proxy username |
> IOCs above are sourced from Socket and corroborated reporting; mark unconfirmed items accordingly.
MITRE ATT&CK Mapping
- T1176 — Browser Extensions.
- T1557 — Adversary-in-the-Middle.
- T1090.002 — Proxy: External Proxy.
- T1539 — Steal Web Session Cookie.
- T1056.003 — Input Capture: Web Portal Capture.
- T1027 — Obfuscated Files or Information.
- T1071.001 — Application Layer Protocol: Web Protocols.
- T1573 — Encrypted Channel (C2 heartbeat).
Detection & Hunting
High-priority hunts (apply immediately)
- EDR / Endpoint: Enumerate installed Chrome extensions and flag installations with IDs listed above.
- Windows PowerShell (EDR hunt example):
Get-ChildItem -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions" -Directory |
Where-Object { $_.Name -in @('fbfldogmkadejddihifklefknmikncaj','ocpcmfmiidofonkbodpdhgddhlcmcofd') }
- Chrome enterprise/ADMX-managed environments: Query extension policy logs for installations of the listed IDs.
- Network / Proxy logs: Search for connections to `phantomshuttle.space` or to IP `47.244.125.55`.
index=network (host="*" OR sourcetype=proxy_logs) (dest_host="phantomshuttle.space" OR dest_ip="47.244.125.55") | stats count by src_ip, dest_host, dest_ip
- Web proxy / HTTP logs: Hunt for Basic Auth headers using `topfany` or suspicious Authorization header patterns:
- Look for `Authorization` values that decode to `topfany:963852wei`.
- Browser telemetry: Detect `chrome.proxy.settings.set` usage anomalies and PAC script injections in chrome extension directories.
- File scanning / YARA: match presence of strings `tjp` / `jerry(` and the encoded `P_x`/`P_y` markers within extension JS files.
- Defanged YARA (safe, high-level):
rule Phantom_Shuttle_JS_Pattern {
strings:
$s1 = "function jerry(" ascii
$s2 = "P_x = " ascii
$s3 = "P_y = " ascii
condition:
all of them
}
SIEM & log sources to prioritize
- Proxy logs (Squid, Palo Alto, Blue Coat)
- Web gateway logs (Zscaler, Cisco Umbrella)
- EDR telemetry for Chrome user profile directories
- Enterprise Chrome management logs
- Cloud console access logs (for accounts that may have been accessed while extension was active)
Mitigation & Remediation
Immediate (0–24 hrs)
- Remove the two extension IDs from managed devices and instruct users to uninstall via policy. (Block by extension ID in Chrome Enterprise).
- Block network traffic to `phantomshuttle.space` and IP `47.244.125.55` at network perimeter and proxy.
- Force password resets for any accounts accessed via browser while the extension was installed — prioritize cloud consoles, code repositories, and identity providers. Revoke session tokens and OAuth grants where feasible.
- Rotate API keys and service credentials that might have been used in browser sessions.
Short term (24–72 hrs)
- Roll out EDR rules to detect and delete the extension package on endpoints.
- Reissue and rotate service credentials (API tokens) and enforce MFA for privileged accounts.
- Use browser telemetry to inventory which users/devices saw PAC changes or installed these extensions.
Medium term (1–6 weeks)
- Enforce extension whitelisting in Chrome Enterprise policies; block `webRequestAuthProvider`, `proxy`, and `management` permissions for consumer installs.
- Deploy network anomaly detection for unusual proxy-auth events and implement DLP on web traffic for sensitive form submissions.
- Add extension binary scanning into offline EDR/YARA workflows for earlier detection.
Risk Assessment
- Risk score: High — attacker-controlled proxy + credential harvesting affects identity, cloud resources, code repositories, and financial data.
- Affected verticals: Developers, cloud engineers, e-commerce, finance, and personnel working with foreign-trade tooling — especially China-facing teams targeted by the extension's marketing.
- CISO priorities: block extension IDs, force credential rotation for high-risk assets, and accelerate extension governance policy.
When the authentication layer moves outside your perimeter without raising alerts, compromise stops looking like an incident and starts looking like normal traffic.