ShadyPanda is a long-running malicious browser extension campaign that weaponized seemingly legitimate productivity and wallpaper add-ons for Google Chrome and Microsoft Edge, mapped to MITRE ATT&CK techniques T1195 (Supply Chain Compromise), T1105 (Ingress Tool Transfer), and T1059 (Command and Scripting Interpreter). Over seven years, the operators published benign extensions, accumulated millions of installs, then pushed silent updates that added a remote-code-execution-capable backdoor and extensive surveillance features. One cluster of five extensions infected more than 300,000 users, while a later wave of five Edge extensions, including the WeTab productivity tool, amassed over four million installs and exfiltrated browsing data, search queries, cookies, and keystrokes to servers in China. Because extension marketplaces perform approvals primarily at submission time, the malicious functionality was introduced via version bumps that auto-updated across the entire user base, turning trusted productivity tools into spyware.

The backdoor variants polled api.extensionplay[.]com every hour for new JavaScript payloads, enabling dynamic injection of malicious logic into any visited website, including HTTPS sessions. Earlier ShadyPanda campaigns also abused affiliate injection and browser hijacking—silently redirecting searches to trovi.com, logging keystrokes, and monetizing user traffic through injected tracking codes on e-commerce sites like Amazon, eBay, and Booking.com.

For organizations, the impact extends beyond privacy loss: the RCE-capable extensions can steal authentication cookies, session tokens, and MFA bypass artifacts, potentially leading to account takeover of SaaS, cloud consoles, and internal portals. Exposure of detailed browsing histories and behavioral fingerprints also raises compliance concerns under GDPR and similar privacy regulations, particularly when employees access corporate systems from browsers with compromised extensions.
Mitigation requires tightening extension governance: enterprises should restrict browser extensions to an allowlist of vetted publishers, monitor for risky permissions like access to all URLs and cookies, and deploy endpoint controls that detect anomalous extension update behavior. Users should be educated that high install counts and “Featured” badges do not guarantee safety, and security teams should hunt for ShadyPanda-related domains and extension IDs across managed fleets, removing malicious add-ons and invalidating sensitive sessions that may have been exposed.
🎯CORTEX Protocol Intelligence Assessment
Business Impact: ShadyPanda’s malicious browser extensions convert widely used Chrome and Edge installations into surveillance and backdoor platforms, enabling theft of session cookies, login credentials, and sensitive browsing data at scale. Organizations face elevated risks of SaaS account takeover, cloud console compromise, and regulatory exposure when employee browsing from corporate or BYOD devices is silently monitored and manipulated.

Technical Context: The campaign leverages T1195 supply chain compromise by publishing legitimate extensions, then later pushing updates that introduce T1105-style backdoor code and T1059 JavaScript payload execution. Auto-updating extension mechanisms, broad permissions (all URLs, cookies), and weak post-approval monitoring in marketplaces allowed ShadyPanda to maintain long-term persistence and dynamically deliver malicious scripts to millions of browsers.
⚡Strategic Intelligence Guidance
- Implement enterprise browser management policies that enforce an approved extension allowlist and automatically remove extensions with excessive permissions or untrusted publishers.
- Deploy endpoint and browser telemetry to monitor extension installation and update events, alerting when new add-ons request access to all URLs, cookies, or scripting capabilities.
- Invalidate active sessions and rotate credentials for high-value SaaS and cloud platforms when ShadyPanda-related extensions are found on user devices, and review logs for suspicious activity.
- Engage with browser vendors and extension marketplaces to report malicious extensions promptly and integrate ShadyPanda indicators into security monitoring and threat hunting workflows.
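The allowlist and update-monitoring controls above, as an added example that is not part of this assessment: a Python audit over two constructed extension-inventory snapshots (for example, manifests collected from managed endpoints) that flags non-allowlisted IDs, risky permission combinations, and a version bump that newly adds broad host access or cookie/scripting permissions. All extension IDs and manifests are constructed placeholders.

```python
"""Audit a fleet's browser-extension inventory for the ShadyPanda pattern:
a benign-looking extension whose version bump silently adds broad host access
plus cookie or scripting capability, or any extension outside the vetted
allowlist. All extension IDs and manifests below are constructed samples."""
from dataclasses import dataclass

# Permissions that let an extension read cookies or inject into pages.
RISKY_PERMISSIONS = {"cookies", "webRequest", "scripting", "tabs", "webNavigation"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # constructed placeholder ID

@dataclass(frozen=True)
class Finding:
    ext_id: str
    reason: str

def risky_grants(manifest):
    """Return (risky API permissions, broad host patterns) for MV2 or MV3."""
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    return perms & RISKY_PERMISSIONS, hosts & BROAD_HOSTS

def audit(baseline, current):
    """Compare two inventory snapshots ({ext_id: manifest}) and return Findings."""
    findings = []
    for ext_id, manifest in current.items():
        perms, hosts = risky_grants(manifest)
        if ext_id not in ALLOWLIST:
            findings.append(Finding(ext_id, "not on vetted allowlist"))
        if perms and hosts:
            findings.append(Finding(ext_id, "broad host access plus " + ", ".join(sorted(perms))))
        old = baseline.get(ext_id)
        if old and old.get("version") != manifest.get("version"):
            old_perms, old_hosts = risky_grants(old)
            gained = (perms - old_perms) | (hosts - old_hosts)
            if gained:  # the post-approval escalation ShadyPanda relied on
                findings.append(Finding(ext_id, f"update {old['version']} -> "
                                        f"{manifest['version']} added {sorted(gained)}"))
    return findings

# Constructed snapshots: a wallpaper add-on that was harmless when first vetted.
BASELINE = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"version": "1.2", "permissions": ["storage"]},
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"version": "4.0", "permissions": ["storage"]}}
CURRENT = {"bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"version": "1.3", "host_permissions": ["<all_urls>"],
                                                "permissions": ["storage", "cookies", "scripting"]},
           "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"version": "4.0", "permissions": ["storage"]}}
```

Running `audit(BASELINE, CURRENT)` yields three findings for the wallpaper add-on and none for the allowlisted one; the "update ... added" finding is the signal worth an alert even when the extension was previously approved.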
Targets
- Chrome users
- Edge users
- Enterprise SaaS accounts