504/68 Wednesday, December 3, 2025

A recent report from Koi Security has revealed a long-running cyber operation spanning over seven years, in which a threat group known as ShadyPanda turned popular and legitimate-looking browser extensions into spyware tools, with a combined total of over 4.3 million installations. High-profile examples include the well-known extension Clean Master, previously validated as safe by Google, and WeTab on Microsoft Edge, which reached 3 million downloads. The attackers’ strategy was to allow the extensions to function normally at first to build a user base, and then push malicious updates containing harmful code in mid-2024.
The alarming capability of this malware is its remote command execution: every hour, the extensions secretly connect to a command-and-control server to receive new instructions and exfiltrate data, all without user awareness. The spyware captured browsing history, search queries, mouse clicks, and cookies, enabling account hijacking. Investigators also found affiliate fraud, where the extensions injected tracking scripts when users visited shopping sites like eBay or Amazon. Additionally, the malware was designed to self-terminate immediately if it detected the browser’s Developer Tools, helping it evade analysis.
Experts say this incident exposes a serious weakness in automatic update mechanisms, as most app stores perform rigorous security checks only during the initial submission, but not after subsequent updates, making it easy for productivity tools to turn into surveillance tools.
Users who installed Clean Master, WeTab, or other suspicious extensions are strongly advised to remove them immediately and change passwords for all sensitive online accounts to minimize potential damage.
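One way to act on the removal advice above, as an added example that is not code from the Koi Security report or the source article: a Python audit of a Chromium-based profile's Extensions directory that resolves each installed extension's display name, flags names matching Clean Master or WeTab, and lists permissions that would allow the history and cookie collection described. The BROAD permission set and the substring name matching are assumptions made for this example, and a name match is only a lead to verify before removal.

```python
import json
import sys
from pathlib import Path

# Names from the summary above; a name match is a lead, not proof.
NAMED_IN_REPORT = ("clean master", "wetab")
# Assumption (not from the report): permissions that would allow the collection described.
BROAD = {"history", "cookies", "tabs", "webRequest", "scripting", "<all_urls>", "*://*/*"}


def load_json(path):
    """Return the parsed JSON object, or None if missing, corrupt or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return None
    return data if isinstance(data, dict) else None


def display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>."""
    name = str(manifest.get("name", ""))
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    locale = str(manifest.get("default_locale", "en"))
    messages = load_json(version_dir / "_locales" / locale / "messages.json") or {}
    for key, entry in messages.items():
        if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
            return str(entry.get("message", name))
    return name


def audit_profile(extensions_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; one finding per install."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        manifest = load_json(path)
        if manifest is None:
            continue  # unreadable manifest: skip instead of aborting the scan
        name = display_name(path.parent, manifest)
        fields = [manifest.get(k) for k in ("permissions", "host_permissions")]
        requested = {p for v in fields if isinstance(v, list) for p in v if isinstance(p, str)}
        findings.append({"id": path.parent.parent.name, "name": name,
                         "named_in_report": any(n in name.lower() for n in NAMED_IN_REPORT),
                         "broad_permissions": sorted(requested & BROAD)})
    return findings


if __name__ == "__main__":  # usage: python audit.py <profile>/Extensions
    print(json.dumps(audit_profile(sys.argv[1]), indent=2))
```

Because the malicious code arrived through updates to already-installed extensions, the audit is worth re-running after extensions update rather than once.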
Source: https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html
