4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign

nicolaasjan

Thread author
May 29, 2023
Koi researchers have identified a threat actor we're calling ShadyPanda - responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users.
Our investigation uncovered two active operations:
A 300,000-user RCE backdoor: Five extensions, including the "Featured" and "Verified" Clean Master, were weaponized in mid-2024 after years of legitimate operation. These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints.
A 4-million-user spyware operation: Five additional extensions from the same publisher, including WeTab with 3 million installs alone, are actively collecting every URL visited, search query, and mouse click - transmitting data to servers in China.
Some of ShadyPanda's extensions were featured and verified by Google, granting instant trust and massive distribution. For seven years, this actor learned how to weaponize browser marketplaces - building trust, accumulating users, and striking through silent updates.
I've added these to my hosts file:
Code:
0.0.0.0 api.cgatgpt.net
0.0.0.0 cleanmasters.store
0.0.0.0 dergoodting.com
0.0.0.0 extensionplay.com
0.0.0.0 s-82923.gotocdn.com
0.0.0.0 s-85283.gotocdn.com
0.0.0.0 yearnnewtab.com
 
Blocking those domains in your hosts file is a reasonable hardening step, but if you ever had any of the affected extensions installed, you should treat this as a potential privacy compromise and clean up properly.

1. About your HOSTS entries
Those entries will stop your machine from resolving those domains, which helps if:

  • You still (or previously) had one of the shady extensions installed
  • Some leftover script or bookmark is trying to phone home

I can’t independently verify that this is a complete or up‑to‑date list of all ShadyPanda domains, but adding these specific ones is low‑risk. Just remember this only protects that particular device; other PCs/phones/browsers won’t be affected unless you repeat the change or use a DNS‑level blocker.

2. If you ever installed Clean Master, WeTab, etc.
HOSTS blocking alone is not enough if your browser was already compromised. Do the following:

  1. Remove suspicious extensions immediately
    • Chrome: Menu → More tools → Extensions
    • Edge: Menu → Extensions → Manage extensions
    • Remove anything from the same publisher as the reported extensions, or any extension you don’t absolutely trust/recognize.
  2. Turn off extension sync (temporarily)
    Otherwise the bad extension can get re‑installed from your Google/Microsoft account:
    • Chrome: Settings → Sync and Google services → Manage what you sync → Turn off Extensions (or pause sync entirely)
    • Edge: Settings → Profiles → Sync → Turn off Extensions
  3. Clear browsing data and site storage
    • Clear cookies, cached images/files, and site data for at least the last 30 days (or longer if you’re worried).
  4. Run a reputable security scan
    Use a well‑known AV/AM product already trusted on MalwareTips (e.g. Microsoft Defender, Kaspersky, ESET, Bitdefender, Malwarebytes, etc.).
    This won’t see “inside” extensions perfectly, but it can catch additional payloads or other changes.
  5. Change passwords for important accounts
    Because these extensions logged URLs/searches and had full browser access, assume:
    • Any passwords saved or entered in the browser might have been exposed.
    • Start with email, banking, shopping, and any crypto/financial accounts.
    • Use unique strong passwords + enable 2FA where available.
  6. Review account security
    • Google/Microsoft: Check “recent activity”, “devices”, and “third‑party access” pages.
    • Log out of unknown sessions and revoke suspicious third‑party app access.

3. Extra hardening you can consider

  • Keep extensions to an absolute minimum – only those you truly need and from long‑established, reputable developers.
  • Use a good content blocker (e.g. uBlock Origin) which can also block some third‑party calls, though it’s not a cure‑all.
  • Network‑level blocking – if you have multiple devices, using something like NextDNS, AdGuard DNS, or Pi‑hole to block known C2/telemetry domains helps protect everything at once.
  • Separate profiles – one browser/profile with no extensions for banking/email, another for general browsing where you keep your few trusted add‑ons.

4. If you’re unsure whether you were affected

  • Check your browser’s extension history (anything installed from that publisher? Clean Master/WeTab/etc.?)
  • If yes, follow the full cleanup steps above and treat it as a privacy incident.
  • If no, your HOSTS entries are an extra safety net, but you’re likely fine.

If you share which browser(s) and extensions you currently use, I can help you go through them and suggest what’s safe to keep and what to remove or replace.
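To make the two checks in the post above repeatable, here is a small script (added as an illustration; it is not from the thread, from Koi, or from any vendor) that verifies the hosts entries listed earlier are actually in place and flags installed extensions by name or by the "broad host access plus browsing-related permission" combination. The permission heuristic, the sample manifests and the profile folder paths are assumptions, not findings from the report.

```python
import json
from pathlib import Path

# Domains from the hosts-file entries posted in this thread.
SHADYPANDA_DOMAINS = {"api.cgatgpt.net", "cleanmasters.store", "dergoodting.com",
                      "extensionplay.com", "s-82923.gotocdn.com",
                      "s-85283.gotocdn.com", "yearnnewtab.com"}
# Extension names mentioned in the report (substring, case-insensitive).
FLAGGED_NAMES = ("clean master", "wetab")
# Assumed heuristic: every-site access combined with permissions that let an
# extension watch navigation, history or page content (MV2 puts host patterns in
# "permissions", MV3 in "host_permissions"; both are checked).
BROAD_HOSTS = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")
RISKY_PERMS = {"tabs", "webRequest", "webNavigation", "history", "scripting", "cookies"}

def unblocked_domains(hosts_text):
    """Return the reported domains that this hosts-file text does not sinkhole."""
    blocked = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] in ("0.0.0.0", "127.0.0.1", "::1"):
            blocked.update(fields[1:])
    return sorted(SHADYPANDA_DOMAINS - blocked)

def assess_manifest(manifest):
    """Return a list of reasons this extension manifest deserves a closer look."""
    reasons = []
    # Note: localized names look like "__MSG_appName__" and will not match here.
    name = str(manifest.get("name", "")).lower()
    if any(n in name for n in FLAGGED_NAMES):
        reasons.append("name matches reported extension: " + str(manifest.get("name")))
    perms = set(manifest.get("permissions", []))
    hosts = perms | set(manifest.get("host_permissions", []))
    risky = sorted(perms & RISKY_PERMS)
    if any(h in hosts for h in BROAD_HOSTS) and risky:
        reasons.append("broad host access plus " + ", ".join(risky))
    return reasons

def scan_extension_dirs(root):
    """Walk a browser profile's Extensions folder; return {manifest path: reasons}."""
    findings = {}
    for manifest_path in Path(root).rglob("manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                       # unreadable or non-JSON file, skip it
        reasons = assess_manifest(manifest)
        if reasons:
            findings[str(manifest_path)] = reasons
    return findings
```

On Windows the folders to pass to `scan_extension_dirs` are typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` and `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions` (assumed default profile); a flagged result is a prompt to inspect, not proof of compromise, since many legitimate extensions also request broad permissions.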
 
Still got cash in your bank account? :p
Well, all minuses are still there. 🥹

 
I am a bit troubled by Koi's report of a "Mid-2024" malware version push, whose extensions were eventually removed from the store. I want to know a more specific time when the push occurred, if anyone reported on it, and when the extension stores removed the extensions.

Anyone with any more luck searching?

Although this one seems to be on the outlier side of things, it appears this patient approach will be or is a strategy for long-term threat actors (they even incorporated in the Marshall Islands). Besides minimizing extension use, especially on important accounts, there seems to be little I can do.
 
From the article:
And here's the problem: ALL 5 extensions are still live in the Microsoft Edge marketplace. Unlike Phase 3's removed extensions, this 4-million-user surveillance operation is active right now.
 
You would be right about Phase 4's attacks, but the mid-2024 malware was part of Phase 3, which the article mentioned at the end of the section:
Even though the extensions were recently removed from marketplaces, the infrastructure for full-scale attacks remains deployed on all infected browsers.
And the beginning of Phase 4:
However, ShadyPanda's biggest operation wasn't Clean Master. The same publisher behind Clean Master in Edge - Starlab Technology - launched 5 additional extensions on Microsoft Edge around 2023, accumulating over 4 million combined installs.
Which, if the timeline were right, suggests that maybe nobody ever caught them on Phase 3.
 
Now it's time for uBlock to go rogue and we have a winner.