4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign
Essential information
- Published
- 03/12/2025 20:19
- Modified
- 21/12/2025 18:23
- Tags
- 2025-12-03 browser extension chrome clean master data exfiltration edge infinity v+ malware campaign rce backdoor spyware trust exploitation wetab
- Related entities
- 1 intrusion sets (apt), 20 techniques (mitre), 3 malware, 9 others
Description
A threat actor named ShadyPanda has been identified as responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. The campaign includes two active operations: a 300,000-user RCE backdoor and a 4-million-user spyware operation. ShadyPanda's extensions were featured and verified by Google, granting instant trust and massive distribution. The actor's strategy evolved from simple affiliate fraud to sophisticated browser control and long-term trust building. The malware collects extensive user data, including browsing history, search queries, and mouse clicks, transmitting it to servers in China. The success of this campaign highlights vulnerabilities in browser marketplace security models and the potential for widespread exploitation through trusted update mechanisms.