Today’s Topics:
- Chrome Extensions Found Stealing Credentials from Users Across 170+ Websites
- DarkSpectre Browser Extension Operation Exposed After Affecting 8.8 Million Users Across Major Browsers
- How can Netizen help?
Chrome Extensions Found Stealing Credentials from Users Across 170+ Websites
Security researchers have uncovered two malicious Google Chrome extensions masquerading as a legitimate network speed-testing tool while secretly intercepting traffic and harvesting user credentials. Both extensions, named Phantom Shuttle and published by the same developer, continue to remain available for download in the Chrome Web Store.
The extensions market themselves as a “multi-location network speed test plug-in” targeted at developers and international trade professionals. Users are prompted to purchase a paid subscription tier ranging from approximately ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD) under the assumption they are gaining access to a premium VPN-like service. In reality, both extensions include hidden functionality that enables full authentication credential injection, traffic interception, and ongoing data exfiltration to an attacker-controlled server.
Researchers identified two variants:
Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj) — ~2,000 users
Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) — ~180 users
Both versions appear legitimate on the surface. They perform actual proxy latency testing and display connection status to reinforce the illusion of a functioning service. After payment, users receive “VIP” status and the extension automatically activates a proxy mode called “smarty,” routing traffic from more than 170 targeted domains through the attacker’s infrastructure.
These domains span developer platforms, cloud environments, enterprise systems, social media, and adult sites. That mix signals both credential theft and potential coercion risk.
The malicious activity is embedded in modified JavaScript libraries packaged with the extension. The injected code registers a listener for Chrome’s authentication request handler and automatically replies to every HTTP authentication challenge with hard-coded proxy credentials:
Username: topfany
Password: 963852wei
Because the listener runs before the user ever sees a login prompt, the credential injection remains invisible.
Once authenticated, the extension updates Chrome’s proxy settings using a PAC script that:
• Disables proxy use
• Forces all traffic through the proxy
• Routes only specific high-value domains through the proxy
The last mode is used to quietly monitor sensitive activity including developer portals, cloud dashboards, financial systems, and social networks.
While users browse normally, the extension maintains a 60-second heartbeat with its command-and-control server hosted at phantomshuttle[.]space, a domain still online. Every five minutes, the extension transmits the user’s subscription email address and plaintext password back to the attacker, along with version and status metadata.
This gives the operator both live access via man-in-the-middle positioning and persistent account takeover capability through credential harvesting.
Because the proxy sits between the user and the destination system, the operator gains visibility into nearly everything transmitted across those sessions. That includes:
- Passwords
- Authentication cookies
- Credit card numbers
- Form submissions
- API keys
- Developer tokens
- Browsing history
For developers and cloud administrators, the exposure extends to code repositories, infrastructure secrets, and platform credentials. That increases the risk of secondary compromise and supply chain incidents.
The campaign appears to have been operating for years. Notable signals include:
- Use of Chinese-language descriptions
- Support for Alipay and WeChat payment processing
- Alibaba Cloud-hosted infrastructure
- Subscription-based retention model
The professional payment integration lends the appearance of legitimacy while generating recurring revenue from victims.
A malicious extension with proxy privileges effectively bypasses:
- MFA protections tied to session cookies
- Zero-trust enforcement applied downstream
- Network-based inspection controls
Once installed, the attacker sits inside the session boundary.
Users should immediately uninstall Phantom Shuttle extensions and rotate any credentials that may have been exposed. Because authentication cookies and session tokens may already be compromised, a full re-authentication cycle is necessary.
Security teams should move toward stricter browser extension governance. Priority controls include:
- Extension allow-listing instead of open installation
- Monitoring for extensions requesting proxy or authentication permissions
- Alerting on unexpected proxy authentication flows
- Blocking browser extensions that require embedded subscription payments
DarkSpectre Browser Extension Operation Exposed After Affecting 8.8 Million Users Across Major Browsers
Security researchers have exposed a long running series of malicious browser extension operations linked to a Chinese threat actor known as DarkSpectre. Over a period of more than seven years, these campaigns have quietly affected more than 8.8 million users worldwide across Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera. The findings come from Koi Security, which has attributed three major browser extension campaigns to the same operator. These include ShadyPanda, GhostPoster, and a newly identified effort referred to as The Zoom Stealer. Together, these campaigns enabled data theft, affiliate and ad fraud, traffic manipulation, and the collection of sensitive corporate intelligence, all while posing as legitimate browser utilities.
The ShadyPanda operation was the first campaign linked to DarkSpectre. It targeted users across multiple browsers with extensions that intercepted search queries, injected code into browsing sessions, and harvested data while also redirecting traffic to affiliate services for financial gain. Koi Security estimates that about 5.6 million users were impacted, including more than one million newly identified victims whose browsers were running over one hundred extensions tied to the same coordinated activity. Some of the extensions included time delayed activation routines so that the malicious behavior would only begin several days after installation. This was likely done to pass extension store review processes. In other cases, extensions remained benign for more than five years to build a user base and reputation before malicious updates were pushed. Nine extensions tied to the activity remain active, while eighty five more have been identified as dormant but potentially dangerous once weaponized.
GhostPoster represented the second campaign in the cluster. This operation focused mainly on Firefox users and distributed simple browser utilities such as VPN tools and translation add-ons. Behind the scenes, these extensions injected JavaScript designed to hijack affiliate links, manipulate tracking identifiers, and enable fraud involving advertising and partner referral programs. One Opera extension posing as a Google Translate tool accumulated nearly one million installs before the activity was uncovered. The apparent usefulness of the extensions helped them gain trust, reviews, and long term adoption, which increased their ability to operate quietly.
The third DarkSpectre campaign identified by Koi Security is known as The Zoom Stealer. This effort relied on eighteen browser extensions that mimicked tools for major videoconferencing platforms including Zoom, Google Meet, Microsoft Teams, and GoToWebinar. The extensions performed many of the functions users expected, such as downloading recordings or enhancing meeting controls, but they also silently collected sensitive corporate meeting data in real time. The data harvested included meeting links, embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration details. The extensions also captured information about hosts and speakers, including names, job titles, biographies, profile photos, and company affiliations. This information was exfiltrated using WebSocket connections that allowed continuous monitoring without alerting the user.
In many cases, the extensions requested permissions for more than twenty eight conferencing platforms, even when those permissions were unnecessary for the advertised purpose. The result was a surveillance layer positioned directly inside the browser session. According to Koi researchers, this activity cannot be dismissed as routine advertising fraud. Instead, it represents a form of systematic collection of corporate communication intelligence. Users received the features they expected and left positive reviews, which made the extensions appear trustworthy. Meanwhile, data was being gathered in the background for potential resale or use in social engineering and impersonation campaigns.
The scale of the campaigns has broad implications. Millions of users across enterprise environments were affected, including developers, executives, and operational staff. Meeting invitation data alone reveals internal project discussions, vendor relationships, product planning, leadership structure, and supply chain coordination. That information can be leveraged for business email compromise, credential harvesting, targeted phishing, and espionage. The aggregation of meeting data and identity information significantly increases organizational risk.
Attribution indicators point toward China based operators. These signals include the use of Alibaba Cloud to host infrastructure, domain registrations tied to Chinese provinces, embedded code comments written in Chinese, and fraud patterns focused on Chinese e commerce platforms such as JD.com and Taobao. The overall operation has been named DarkSpectre by researchers to describe both its persistence strategy and its surveillance focused activity. The campaigns relied heavily on building trust over time. Extensions were first introduced as useful and legitimate tools. They gained positive reviews, accumulated user counts, and often received recommended status within extension stores. Only after that trust was established were malicious updates pushed or surveillance components enabled.
Koi Security has warned that DarkSpectre likely still maintains a pipeline of extensions that appear benign today but may be altered in future updates. The infrastructure remains active, meaning the broader operation is ongoing rather than historical. For enterprises, the key lesson is that browser extensions now represent a high impact attack surface. They operate within the user session where identity, authentication tokens, payment information, and confidential data are present. Many extensions also request wide ranging permissions that allow them to modify, inject, or forward data without detection by traditional endpoint controls.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.
Netizen Blog and News 
You must be logged in to post a comment.