Sleeper Agent
Malware is usually a short form game. Get in, deliver the payload, create profit for the threat actor. Obfuscation and evasion from security are part and parcel of malicious activity. It’s all for nothing if one gets caught, after all. But evidently, that brevity is not always the case. Koi researchers have uncovered a long, long campaign targeting Microsoft’s Chrome and Edge browsers. Dubbed ‘ShadyPanda’, this attack has been ongoing for seven years, spanning multiple generations of updates and operating systems.
It began with a handful of extensions offered as productivity tools, slowly amassing downloads and use, gaining Verified and even Featured status. And there, those extensions waited. Collating data the way any analytical tool would. Monitoring traffic, watching patterns emerge, collecting keystrokes, histories, even mouse clicks accurate down to pixel sized coordinates. As Koi put it, this wasn’t a fixed function malware; it was creating a backdoor. One that accumulated hundreds of thousands of installations. The key to the success of this covert intrusion was trust. Years of seemingly legitimate – and therefore harmless – activity garnered from initial approval that was never followed up on to make sure it was still behaving properly. Due to its verified status, it became part of the automatic update schedule, a persistence tactic with no action required from it.
But this was just one phase of this campaign. ShadyPanda tested the waters in 2023, with 145 extensions mimicking wallpaper and productivity apps. Every click inserted tracking codes and used Google’s own analytics to monetize browsing data. This was direct affiliate fraud. ShadyPanda learned some things from this campaign: the review process focused solely on submission and not continuing activity, how to gain trust from users, and that patience pays off.
The next phase of the campaign went from covert monetization to active control. In early 2024, the malware began hijacking core functionality in the browser. Links were redirected, cookies were exfiltrated. This was an asynchronous attack, meaning it did not require human oversight to execute. This phase did not last long. Corrupted extensions were discovered and removed within weeks of deployment.
But ShadyPanda had been quietly gathering all this data in order to unleash the main event: pushing the active malware now that it had been verified and trusted. The five extensions first submitted and approved back in 2018-19 now carried the same payload, automatically updated by Chrome and Edge themselves. Utilizing its asynchronous nature, the malware runs a remote code extension every hour in infected systems, via arbitrary JavaScript to execute with full API access in the browser. This is the backdoor it’s been all along.
Currently, the payload monitors every website visit and exfiltrates encrypted data to ShadyPanda's servers, including each URL visited with full browsing history, HTTP referrers showing navigation patterns, timestamps, complete browser fingerprints (language, platform, timezone, screen resolution, user agent) and more. All of this is delivered to the CleanMaster store, the extension most known for carrying the malware. It exhibits both anti-analysis evasion (reverting to ‘legitimate’ behavior if developer tools are opened) and man-in-the-middle attacking.
And this still isn’t all ShadyPanda is doing. Other extensions were released in 2023, all of which are still active in Microsoft’s marketplace. Two are known to be spyware, and one of them (We Tab) has over 3 million downloads alone. We Tab collects and exfiltrates data to 17 separate domains, most of which are in China.
This is a sophisticated, muli-layered campaign, leveraging a long standing vulnerability inherent in any app store: trust. A single threat actor (that we know of) has compiled extensive amounts of data on millions of users on a global scale to use however they want. Koi is confident that this is the work of one overarching malware; code signing similarities, overlapping infrastructure and identical obfuscation techniques evolving over time link these attacks together.
Details of the apps, coding and commands are laid out in Koi’s article (which I’ve linked above). This is a sign that app stores need to not only check submissions for fraudulent behavior, but also check in from time to time to make sure they’re still safe.
Posted on LinkedIn, 12/2/25










