Browser Extensions Malware Affects Millions Of Users
A massive browser hijacking campaign has hit millions of users by exploiting trusted Chrome and Edge extensions, according to a new Report.
Security researchers from Koi Security have uncovered a coordinated operation they have named RedDirection, in which 18 browser extensions, previously considered safe and even verified, were covertly updated to include harmful code.
These extensions offered real functionality, received good reviews, carried verification badges, and some even enjoyed featured placement. But it transpires that once an extension has been available in the web store for a while, cyber criminals can insert malicious code through routine updates to it.
According to the Report, the affected extensions, which include tools for color picking, video control, emoji input, and VPN access, initially functioned as expected. Before turning malicious, one of the extensions had a Google verified badge, over 800 reviews, and a featured placement on the Chrome Web Store.
For many months the code remained clean, but after an update the extensions turned malicious, with no user interaction required. “By analysing the command and control infrastructure and tracking similar code patterns, we uncovered what we’re calling the RedDirection campaign, a sophisticated cross-platform network of eighteen malicious extensions spanning both Chrome and Edge stores, all sharing the same hijacking functionality... Combined, these eighteen extensions have infected over 2.3 million users across both browsers, creating one of the largest browser hijacking operations we’ve documented,” says the Report.
Some of the extensions named in the Report had previously held a Google verification badge, hundreds of positive reviews, and even featured placement in the Chrome Web Store.
Their change into malicious tools went unnoticed by users and undetected by the stores' security reviews. Once updated, the extensions began to monitor browser activity in real time. Every time a user opened a website, the extension captured the URL and sent it, along with a unique identifier for that install, to a remote command-and-control server. If instructed, the extension would then redirect the user to a phishing or malicious site, potentially stealing credentials or installing additional malware.
Importantly, the extensions retained full functionality, continuing to provide their advertised features. This dual behavior made detection by users unlikely and enabled attackers to exploit a large install base undisturbed.
Researchers highlighted that the malicious updates were distributed through the standard extension update process, with no phishing or user manipulation involved. As a result, even cautious users who installed only highly rated, well-reviewed tools were exposed.
All 18 extensions have now been removed from the Chrome and Edge web stores, but some associated domains remain active. Koi Security has advised users to uninstall any of the listed extensions, clear browser data, run system-wide malware scans, and review all installed browser add-ons for suspicious activity.
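One way to carry out the add-on review the advisory recommends is to flag installed extensions whose manifests grant the capabilities described above: seeing every navigation, running in the background, and reaching all hosts. This is an added example, not Koi Security's tooling; it assumes Chrome's on-disk profile layout (`Extensions/<id>/<version>/manifest.json`), uses a constructed sample manifest, and leaves an empty placeholder for the report's extension IDs, which this page does not reproduce.

```python
import json
from pathlib import Path

# Permissions that let an extension see every page a user opens and steer navigation,
# the capability the RedDirection extensions abused (tab/navigation access on all hosts).
NAVIGATION_PERMS = {"tabs", "webNavigation", "webRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Placeholder: fill with the extension IDs published in the Koi Security report (not on this page).
KNOWN_BAD_IDS = set()

# Constructed sample manifest: a benign-looking utility with hijack-capable permissions.
SAMPLE_MANIFEST = {
    "name": "Color Picker (constructed sample)", "version": "2.0.1", "manifest_version": 3,
    "permissions": ["tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}

def assess_manifest(ext_id, manifest):
    """Return findings for one manifest; MV2 lists host patterns under "permissions", MV3 under "host_permissions"."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    nav = perms & NAVIGATION_PERMS
    if nav and hosts & BROAD_HOSTS:
        findings.append(f"can observe and redirect every navigation ({', '.join(sorted(nav))} + all-hosts access)")
    bg = manifest.get("background", {})
    if bg.get("service_worker") or bg.get("scripts"):
        findings.append("has a background script that can contact a remote server without any page open")
    if ext_id in KNOWN_BAD_IDS:
        findings.append("listed as malicious in the RedDirection report")
    return findings

def audit_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report flagged extensions."""
    report = {}
    for mf in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        ext_id = mf.parent.parent.name  # the store-assigned extension ID is the directory name
        manifest = json.loads(mf.read_text(encoding="utf-8"))
        findings = assess_manifest(ext_id, manifest)
        if findings:
            report[ext_id] = {"name": manifest.get("name"), "version": manifest.get("version"), "findings": findings}
    return report

if __name__ == "__main__":
    # Assumed default Chrome profile path on Linux; adjust for other platforms or profiles.
    print(json.dumps(audit_profile(Path.home() / ".config/google-chrome/Default"), indent=2))
```

A hit on the permission check is not proof of compromise, since many legitimate tools need these permissions; it narrows the list to the add-ons worth inspecting or removing.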
Koi Security | I-HLS | MalwareBytes | Bleeping Computer | Cybernews | BrenTech
Image: Alex Shuper