
ShadyPanda - The Silent Browser Takeover Threat and How Qualys TruRisk Eliminate Helps You Stop It

ShadyPanda has exploited trusted browser extensions to compromise millions of users, illustrating how legitimate software can unexpectedly become harmful. Between 2024 and 2025, one threat actor exploited this trusted ecosystem to create a massive covert malware delivery mechanism that organizations can no longer ignore. ShadyPanda exploited a widespread misconception: If an extension is verified, widely used, and looks safe, it must be trustworthy.

Unlike traditional cyberattacks that rely on phishing or zero-day vulnerabilities, ShadyPanda has established an operation built on patience, legitimacy, and a carefully crafted reputation. The group exploits trust within the browser extension ecosystem rather than targeting software flaws. Researchers have uncovered that ShadyPanda has been executing long-term browser supply chain attacks since 2018 by publishing seemingly harmless extensions. These include wallpapers, utilities, and new-tab tools designed to integrate seamlessly into everyday browser use while amassing high installation counts, positive user ratings, and a trusted status in the marketplace.

Once this trust was firmly established, ShadyPanda weaponized these extensions through updates, turning them into covert malware delivery mechanisms. These malicious updates enabled remote code execution (RCE) backdoors and large-scale spyware operations without raising traditional security alarms. Extensions such as Clean Master were operated legitimately for years to build a substantial user base across Chrome and Edge. Researchers estimate that more than 4.3 million users across both browsers were affected, underscoring the scale of the campaign. This was not opportunistic malware; it represented an infrastructure-level compromise of the browser ecosystem itself. These malicious extensions are actively harvesting a wide range of sensitive browser data, including browsing activity, user input and searches, device fingerprinting, behavioral biometrics, and identity and storage data. This level of access empowers attackers to profile users, hijack sessions, and potentially infiltrate enterprise environments.

ShadyPanda exposes a critical shift in attacker strategy: weaponizing trusted software to infiltrate environments silently. Defending modern enterprises requires more than patching vulnerabilities. It demands behavioral intelligence and proactive risk elimination. To mitigate such threats, organizations should automatically deploy the latest Chrome Stable and Edge Stable updates to close the CVEs leveraged by malicious extensions. Additionally, scripts should be deployed to detect and remove any non-default or unauthorized Chrome/Edge extensions. This means identifying all installed extensions, comparing them against an approved extension list, and removing any untrusted or malicious extensions. Furthermore, organizations can remove all passwords stored in Chrome, Edge, or Firefox directly using PowerShell.
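The inventory-and-compare step described above, as an added PowerShell example that is not from the Qualys post or its product. It walks the current user's Chrome and Edge profile folders, reads each extension's manifest (resolving localized `__MSG_*__` names), flags anything whose ID is not on an allowlist, and optionally deletes the unapproved extension folders. The allowlist IDs are placeholders to be replaced with an organisation's own approved extension IDs, and the profile paths assume default per-user install locations on Windows.

```powershell
# Added example (not from the Qualys post): inventory Chrome/Edge extensions for the
# current user, compare them against an allowlist, and report (optionally remove) the rest.
param(
    # PLACEHOLDER allowlist: replace with the 32-character IDs your organisation approves.
    [string[]] $ApprovedIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    [switch]   $Remove
)

# Default per-user profile roots; adjust for non-standard or system-wide installs.
$roots = @{
    Chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    Edge   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
}

function Resolve-ExtensionName {
    param([string] $VersionDir, [string] $RawName)
    # Names such as "__MSG_appName__" are localized; look them up in _locales/<locale>/messages.json
    if ($RawName -notmatch '^__MSG_(.+)__$') { return $RawName }
    $key      = $Matches[1]
    $manifest = Get-Content (Join-Path $VersionDir 'manifest.json') -Raw | ConvertFrom-Json
    $locale   = if ($manifest.default_locale) { $manifest.default_locale } else { 'en' }
    $msgFile  = Join-Path $VersionDir "_locales\$locale\messages.json"
    if (-not (Test-Path $msgFile)) { return $RawName }
    $entry = (Get-Content $msgFile -Raw | ConvertFrom-Json).PSObject.Properties[$key]
    if ($entry -and $entry.Value.message) { return $entry.Value.message }
    return $RawName
}

$findings = foreach ($browser in $roots.Keys) {
    $userData = $roots[$browser]
    if (-not (Test-Path $userData)) { continue }
    # Profile folders are named "Default", "Profile 1", "Profile 2", ...
    $profiles = Get-ChildItem $userData -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($idDir in Get-ChildItem $extRoot -Directory) {
            # Each extension ID folder holds one or more version folders; inspect the newest.
            $versionDir = Get-ChildItem $idDir.FullName -Directory |
                Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if (-not $versionDir) { continue }
            $manifestPath = Join-Path $versionDir.FullName 'manifest.json'
            if (-not (Test-Path $manifestPath)) { continue }
            $manifest = Get-Content $manifestPath -Raw | ConvertFrom-Json
            [pscustomobject]@{
                Browser     = $browser
                Profile     = $profile.Name
                Id          = $idDir.Name
                Name        = Resolve-ExtensionName -VersionDir $versionDir.FullName -RawName $manifest.name
                Version     = $manifest.version
                Permissions = (@($manifest.permissions) + @($manifest.host_permissions)) -join ','
                Approved    = $ApprovedIds -contains $idDir.Name
                Path        = $idDir.FullName
            }
        }
    }
}

# Report everything found; unapproved entries are the ones to investigate or remove.
$findings | Format-Table Browser, Profile, Id, Name, Version, Approved -AutoSize

$unapproved = @($findings | Where-Object { -not $_.Approved })
if ($Remove -and $unapproved.Count -gt 0) {
    # Deleting extension folders is only reliable while the browser is closed.
    Get-Process chrome, msedge -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($ext in $unapproved) {
        Write-Warning "Removing $($ext.Browser) extension '$($ext.Name)' ($($ext.Id)) from $($ext.Profile)"
        Remove-Item $ext.Path -Recurse -Force
    }
}
```

Run it without `-Remove` first to review the inventory, then with `-Remove` once the allowlist is confirmed. Deleting the on-disk folder is a cleanup step only: a synced profile can reinstall the extension from the store, so durable prevention belongs in the browsers' `ExtensionInstallAllowlist` / `ExtensionInstallBlocklist` policies pushed by group policy or MDM, with this script used to verify that the policy is actually being enforced on endpoints.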

To read the complete article see: https://blog.qualys.com/product-tech/patch-management/2025/12/17/shadypanda-malicious-browser-extensions-prevention

This post is licensed under CC BY 4.0 by the author.