Phantom Shuttle Chrome extension traffic-hijacking activity

Malware Activity
H score 33
1 unique source, 1 article

Summary

The Phantom Shuttle Chrome extensions remain available in the Chrome Web Store and are actively hijacking user traffic to steal credentials, cookies, tokens, and personal data from users in China. The extensions pose as proxy-service tools, but they route traffic through attacker-controlled proxies and silently intercept sensitive activity. Their continued presence matters because the malicious code can exfiltrate high-value account data from any browser in which the extensions are installed.

Related Happenings

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Chrome extension campaign

Campaign
First: 14.04.2026 14:30 Last: 14.04.2026 14:30 Sources 1

About this happening: A **large-scale campaign** of **108 malicious Chrome extensions** exposed roughly **20,000 users** to **session hijacking** and data theft through a shared **C2 infrastructure**.

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
First: 18.03.2026 16:15 Last: 18.03.2026 16:15 Sources 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

QuickLens and ShotBird malicious Chrome extension update chain

Malware Activity
First: 09.03.2026 12:28 Last: 09.03.2026 12:28 Sources 1

About this happening: The **QuickLens** and **ShotBird** Chrome extensions have become **malicious after ownership transfer**, turning trusted add-ons into a delivery path for code injection and data t...

Timeline

  1. 23.12.2025 15:31 2 articles · 5mo ago

    Phantom Shuttle Chrome extensions disclosed as traffic-hijacking tools

    Initial Disclosure

    Researchers at Socket identified two Chrome Web Store extensions named Phantom Shuttle that masquerade as proxy and network-speed tools for users in China while routing user web traffic through attacker-controlled proxies to steal credentials, card details, passwords, session cookies, and API tokens. The extensions were still present in Chrome's official marketplace and had been active since at least 2017.
