
Phantom Shuttle malicious Chrome extensions credential theft

Malware Activity
Happening score (H score): 33
1 unique source, 1 article

Summary


Phantom Shuttle is a pair of malicious Google Chrome extensions that now intercept traffic, inject proxy credentials, and exfiltrate browsing data through attacker-controlled C2 infrastructure. The operation affects users visiting 170+ targeted domains and can steal passwords, cookies, API keys, access tokens, and form data. The extensions remain available as of publication, keeping the theft and traffic-manipulation risk active.

Related Happenings

Chrome Web Store malicious extensions coordinated campaign using shared C2

Campaign
First: 14.04.2026 23:33 Last: 14.04.2026 23:33 Sources 1

About this happening: A coordinated **Chrome Web Store** extension operation is stealing **Google OAuth2 Bearer tokens**, deploying **backdoors**, and running **ad fraud** across more than **100 malici...

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

Legitimate-looking Chrome extension prompt-poaching campaign

Campaign
First: 25.03.2026 13:00 Last: 25.03.2026 13:00 Sources 1

About this happening: A recurring **Chrome extension** campaign is stealing **AI conversations** from users, exposing prompts, answers, and other sensitive content to attacker-controlled servers. The a...

ShieldGuard browser-extension data-harvesting malware

Malware Activity
First: 18.03.2026 16:15 Last: 18.03.2026 16:15 Sources 1

About this happening: A malicious **ShieldGuard** browser extension was dismantled after it was found harvesting sensitive data from **crypto users**, putting wallet and account information at risk. Th...

Timeline

  1. 23.12.2025 16:42 1 article · 5mo ago

    Phantom Shuttle extension published on November 26, 2017

    Untyped Phase

    The Phantom Shuttle Chrome extension with ID fbfldogmkadejddihifklefknmikncaj was published on November 26, 2017 and later appeared as one of the two extension variants linked to the traffic-interception operation, with the listing showing 2,000 users.

  2. 23.12.2025 16:42 2 articles · 5mo ago

    Researchers identify malicious Phantom Shuttle Chrome extensions

    Initial Disclosure

    Cybersecurity researchers identified two malicious Google Chrome extensions named Phantom Shuttle that were published by the same developer, impersonated a network speed test and VPN service, injected hard-coded proxy credentials, and used man-in-the-middle proxies plus a C2 heartbeat to intercept traffic and capture user credentials.
