Phantom Shuttle malicious Chrome extensions credential theft
Malware Activity
Summary
Hide ▲
Show ▼
Phantom Shuttle is a pair of malicious Google Chrome extensions that now intercept traffic, inject proxy credentials, and exfiltrate browsing data through attacker-controlled C2 infrastructure. The operation affects users visiting 170+ targeted domains and can steal passwords, cookies, API keys, access tokens, and form data. The extensions remain available as of publication, keeping the theft and traffic-manipulation risk active.
Related Happenings
Silent Swap browser-extension clipboard clipper
Malware Activity
H score36
First: 30.06.2026 18:40
Last: 30.06.2026 18:40
Sources 1
About this happening:
The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Silent Swap browser-extension clipboard clipper
Malware ActivityAbout this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...
Search for perplexity ai malicious Chrome extension
Malware Activity
H score29
First: 29.06.2026 21:40
Last: 29.06.2026 21:40
Sources 1
About this happening:
A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
Search for perplexity ai malicious Chrome extension
Malware ActivityAbout this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...
StegoAd malicious Edge extension operation
Malware Activity
H score19
First: 29.06.2026 11:32
Last: 29.06.2026 11:32
Sources 1
About this happening:
The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
StegoAd malicious Edge extension operation
Malware ActivityAbout this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor Meta
H score20
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions
Threat Actor MetaAbout this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...
Chrome extension PUP distribution network with fake organic traffic
Malware Activity
H score18
First: 15.06.2026 14:07
Last: 15.06.2026 14:07
Sources 1
About this happening:
A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Chrome extension PUP distribution network with fake organic traffic
Malware ActivityAbout this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...
Timeline
-
23.12.2025 16:42 1 articles · 6mo ago
Phantom Shuttle extension published on November 26, 2017
Untyped PhaseThe Phantom Shuttle Chrome extension with ID fbfldogmkadejddihifklefknmikncaj was published on November 26, 2017 and later appeared as one of the two extension variants linked to the traffic-interception operation, with the listing showing 2,000 users.
Show sources
- Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
-
23.12.2025 16:42 1 articles · 6mo ago
Phantom Shuttle extension published on April 27, 2023
Untyped PhaseThe Phantom Shuttle Chrome extension with ID ocpcmfmiidofonkbodpdhgddhlcmcofd was published on April 27, 2023 and added a newer variant to the same extension family, with the listing showing 180 users.
Show sources
- Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
-
23.12.2025 16:42 2 articles · 6mo ago
Researchers identify malicious Phantom Shuttle Chrome extensions
Initial DisclosureCybersecurity researchers identified two malicious Google Chrome extensions named Phantom Shuttle that were published by the same developer, impersonated a network speed test and VPN service, injected hard-coded proxy credentials, and used man-in-the-middle proxies plus a C2 heartbeat to intercept traffic and capture user credentials.
Show sources
- Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42
- Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites — thehackernews.com — 23.12.2025 16:42