Find notable cyber news and cases, enriched with sources, timelines, and signals.

Phantom Shuttle malicious Chrome extensions credential theft

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

Phantom Shuttle is a pair of malicious Google Chrome extensions that now intercept traffic, inject proxy credentials, and exfiltrate browsing data through attacker-controlled C2 infrastructure. The operation affects users visiting 170+ targeted domains and can steal passwords, cookies, API keys, access tokens, and form data. The extensions remain available as of publication, keeping the theft and traffic-manipulation risk active.

Related Happenings

Silent Swap browser-extension clipboard clipper

Malware Activity
H score36 First: 30.06.2026 18:40 Last: 30.06.2026 18:40 Sources 1

About this happening: The **Silent Swap** malware activity now **installs malicious Chromium extensions** that intercept copied wallet addresses and **reroute cryptocurrency transfers** to attacker-con...

Search for perplexity ai malicious Chrome extension

Malware Activity
H score29 First: 29.06.2026 21:40 Last: 29.06.2026 21:40 Sources 1

About this happening: A malicious **Chrome extension** named **Search for perplexity ai** impersonated **Perplexity AI** while **intercepting search traffic** and collecting **browsing information** th...

StegoAd malicious Edge extension operation

Malware Activity
H score19 First: 29.06.2026 11:32 Last: 29.06.2026 11:32 Sources 1

About this happening: The **StegoAd** operation was removed from the **Edge Add-ons store** after hiding payloads in images and fonts, stealing credentials, and driving **ad fraud** across installs tha...

Commercial adware and traffic-attribution-fraud affiliate operation using Chrome extensions

Threat Actor Meta
H score20 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: Researchers found a **commercial adware** and **traffic-attribution-fraud affiliate operation** abusing **Chrome extensions** to fabricate traffic signals and monetize installs, i...

Chrome extension PUP distribution network with fake organic traffic

Malware Activity
H score18 First: 15.06.2026 14:07 Last: 15.06.2026 14:07 Sources 1

About this happening: A network of **152 Google Chrome extensions** is distributing a **potentially unwanted program (PUP) family** through new-tab live-wallpaper add-ons, creating a broad browser-base...

Timeline

  1. 23.12.2025 16:42 1 articles · 6mo ago

    Phantom Shuttle extension published on November 26, 2017

    Untyped Phase

    The Phantom Shuttle Chrome extension with ID fbfldogmkadejddihifklefknmikncaj was published on November 26, 2017 and later appeared as one of the two extension variants linked to the traffic-interception operation, with the listing showing 2,000 users.

    Show sources
  2. 23.12.2025 16:42 2 articles · 6mo ago

    Researchers identify malicious Phantom Shuttle Chrome extensions

    Initial Disclosure

    Cybersecurity researchers identified two malicious Google Chrome extensions named Phantom Shuttle that were published by the same developer, impersonated a network speed test and VPN service, injected hard-coded proxy credentials, and used man-in-the-middle proxies plus a C2 heartbeat to intercept traffic and capture user credentials.

    Show sources