A widespread browser hijacking campaign has infected over 2.3 million users through 18 malicious extensions available on Google Chrome and Microsoft Edge.
Dubbed “RedDirection” by researchers at Koi Security, the operation exploited trust indicators such as verified badges, high ratings, and featured placement to remain undetected across both browser ecosystems.
Koi researchers described the operation as one of the largest browser-based malware campaigns they have seen to date.
Among the extensions identified, “Color Picker, Eyedropper — Geco colorpick” stood out with more than 100,000 installs, over 800 positive reviews, and verified status in the Chrome Web Store. Despite its legitimate appearance and functional user interface, the extension was found to be capturing browsing activity and sending data to remote servers.
Other extensions offered varied functionality — from emoji keyboards and weather forecasts to VPN proxies, dark themes, and volume boosters — but all contained similar surveillance and hijacking capabilities hidden in their code.
“This isn’t some obvious scam extension thrown together in a weekend,” Idan Dardikman, researcher at Koi Security, said in a blog post about the malware-infested extension. “This is a carefully crafted trojan horse that delivers exactly what it promises, while simultaneously hijacking your browser, tracking every website you visit, and maintaining a persistent command and control backdoor.”
Malicious code deployed through extension updates
Koi researchers found that most of the malicious extensions were not harmful at the time of initial publication. Instead, they became dangerous later through version updates, a technique that allowed them to operate undetected for long periods.
“Due to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed silently for over 2.3 million users across both platforms — most of whom never clicked anything,” Dardikman said in the post.
The researchers said the incident highlights the risks of supply chain compromise within browser ecosystems. “The very mechanisms meant to ensure user safety — verified status, featured placement, seamless updates — ended up amplifying the malware’s reach,” he added.
Arjun Chauhan, practice director at Everest Group, said the campaign reflects a shift in attacker strategy. “Unlike traditional supply chain attacks that target backend systems, this campaign infiltrated the very tools users trust daily — their browser extensions. The delayed activation of malicious code underscores a critical gap in enterprise security models.”
He noted that initial vetting is no longer enough. “Organizations must implement continuous monitoring of browser extensions, enforce strict permission controls, and educate employees about the risks associated with seemingly trustworthy tools. Adopting a zero-trust approach to browser extensions is now imperative.”
Browser hijacking and phishing risks
According to Koi's analysis, the malicious code was embedded in each extension's background service worker and used browser APIs to monitor tab activity. Captured data, including the visited URLs and a unique tracking ID assigned to each install, was sent to attacker-controlled servers, which in turn returned redirect instructions that the extension applied to the user's tab.
The setup enabled several attack scenarios, including redirection to phishing pages, banking credential theft using cloned login sites, and fake update prompts delivered through hijacked meeting invitations.
“With 2.3 million users under surveillance across 18 different extensions, the campaign creates a massive persistent man-in-the-middle capability that can be exploited at any moment,” said Dardikman.
Centralized infrastructure across platforms
The campaign spanned both Chrome and Edge, with each extension linked to its own command-and-control subdomain to create the appearance of separate actors. Researchers noted that all extensions were ultimately connected to a single coordinated network.
Several extensions had also gained featured or verified status in both marketplaces, raising further concerns about the platforms’ screening processes.
Koi Security recommends that affected users uninstall the extensions immediately, clear browser data to remove tracking identifiers, run a full malware scan, and monitor online accounts for unusual activity. A full review of installed extensions is also advised.
The known malicious extensions include “Color Picker, Eyedropper — Geco colorpick,” “VPN Proxy to Unblock Discord Anywhere,” “Emoji keyboard online — copy&paste your emoji,” “Free Weather Forecast,” “Unlock Discord,” “Dark Theme — Dark Reader for Chrome,” “Volume Max — Ultimate Sound Booster,” “Unblock TikTok — Seamless Access with One-Click Proxy,” “Unlock YouTube VPN,” “Unlock TikTok,” and “Weather.”
Marketplace gaps and long-term risks
The incident underscores systemic weaknesses in browser extension governance. Google and Microsoft’s verification processes failed to detect the malware, even as some of the extensions received promotional placement and trust badges.
“Attackers have successfully exploited every trust signal users rely on — verification badges, install counts, featured placement, years of legitimate operation, and positive reviews,” said Dardikman. “These credibility mechanisms were turned against the users.”
Chauhan added that platform-level changes are necessary. “Static analysis and manual reviews can’t keep up with today’s threats. To prevent similar campaigns, Google and Microsoft must invest in dynamic analysis, real-time extension monitoring, and more transparent update processes. Strengthening these areas is essential to restoring user trust.”
A broader security wake-up call
Researchers describe the campaign as a turning point for browser security. Rather than relying on quick-win attacks, threat actors behind RedDirection developed a patient, long-game infrastructure, allowing them to slip under detection for years before activating the malware.
The timing is also notable. The exposure of the campaign comes just days after MITRE added “IDE Extensions” as a new sub-technique in its ATT&CK framework, alongside the long-standing Browser Extensions entry, drawing attention to growing threats within third-party software ecosystems.
“If browser extensions that pass every trust test can flip into malware overnight, the security model for managing them needs to change,” Dardikman said in the blog post.