{"id":28295,"date":"2025-12-02T15:32:51","date_gmt":"2025-12-02T15:32:51","guid":{"rendered":"http:\/\/localhost\/?p=28295"},"modified":"2025-12-02T15:32:51","modified_gmt":"2025-12-02T15:32:51","slug":"sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=28295","title":{"rendered":"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06"},"content":{"rendered":"

{“lastseen”:”2025-12-02T18:05:12″,”description”:”Researchers have unraveled a malware campaign that really did play the long game. After seven years of behaving normally, a set of browser extensions installed on roughly 4.3 million Chrome and Edge users\u2019 devices suddenly went rogue. Now they can track what you browse and run malicious code inside your browser.\\n\\nThe researchers found five extensions that operated cleanly for years before being weaponized in mid-2024. The developers earned trust, built up millions of installs, and even collected \u201cFeatured\u201d or \u201cVerified\u201d status in the Chrome and Edge stores. Then they pushed silent updates that turned these add-ons into spyware and malware.\\n\\nThe extensions turned into a remote code execution framework. They could download and run malicious JavaScript inside the browser and collect information about visited sites and the user\u2019s browser, sending it all back to attackers believed to be based in China.\\n\\nOne of the most prevalent of these extensions is WeTab, with around three million installs on Edge. It acts as spyware by streaming visited URLs, search queries, and other data in real time. The researchers note that while Google has removed the extensions, the Edge store versions are still available.\\n\\nPlaying the long game is not something cybercriminals usually have the time or patience for. \\n\\nThe researchers attributed the campaign to the ShadyPanda group, which has been active since at least 2018 and launched their first campaign in 2023. That was a simpler case of affiliate fraud, inserting affiliate tracking codes into users’ shopping clicks.\\n\\nWhat the group did learn from that campaign was that they could get away with deploying malicious updates to existing extensions. Google vets new extensions carefully, but updates don\u2019t get the same attention. \\n\\nIt’s not the first time we’ve seen this behavior, but waiting for years is exceptional. When an extension has been available in the web store for a while, cybercriminals can insert malicious code through updates to the extension. Some researchers refer to the clean extensions as \u201csleeper agents\u201d that sit quietly for years before switching to malicious behavior.\\n\\nThis new campaign is far more dangerous. Every infected browser runs a remote code execution framework. Every hour, it checks `api.extensionplay[.]com` for new instructions, downloads arbitrary JavaScript, and executes it with full browser API access.\\n\\n## How to find malicious extensions manually\\n\\nThe researchers at Koi shared a long list of Chrome and Edge extension IDs linked to this campaign. You can check if you have these extensions in your browser:\\n\\n**In Chrome**\\n\\n 1. Open Google Chrome.\\n 2. In the address bar at the top, type **chrome:\/\/extensions\/** and press **Enter**.\u200b This opens the Extensions page, which shows all extensions installed in your browser.\u200b\\n 3. At the top right of this page, turn on **Developer mode**.\\n 4. Now each extension card will show an extra line with its **ID.** \u200b\\n 5. Press **Ctrl+F** (or **Cmd+F** on Mac) to open the search box and paste the ID you\u2019re checking (e.g. `eagiakjmjnblliacokhcalebgnhellfi`) into the search box.\\n\\n\\n\\nIf the page scrolls to an extension and highlights the ID, it’s installed. If it says _No results found_ , it isn’t in that Chrome profile.\u200b\\n\\nIf you see that ID under an extension, it means that particular add\u2011on is installed for the current Chrome profile.\u200b\\n\\nTo remove it, click **Remove** on that extension\u2019s card on the same page.\\n\\n**In Edge**\\n\\nSince Edge is a Chromium browser the steps are the same, just go to **edge:\/\/extensions\/** instead.\\n\\n* * *\\n\\n**We don\u2019t just report on threats\u2014we remove them**\\n\\nCybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.”,”published”:”2025-12-02T17:49:51″,”modified”:”2025-12-02T17:49:51″,”type”:”malwarebytes”,”title”:”\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices”,”source”:””,”references”:””,”id”:”MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2025\/12\/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-12-02T18:05:12″,”description”:”Researchers have unraveled a malware campaign that really did play the long game. After seven years of behaving normally, a set of browser extensions installed…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-28295","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=28295\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-12-02T18:05:12″,”description”:”Researchers have unraveled a malware campaign that really did play the long game. After seven years of behaving normally, a set of browser extensions installed...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=28295\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-12-02T15:32:51+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28295#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28295\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06\",\"datePublished\":\"2025-12-02T15:32:51+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28295\"},\"wordCount\":758,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"exploit\",\"malwarebytes\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=28295#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28295\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28295\",\"name\":\"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-12-02T15:32:51+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28295#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=28295\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=28295#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=28295","og_locale":"en_US","og_type":"article","og_title":"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06 - zero redgem","og_description":"{“lastseen”:”2025-12-02T18:05:12″,”description”:”Researchers have unraveled a malware campaign that really did play the long game. After seven years of behaving normally, a set of browser extensions installed...","og_url":"https:\/\/zero.redgem.net\/?p=28295","og_site_name":"zero redgem","article_published_time":"2025-12-02T15:32:51+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=28295#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=28295"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06","datePublished":"2025-12-02T15:32:51+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=28295"},"wordCount":758,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","exploit","malwarebytes","news","NONE","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=28295#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=28295","url":"https:\/\/zero.redgem.net\/?p=28295","name":"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-12-02T15:32:51+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=28295#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=28295"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=28295#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\u201cSleeper\u201d browser extensions woke up as spyware on 4 million devices_MALWAREBYTES:4BFBE49E7F19305A106D3508B5630C06"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/28295","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28295"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/28295\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28295"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}