4.3M Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign

Verified badges, silent updates, and a panda-sized backlash

TLDR: A long-trusted set of browser extensions quietly turned into spyware and a backdoor, affecting 4.3 million users. Comments rage over store trust badges, demand clear extension names, and clash with the developers’ “it’s just analytics” defense — a wake-up call about handing extensions too much power.

ShadyPanda didn’t just snoop — it staged a seven-year slow burn that hooked 4.3 million Chrome and Edge users, then flipped trusted extensions into spyware and a remote backdoor. The community is fuming, but split. One camp is stunned at how an extension can smuggle in its own code engine; as one commenter marveled, it’s like hiding a mini-computer in your toolbar. Another camp is side-eyeing Google’s “Featured/Verified” badges, accusing the stores of rubber-stamping trust for years while the panda sharpened its claws.

The drama boiled over when the WeTab/Infinity team responded (in Chinese), claiming Clean Master was sold and any data collection was opt-in analytics — a classic “it’s telemetry, not spying” defense. Skeptics aren’t buying it. Meanwhile, practical users begged for a clear list of affected extensions, grumbling that burying raw IDs at the bottom helps no one. The vibe: equal parts outrage and resignation, with jokes about “pandas are cute until they hijack your searches” and memes dubbing Google’s badge the Bamboo Seal of Approval.

Amid the humor, the stakes are serious: remote code execution (RCE — meaning they could run code on your browser) every hour, search hijacks via trovi.com, and click-by-click spying beamed overseas. One commenter summed it up: extensions have god-mode, and we keep handing them the keys.

Key Points

  • Koi attributes a seven-year browser extension campaign (“ShadyPanda”) impacting 4.3 million Chrome and Edge users.
  • Two active operations were found: a 300,000-user RCE backdoor and a 4-million-user spyware network.
  • Previously legitimate, Google-featured/verified extensions (e.g., Clean Master) were weaponized via silent updates in mid-2024.
  • Earlier phases included large-scale affiliate fraud (145 extensions in 2023) and search hijacking/cookie exfiltration (early 2024).
  • Data exfiltration included URLs, searches, clicks, cookies, and browser fingerprints, with traffic sent to domains such as trovi.com and servers in China.
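Two of the behaviours listed above, redirects to trovi.com and the hourly check-in that delivered the RCE payload, are visible from the network side. The following is an added example, not code from Koi's report or from this post: it scans constructed proxy-log lines for requests to the hijack domain and for a browser process beaconing to one host on a roughly hourly cadence. The log field order (time, client, process, host, path) and every hostname other than trovi.com are assumptions.

```python
# Added example, not code from Koi's report or the original post: flags two
# behaviours the article describes in constructed proxy-log lines, requests to
# trovi.com and an hourly beacon. Assumed field order: time client process host path
from collections import defaultdict
from datetime import datetime
import re

SAMPLE_LOG = """\
2024-07-01T09:00:04Z 10.0.0.5 chrome.exe cdn.example-assets.test /lib.js
2024-07-01T09:00:07Z 10.0.0.5 chrome.exe trovi.com /?q=tax+forms
2024-07-01T09:02:11Z 10.0.0.5 chrome.exe update.example-ext.test /cfg.json
2024-07-01T09:30:00Z 10.0.0.5 chrome.exe mail.example.test /inbox
2024-07-01T10:02:10Z 10.0.0.5 chrome.exe update.example-ext.test /cfg.json
2024-07-01T11:02:12Z 10.0.0.5 chrome.exe update.example-ext.test /cfg.json
2024-07-01T12:02:09Z 10.0.0.5 chrome.exe update.example-ext.test /cfg.json
"""  # constructed sample; hosts other than trovi.com are placeholders

HIJACK_DOMAINS = {"trovi.com"}  # search-hijack domain named in the article
BEACON_PERIOD_S = 3600           # hourly cadence described in the article
TOLERANCE_S = 120                # jitter allowed around the period
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, process, host, path) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield (ts,) + m.groups()[1:]

def find_hijack_hits(text, domains=HIJACK_DOMAINS):
    """(client, host, path) for requests to a hijack domain or its subdomains."""
    return [(c, h, p) for _, c, _, h, p in parse_log(text)
            if any(h == d or h.endswith("." + d) for d in domains)]

def find_periodic_beacons(text, period=BEACON_PERIOD_S, tol=TOLERANCE_S,
                          min_hits=3):
    """(client, process, host) keys whose requests recur every ~period seconds."""
    by_key = defaultdict(list)
    for ts, client, proc, host, _ in parse_log(text):
        by_key[(client, proc, host)].append(ts)
    flagged = []
    for key, times in by_key.items():
        times.sort()
        run = best = 0  # longest run of consecutive gaps within tol of period
        for a, b in zip(times, times[1:]):
            run = run + 1 if abs((b - a).total_seconds() - period) <= tol else 0
            best = max(best, run)
        if best + 1 >= min_hits:  # n on-period gaps means n+1 beacons
            flagged.append(key)
    return flagged
```

The periodicity check deliberately ignores the host name, so it also surfaces check-ins to domains that were not yet known at the time of the report.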

Hottest takes

"The builtin JavaScript interpreter is such a devious touch." — ipnon
"The Clean Master extension has long been sold, and the malicious update was not pushed by them." — gudzpoz
"Is this some sort of security practice to not promote malicious packages or something?" — huydotnet
Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.