Security researchers from Koi Security have uncovered a coordinated malware campaign involving 18 browser extensions distributed through the Google Chrome and Microsoft Edge extension stores. These malicious extensions are disguised as everyday utilities—such as emoji keyboards, video speed tools, VPNs for Discord and TikTok, dark modes, and volume boosters—but secretly engage in browser hijacking and surveillance.
To date, over 2.3 million users have unknowingly installed these extensions.
Trusted, Featured… and Malicious
Despite their malicious behavior, many of these extensions were verified by Google and Microsoft or even featured in their respective extension stores, giving users a false sense of security.
While each extension appears to have a separate origin—complete with distinct command-and-control (C2) subdomains—researchers found that they all link back to a single coordinated threat operation, now dubbed RedDirection.
From Useful Tools to Malware Delivery
One of the first extensions flagged was Color Picker, Eyedropper — Geco colorpick, which had amassed over 100,000 installs and hundreds of positive reviews. While it initially provided a legitimate color-picking service, later updates included a stealthy backdoor, allowing attackers to track every website visited by users.
This bait-and-switch method was a recurring pattern. The RedDirection campaign avoided detection by first releasing clean versions, then injecting malicious code through updates, sometimes years after the original release. These changes happened without user interaction, bypassing manual approval.
What the Malware Does
Once active, the malicious code within these extensions can:
- Capture and log URLs visited by users
- Send data to external C2 servers along with unique user tracking IDs
- Receive instructions from those servers to redirect users to malicious or monetized pages
- Carry out those redirections automatically, without any user interaction
This campaign highlights a growing challenge in browser security, as cybercriminals exploit trust signals like verification badges and featured listings to gain widespread access to devices.
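A defender-side way to triage installed extensions for the capability combination described above (visibility into every visited URL from a background context that can also navigate tabs), as an added example that is not part of the original article or of Koi Security's research. The permission names are those of Chrome's extension API; the Linux profile path and the sample manifest are assumptions constructed for illustration.

```python
import json
from pathlib import Path

# Permissions that expose visited URLs: "tabs" and "webNavigation" return
# tab/frame URLs, "webRequest" sees each request (with host permissions).
URL_OBSERVING = {"tabs", "webNavigation", "webRequest"}
# Host patterns covering every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def assess_manifest(manifest: dict) -> dict:
    """Flag URL visibility plus a background script: any background
    context can call chrome.tabs.update(tabId, {url: ...}) to redirect a
    tab, so this pairing matches the capture-then-redirect pattern."""
    perms = set(manifest.get("permissions", []))
    # Manifest V2 listed host patterns under "permissions"; V3 uses host_permissions.
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    observes_urls = bool(perms & URL_OBSERVING)
    has_background = "background" in manifest
    return {
        "name": manifest.get("name", "?"),
        "observes_urls": observes_urls,
        "broad_hosts": bool(hosts & BROAD_HOSTS),
        "has_background": has_background,
        "matches_pattern": observes_urls and has_background,
    }


def scan_profile(extensions_dir: Path) -> list:
    """Assess every <id>/<version>/manifest.json under a profile's
    Extensions directory (assumed Linux Chrome layout)."""
    findings = []
    for manifest_path in extensions_dir.glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash
        result = assess_manifest(manifest)
        result["id"] = manifest_path.parents[1].name  # extension ID directory
        findings.append(result)
    return findings


# Constructed sample manifest (not taken from any real extension).
SAMPLE = {
    "manifest_version": 3,
    "name": "Example Video Speed Tool",
    "permissions": ["tabs", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}

if __name__ == "__main__":
    print(assess_manifest(SAMPLE))
    for f in scan_profile(Path.home() / ".config/google-chrome/Default/Extensions"):
        if f["matches_pattern"]:
            print(f["id"], f["name"])
```

A match is a reason to inspect the extension's background script and update history, not proof of malice: many legitimate tools need the same permissions.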
What Users Should Do Now
If you’re using Chrome or Edge and suspect one of these extensions is installed:
- Remove it immediately
- Clear your browser data, including cookies and cached files
- Run a full malware scan on your system
- Monitor sensitive accounts for unusual activity, especially if you’ve logged into banking, government, or corporate platforms
Koi Security has reported its findings to both Google and Microsoft, but at the time of writing, neither company had issued a public response.
At Nubetia, we help individuals and businesses stay one step ahead of evolving threats. Want to know if your extensions are safe? Contact our cybersecurity team.
Source: https://www.infosecurity-magazine.com/news/18-malicious-chrome-edge-extensions/