
The Silent Threat: How "Sleeper" Browser Extensions Spied on Millions

Published December 24th, 2025 by Bayonseo

In cybersecurity, we frequently advise against downloading dubious files from unknown sources. But what happens when a trusted tool that you installed years ago, and then forgot about, becomes the threat? According to security researchers, a clever, long-game malware campaign did exactly that: browser extensions that appeared legitimate and were installed by over 4 million people operated normally for seven years, then "woke up" and became potent spyware.

At least five extensions from the official Chrome and Edge web stores were used in this campaign, which has been linked to a threat group known as ShadyPanda. These extensions gained user trust and "Featured" or "Verified" status; one of them, "WeTab", has almost three million installs. They performed as promised for years. In mid-2024, these dormant "sleeper agents" were weaponized through stealthy modifications that turned them into a framework for remote code execution.

Once they are activated, the weaponized extensions have terrifying access. They can download and execute any harmful code within your browser. They actively gather every URL you visit, your search queries, and browser information in real time and stream it all back to servers under the attackers' control.


How to Check Your Browser and Remove Threats

If you use Chrome or Microsoft Edge, you can manually look for the particular extensions connected to this campaign. The researchers supplied a list of their unique IDs.

  • In Google Chrome: go to chrome://extensions/.
  • In Microsoft Edge: go to edge://extensions/.

Turn on "Developer mode" in the upper right corner of the Extensions page. This displays the unique ID for every extension. You can then search for a specific malicious ID, such as eagiakjmjnblliacokhcalebgnhellfi, by pressing Ctrl+F (or Cmd+F on a Mac). If the ID is found and highlighted, the malicious extension is installed. Click "Remove" right away. Even after Google has taken these extensions out of its store, they may still be on devices and in the Edge store.
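The same ID lookup can be scripted to cover every browser profile on a machine. The script below is an added example, not code from the researchers or from this article; it assumes Chrome and Edge are installed in their default profile locations, and its blocklist holds only the one ID quoted above, so the rest must be filled in from the researchers' list.

```python
import json
import re
import sys
from pathlib import Path

# Only the ID quoted in this article; add the rest from the researchers' list.
FLAGGED_IDS = {"eagiakjmjnblliacokhcalebgnhellfi"}
ID_RE = re.compile(r"^[a-p]{32}$")  # extension IDs are 32 letters from a-p

def default_user_data_dirs(home=None):
    """Default Chrome/Edge data directories (assumes standard installs)."""
    home = Path(home or Path.home())
    if sys.platform.startswith("win"):
        base = home / "AppData" / "Local"
        return [base / "Google" / "Chrome" / "User Data",
                base / "Microsoft" / "Edge" / "User Data"]
    if sys.platform == "darwin":
        base = home / "Library" / "Application Support"
        return [base / "Google" / "Chrome", base / "Microsoft Edge"]
    return [home / ".config" / "google-chrome", home / ".config" / "microsoft-edge"]

def installed_extensions(user_data_dir):
    """Yield (profile, extension_id, version_dir, manifest_name) per installed version."""
    for ext_dir in Path(user_data_dir).glob("*/Extensions/*"):
        if not (ext_dir.is_dir() and ID_RE.match(ext_dir.name)):
            continue  # skips scratch folders such as "Temp"
        profile = ext_dir.parent.parent.name
        for manifest in ext_dir.glob("*/manifest.json"):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8-sig"))
            except (OSError, ValueError):
                data = {}  # unreadable manifest: still report the ID
            if not isinstance(data, dict):
                data = {}
            # The name may be a localisation key such as "__MSG_appName__".
            yield profile, ext_dir.name, manifest.parent.name, data.get("name", "?")

def find_flagged(user_data_dirs, flagged_ids=FLAGGED_IDS):
    """Return a sorted list of (root, profile, id, version, name) for flagged IDs."""
    wanted = {i.lower() for i in flagged_ids}
    return sorted((str(d), *ext) for d in user_data_dirs if Path(d).is_dir()
                  for ext in installed_extensions(d) if ext[1] in wanted)

if __name__ == "__main__":
    hits = find_flagged(default_user_data_dirs())
    for root, profile, ext_id, version, name in hits:
        print(f"FLAGGED {ext_id} v{version} ({name}) in {root} [{profile}]")
    sys.exit(1 if hits else 0)  # non-zero exit lets fleet tooling alert on a hit
```

A hit means the extension's files are on disk for that profile; remove it from the browser's Extensions page as described above.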


Protecting Yourself from Future Threats

This attack takes advantage of a crucial flaw: although new extensions are thoroughly examined, their updates frequently are not. To safeguard yourself, adopt a minimalist approach to extensions: regularly audit them and delete those you no longer use. Avoid extensions that ask for too many permissions, and keep in mind that even well-known, "verified" programs can turn into threats.

For enterprises, this incident highlights the need for multi-layered protection that goes beyond basic antivirus software. At Bayon Technologies Group, we help individuals and businesses put proactive security measures in place, such as managing software vulnerabilities and monitoring for unusual network behavior, to keep you secure online in a constantly changing threat landscape.

