Malicious Google Chrome Extensions: A Deep Dive into Cybersecurity Threats
Cybersecurity researchers have recently unveiled a concerning threat within the Google Chrome ecosystem—two malicious extensions that, under the guise of a legitimate tool, intercept user traffic and steal personal information. These extensions, both named “Phantom Shuttle” and developed by the same entity, present a significant risk to unsuspecting users who believe they are enhancing their online experience.
Overview of the Extensions
Details on Phantom Shuttle
The two variations of Phantom Shuttle are currently available for download, each showcasing different user bases:
- Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj): Approximately 2,000 users; published on November 26, 2017.
- Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd): Around 180 users; published on April 27, 2023.
These extensions are marketed as a “multi-location network speed test plug-in,” ostensibly tailored for developers and international traders. However, beneath this façade lies a malicious intent.
Subscription Model Deception
According to Socket security researcher Kush Pandya, users pay a subscription fee ranging from ¥9.9 to ¥95.9 CNY (about $1.40 to $13.50 USD), believing they are securing a legitimate Virtual Private Network (VPN) service. In reality, both extensions execute harmful actions, including traffic interception and credential theft.
Malicious Operations
Traffic Interception Techniques
After payment, users achieve “VIP status,” which automatically activates a so-called “smarty” proxy mode. In this mode, traffic destined for more than 170 targeted domains is routed through the attackers' command-and-control (C2) infrastructure. Notably, the extensions cloak their true nature by performing real latency tests and displaying connection statuses while stealthily capturing user credentials.
This operation hinges on two modified JavaScript libraries bundled with the extensions, specifically jquery-1.12.2.min.js and scripts.js. The malicious code injects hardcoded proxy credentials (topfany / 963852wei) into every HTTP authentication prompt across all visited websites. Answering those prompts silently is what lets the extensions keep up their speed-test façade while the traffic is being redirected.
Mechanism of Credential Theft
Pandya explained that the extensions register a listener via chrome.webRequest.onAuthRequired. This listener responds instantly with the hardcoded credentials whenever a site or proxy prompts for HTTP authentication, ensuring users remain unaware of the ongoing threat. The process is smooth and automatic—there’s no need for user interaction.
Once the proxy server authenticates, the extensions set Chrome’s proxy configuration with a Proxy Auto-Configuration (PAC) script that implements one of three operational modes:
- Close: Disables the proxy feature.
- Always: Routes all web traffic through the proxy.
- Smarty: Routes only a pre-determined list of more than 170 high-value domains through the proxy.
The malicious list includes reputable developer platforms like GitHub, social media sites like Facebook, and sensitive cloud services. Interestingly, the inclusion of adult content websites may suggest ulterior motives, such as potential blackmail schemes.
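The combination described above, a "proxy" permission, an onAuthRequired listener that answers prompts with literal credentials, and a PAC script pushed into Chrome's proxy settings, is something a defender can screen unpacked extensions for. The following audit script is an added example, not code from the report or from the extensions; the manifest and script it scans are constructed samples that mimic the reported behaviour, and the indicator names are my own.

```python
import json
import re
import tempfile
from pathlib import Path

# Permissions that let an extension redirect traffic and answer auth prompts itself.
RISKY_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking", "webRequestAuthProvider"}
# Source-level indicators of the reported technique (indicator names are hypothetical).
INDICATORS = {
    "auth_listener": re.compile(r"webRequest\.onAuthRequired"),
    "pac_script": re.compile(r"pacScript|FindProxyForURL"),
    "proxy_settings": re.compile(r"proxy\.settings\.set"),
    # an auth handler returning literal credentials instead of letting the user decide
    "hardcoded_creds": re.compile(r"""authCredentials\s*:\s*\{[^}]*password\s*:\s*['"][^'"]+['"]""", re.S),
}

def audit_extension(ext_dir):
    """Scan an unpacked extension: manifest permissions plus regex hits per JS file."""
    ext_dir = Path(ext_dir)
    manifest = json.loads((ext_dir / "manifest.json").read_text(encoding="utf-8"))
    perms = set(manifest.get("permissions", []))
    hits = {}
    for js in sorted(ext_dir.rglob("*.js")):
        src = js.read_text(encoding="utf-8", errors="replace")
        for name, pat in INDICATORS.items():
            if pat.search(src):
                hits.setdefault(name, []).append(js.relative_to(ext_dir).as_posix())
    return {"risky_permissions": sorted(perms & RISKY_PERMISSIONS), "indicators": hits}

def is_suspicious(report):
    """Proxy control plus silent auth answering is the combination the report describes."""
    ind = report["indicators"]
    redirects = "pac_script" in ind or "proxy_settings" in ind
    answers_auth = "auth_listener" in ind or "hardcoded_creds" in ind
    return "proxy" in report["risky_permissions"] and redirects and answers_auth

# Constructed sample extension (not the real extension's code) mimicking the reported behaviour.
SAMPLE_MANIFEST = {"name": "speed-test", "manifest_version": 3,
                   "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"]}
SAMPLE_SCRIPT = """
chrome.webRequest.onAuthRequired.addListener(function (details) {
  return { authCredentials: { username: "EXAMPLE_USER", password: "EXAMPLE_PASS" } };
}, { urls: ["<all_urls>"] }, ["blocking"]);
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: pac } } });
"""

def demo():
    """Write the constructed sample to a temp dir, audit it, and return (report, flagged)."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST), encoding="utf-8")
        Path(d, "scripts.js").write_text(SAMPLE_SCRIPT, encoding="utf-8")
        report = audit_extension(d)
        return report, is_suspicious(report)

if __name__ == "__main__":
    print(demo())
```

Point audit_extension at the unpacked extension directories under a Chrome profile (the per-ID folders below the profile's Extensions directory) to triage installed extensions; a hit on is_suspicious warrants manual review rather than an automatic verdict.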
Continuous Data Exfiltration
The operation is persistent: the extensions maintain heartbeat communication with their C2 server at phantomshuttle[.]space, which is still operational. This persistent channel gives attackers a “man-in-the-middle” (MitM) position from which they can intercept, manipulate, and even inject data into user traffic.
What’s more alarming is that this heartbeat also transmits sensitive user information—including email addresses, plaintext passwords, and version numbers—every five minutes to an external server. This setup facilitates continuous theft and surveillance of user sessions.
The Broader Impact
Beyond the subscription payments, the extensions expose any sensitive data sent to the proxied domains, including passwords and API keys. Stolen developer secrets could in turn enable broader supply chain attacks, an escalating danger in today’s digital landscape.
While the identity of the orchestrators remains unclear, indicators suggest a China-based operation, given the use of Chinese language in the extension’s description and the payment integration through Alipay and WeChat Pay, along with the hosting of the C2 domain on Alibaba Cloud.
User Precautions and Organizational Response
The subscription model lends the extensions a façade of credibility and keeps victims engaged. Because users unknowingly allow their own traffic to be compromised, cybersecurity teams must remain vigilant. Those who have installed these extensions are strongly urged to remove them immediately.
For organizations, adopting extension allowlisting, monitoring for suspicious proxy activities, and maintaining rigorous network surveillance are essential steps to mitigate risks associated with these kinds of threats. The findings emphasize a growing underground risk linked to browser extensions, reiterating the need for proactive cybersecurity measures.