Malicious Chrome Extensions Stealing User Credentials

Published on: December 26, 2025

Overview

Two malicious Google Chrome extensions published under the name “Phantom Shuttle” have been identified in the Chrome Web Store. These extensions masquerade as legitimate proxy and network-testing tools but secretly hijack user web traffic to steal sensitive information. Despite being active since at least 2017, the extensions were still available in the official Chrome Web Store at the time of reporting.

The campaign primarily targets users in China, including foreign trade workers who rely on proxy services to test connectivity from different geographic locations.

Vulnerability Details

  • The issue is not a Chrome browser vulnerability, but an abuse of the Chrome extension ecosystem and permissions model.
  • The extensions leverage:
    • Excessive permissions to intercept web traffic
    • Dynamic proxy reconfiguration via auto-configuration scripts
    • Malicious code embedded within a legitimate jQuery library
  • Hardcoded proxy credentials are obfuscated using a custom character-index encoding scheme, allowing unauthorized routing of traffic.

How It Affects

  • All browser traffic is silently routed through attacker-controlled proxy servers
  • The extension operates as a man-in-the-middle (MitM), enabling:
    • Interception of HTTP authentication challenges
    • Capture of form data (usernames, passwords, card details)
    • Theft of session cookies from HTTP headers
    • Extraction of API tokens from requests
  • In “smarty” mode, traffic from 170+ high-value domains is selectively proxied, while local networks and the attacker’s own C2 infrastructure are excluded to reduce detection.

Who It Affects

  • Google Chrome users who installed the Phantom Shuttle extensions
  • Users seeking proxy services, especially:
    • Individuals based in China
    • Foreign trade workers
    • Developers and IT professionals
  • Organizations whose employees use unmanaged or personal browsers for work-related access

Its Impact

  • Compromise of:
    • Login credentials
    • Financial information
    • Personal and identity data
    • Cloud, developer, and social media accounts
  • Session hijacking and unauthorized account access
  • Potential downstream attacks, including:
    • Data breaches
    • Financial fraud
    • Corporate espionage

Targeted Products

  • Google Chrome browser
  • Chrome Web Store extensions:
    • Phantom Shuttle (multiple variants under the same developer account)
  • High-value web services, including:
    • Developer platforms
    • Cloud service consoles
    • Social media websites
    • Adult content portals

IOCs (Indicators of Compromise)

  • Extension name: Phantom Shuttle
  • Behavior-based indicators:
    • Unexpected proxy settings configured in Chrome
    • Browser traffic routed through unknown proxy servers
  • Note: No specific malicious domains or IP addresses have been publicly disclosed at this time.

Recommendations

  • Immediately remove the Phantom Shuttle extensions if installed
  • Review and reset:
    • Chrome proxy settings
    • Browser sessions and saved credentials
  • Rotate passwords and revoke API tokens for accounts accessed via the affected browser
  • Enable:
    • Multi-factor authentication (MFA)
    • Endpoint and browser extension monitoring where possible
  • Install extensions only from reputable publishers
  • Carefully review:
    • Permissions requested during installation
    • User reviews and extension update history
  • Organizations should:
    • Enforce browser extension allowlists
    • Educate users on extension-related risks

References:

https://www.bleepingcomputer.com/news/security/malicious-extensions-in-chrome-web-store-steal-user-…