Malicious extensions masqueraded as popular tools, secretly tracking browsing habits and exposing millions to hijacking risks, researchers warn.
More than 2 million users of Google Chrome and Microsoft Edge have fallen victim to what cybersecurity researchers at Koi Security call a “sophisticated” malware campaign—one of the largest browser hijacking operations the cybersecurity company has ever uncovered.
The campaign—dubbed RedDirection—centered on a set of 18 malicious browser extensions that available for download from both Google’s Chrome Web Store and Microsoft’s Edge Add-ons, according to a July 8 Koi Security report. All of the identified extensions, which are listed at the bottom of this article along with their ID numbers, have since been removed from both platforms.
The malicious extensions appeared legitimate, offering tools such as VPN proxies for TikTok and Discord, YouTube unblockers, weather forecasts, video speed controllers, and emoji keyboards. However, behind the scenes, they secretly enabled covert tracking of users’ browsing activity, collected URLs of visited pages, and exfiltrated unique tracking identifiers, according to Koi Security’s findings.
“These aren’t theoretical attacks,” wrote Koi Security’s Idan Dardikman. “With 2.3 million users under surveillance across eighteen different extensions, the campaign creates a massive persistent man-in-the-middle capability that can be exploited at any moment. Every click, every website visit, every online transaction becomes a potential attack vector across this vast network.”
The malware implements what Dardikman said was a “sophisticated browser hijacking mechanism” that becomes active every time a user navigates to a new website. It can capture the website address and send it to a remote server—along with the user’s unique tracking ID number. Hackers can also configure the malware to automatically redirect users to different websites, which are potentially harmful.
While Koi Security has not publicly attributed the operation to a specific threat actor or nation-state, the researchers described RedDirection as a highly organized and “particularly devious” effort that amounted to one of the largest browser hijacking operations the company has ever documented. Many of the extensions initially functioned exactly as advertised, which helped them build positive user ratings and evade suspicion on official browser stores.
“Imagine logging into your bank’s website,” Dardikman wrote in the report. “The extension captures your request and seamlessly redirects you to a pixel-perfect replica of your bank’s login page, hosted on the attacker’s servers. You enter your credentials, thinking you’re securely accessing your account, but you’ve just handed over your banking information to cybercriminals.”
Koi Security recommended that users who have installed one of the 18 RedDirection campaign extensions remove it immediately, and then clear their browsing data to remove any tracking identifiers that may be stored on their computers. The company also urged users to run a full system malware scan to check for other infections, and recommended that people monitor their accounts for any suspicious activity.
A review of both Google’s Chrome Web Store and Microsoft’s Edge Add-ons marketplace indicated that the 18 extensions are no longer available for download.
The Epoch Times has reached out to Google and Microsoft for comment.
A list of the known malicious extensions linked to RedDirection, along with their unique extension IDs, is provided below for reference:
Chrome Extensions:
- Emoji keyboard online—copy & paste your emoji (ID: kgmeffmlnkfnjpgmdndccklfigfhajen)
- Free Weather Forecast (ID: dpdibkjjgbaadnnjhkmmnenkmbnhpobj)
- Video Speed Controller—Video manager (ID: gaiceihehajjahakcglkhmdbbdclbnlf)
- Unlock Discord—VPN Proxy to Unblock Discord Anywhere (ID: mlgbkfnjdmaoldgagamcnommbbnhfnhf)
- Dark Theme—Dark Reader for Chrome (ID: eckokfcjbjbgjifpcbdmengnabecdakp)
- Volume Max—Ultimate Sound Booster (ID: mgbhdehiapbjamfgekfpebmhmnmcmemg)
- Unblock TikTok—Seamless Access with One-Click Proxy (ID: cbajickflblmpjodnjoldpiicfmecmif)
- Unlock YouTube VPN (ID: pdbfcnhlobhoahcamoefbfodpmklgmjm)
- Color Picker, Eyedropper—Geco colorpick (ID: eokjikchkppnkdipbiggnmlkahcdkikp)
- Weather (ID: ihbiedpeaicgipncdnnkikeehnjiddck)
Edge Extensions:
- Unlock TikTok (ID: jjdajogomggcjifnjgkpghcijgkbcjdi)
- Volume Booster—Increase your sound (ID: mmcnmppeeghenglmidpmjkaiamcacmgm)
- Web Sound Equalizer (ID: ojdkklpgpacpicaobnhankbalkkgaafp)
- Header Value (ID: lodeighbngipjjedfelnboplhgediclp)
- Flash Player—games emulator (ID: hkjagicdaogfgdifaklcgajmgefjllmd)
- Youtube Unblocked (ID: gflkbgebojohihfnnplhbdakoipdbpdm)
- SearchGPT—ChatGPT for Search Engine (ID: kpilmncnoafddjpnbhepaiilgkdcieaf)
- Unlock Discord (ID: caibdnkmpnjhjdfnomfhijhmebigcelo)
By Tom Ozimek
