Firefox joins Chrome and Edge as sleeper extensions spy on users

A group of cybercriminals called DarkSpectre is believed to be behind three campaigns spread by malicious browser extensions: ShadyPanda, GhostPoster, and Zoom Stealer. We wrote about the ShadyPanda campaign in December 2025, warning users that extensions which had behaved normally for years...

DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide

The threat actor behind two malicious browser extension campaigns, ShadyPanda and GhostPoster, has been attributed to a third attack campaign codenamed DarkSpectre that has impacted 2.2 million users of Google Chrome, Microsoft Edge, and Mozilla Firefox. The activity is assessed to be the work of...

ShadyPanda: The Silent Browser Takeover Threat and How Qualys TruRisk Eliminate Helps You Stop It

Executive Summary ShadyPanda has exploited trusted browser extensions to compromise millions of users, illustrating how legitimate software can unexpectedly become harmful. Qualys TruRisk Eliminate empowers organizations to identify risky behaviors, prioritize real threats, and eliminate maliciou...

A Browser Extension Risk Guide After the ShadyPanda Campaign

In early December 2025, security researchers exposed a cybercrime campaign that had quietly hijacked popular Chrome and Edge browser extensions on a massive scale. A threat group dubbed ShadyPanda spent seven years playing the long game, publishing or acquiring harmless extensions, letting them r...

7 Year Long ShadyPanda Attack Spied on 4.3M Chrome and Edge Users

Koi Security exposes ShadyPanda, a group that used trusted Chrome/Edge extensions to infect 4.3 million users over 7 years for deep surveillance and corporate espionage...

“Sleeper” browser extensions woke up as spyware on 4 million devices

Researchers have unraveled a malware campaign that really did play the long game. After seven years of behaving normally, a set of browser extensions installed on roughly 4.3 million Chrome and Edge users’ devices suddenly went rogue. Now they can track what you browse and run malicious code insi...

ShadyPanda Turns Popular Browser Extensions with 4.3 Million Installs Into Spyware

A threat actor known as ShadyPanda has been linked to a seven-year-long browser extension campaign that has amassed over 4.3 million installations over time. Five of these extensions started off as legitimate programs before malicious changes were introduced in mid-2024, according to a report fro...