ShadyPanda
ShadyPanda is a threat actor tracked by Koi Security for a long-running browser extension campaign targeting Google Chrome and Microsoft Edge users. The group is described in the source reporting as likely China-based or China-linked, although some reporting notes that China attribution is suspected but not confirmed.
ShadyPanda conducted a methodical campaign lasting roughly seven years and infected more than 4.3 million browser instances. The pattern was to publish seemingly legitimate extensions, build trust and install volume over time, and then push malicious updates through the trusted auto-update mechanisms of the browser marketplaces. The group used over 100 malicious extensions, including 20 Chrome extensions and 125 Edge extensions in earlier phases, and later weaponized popular extensions such as Clean Master and WeTab. Some extensions reportedly received marketplace trust indicators such as Featured or Verified status before being turned malicious.
The campaign evolved across multiple phases. Early activity involved affiliate fraud by injecting tracking codes into sites such as eBay, Amazon, and Booking.com; later activity included browser hijacking, search redirection, cookie theft, and keystroke harvesting; subsequent phases added spyware and a backdoor capable of remote code execution by downloading and executing arbitrary JavaScript with full browser API access. Reported collection and surveillance activity included browsing history, URLs visited, search queries, mouse clicks, browser fingerprints, session data, cookies, and other browser telemetry. The reporting also states that ShadyPanda manipulated search results and traffic, used man-in-the-browser-style techniques, and exfiltrated data to infrastructure described as being in China. The malware reportedly used obfuscation and anti-analysis behavior, including switching to benign behavior when developer tools were opened.
The campaign relied on trusted browser marketplaces and weak post-approval monitoring rather than on phishing or social engineering. Aliases and related labels directly mentioned in the reporting are limited to ShadyPanda. Developer or publisher names associated with parts of the campaign include nuggetsno15, Zhang, rocket Zhang, and Starlab Technology, but these are described as publisher identities used in the operation rather than confirmed subgroup names.
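One defensive check that follows from the trust-then-update pattern described above, as an added example that is not from the original page or from Koi Security's reporting: diff an extension's manifest permissions between the installed version and a pending update, and hold updates that gain sensitive APIs or blanket host access. The two manifests, the sensitive-permission set and the blocking threshold are constructed assumptions for illustration.

```python
"""Flag risky permission growth between two versions of a browser extension.

Added example, not from the page or from Koi Security. The write-up describes
benign extensions that later received malicious updates via marketplace
auto-update; one control is to diff the installed manifest against the update
before it is allowed to apply. The manifests below are constructed samples.
"""
import json

# Permissions whose sudden appearance in an update deserves review (assumed
# set, chosen to match the behaviours reported on the page: cookie theft,
# browsing-history collection and request interception).
SENSITIVE = {
    "cookies", "history", "webRequest", "webRequestBlocking",
    "tabs", "scripting", "webNavigation", "declarativeNetRequest",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def permission_delta(old: dict, new: dict) -> dict:
    """Return the permissions and host patterns that the update adds."""
    added_perms = set(new.get("permissions", [])) - set(old.get("permissions", []))
    added_hosts = set(new.get("host_permissions", [])) - set(old.get("host_permissions", []))
    return {
        "added_permissions": sorted(added_perms),
        "added_hosts": sorted(added_hosts),
        "sensitive": sorted(added_perms & SENSITIVE),
        "broad_hosts": sorted(added_hosts & BROAD_HOSTS),
    }


def should_block_update(old: dict, new: dict) -> bool:
    """Block when the update gains a sensitive API or blanket host access."""
    delta = permission_delta(old, new)
    return bool(delta["sensitive"] or delta["broad_hosts"])


# Constructed sample: a small utility extension as first installed ...
V1 = json.loads('{"manifest_version": 3, "version": "1.0",'
                ' "permissions": ["storage"],'
                ' "host_permissions": ["https://example.test/*"]}')
# ... and a pushed update that quietly widens its reach.
V2 = json.loads('{"manifest_version": 3, "version": "1.1",'
                ' "permissions": ["storage", "cookies", "history", "webRequest"],'
                ' "host_permissions": ["<all_urls>"]}')

if __name__ == "__main__":
    print(json.dumps(permission_delta(V1, V2), indent=2))
    print("block update:", should_block_update(V1, V2))
```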
Tradecraft
4 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
ShadyPanda is a China-linked group running long-term malicious browser extension campaigns for surveillance and remote control.
Named in an aggregated list of actors associated with React2Shell (CVE-2025-55182) exploitation activity.
Listed as a threat actor associated in the report’s aggregated section with exploitation activity around React2Shell (CVE-2025-55182) and related RSC/Next.js vulnerabilities.
ShadyPanda is known for large-scale browser extension campaigns that exfiltrate data via session and cookie theft, leveraging malicious Chrome/Edge extensions and exploiting browser vulnerabilities.