Clean Master
Clean Master is a browser-extension-based malware/backdoor associated by Koi Security with the ShadyPanda campaign. It was presented as a legitimate utility extension for Google Chrome and Microsoft Edge, reportedly published by Starlab Technology, and accumulated more than 200,000 installs before being weaponized via a malicious update in mid-2024. Koi described it as one of five extensions used to deploy a remote-code-execution-capable backdoor framework affecting roughly 300,000 users across those extensions.
According to the reporting, the malicious update enabled full browser surveillance and man-in-the-browser-style capabilities. The malware polled api.extensionplay[.]com hourly for instructions, could download arbitrary JavaScript and execute it with full browser API access, and could inject malicious content into any website, including HTTPS pages. Reported collection and exfiltration included visited URLs, HTTP referrers, timestamps, persistent UUID4 identifiers, browser fingerprints, session-related data, and broader browsing/authentication visibility. Koi also reported anti-analysis behavior in which the extension switched to benign behavior when browser developer tools were opened.
The campaign is attributed by Koi to ShadyPanda, a long-running operation dating back to at least 2017 that abused trusted-looking extensions, allowed them to build reputation and installation volume, then silently pushed malicious updates. The broader operation reportedly targeted Chrome and Edge users at scale, including enterprise users whose browsers may access SaaS, cloud, and internal resources. Google reportedly removed Clean Master from the Chrome Web Store; Koi stated the backdoor infrastructure remained present on already infected browsers even after marketplace removal.
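As an added defender-side example (not code from Koi Security's reporting or from Mallory), the hourly polling to api.extensionplay[.]com described in this profile can be hunted in proxy logs two ways: by matching the named domain, and, more generally, by flagging any client-to-host pair with a steady low-jitter cadence of roughly 3600 seconds. The log lines, the field layout and the 120-second jitter threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log lines (not real telemetry): "<ISO time> <client> <host> <path>"
SAMPLE_LOG = """\
2024-07-01T09:00:03Z 10.0.0.5 api.extensionplay.com /
2024-07-01T09:14:22Z 10.0.0.5 www.example.com /news
2024-07-01T10:00:07Z 10.0.0.5 api.extensionplay.com /
2024-07-01T11:00:01Z 10.0.0.5 api.extensionplay.com /
2024-07-01T12:00:09Z 10.0.0.5 api.extensionplay.com /
2024-07-01T09:30:00Z 10.0.0.7 www.example.com /
2024-07-01T10:05:00Z 10.0.0.7 www.example.com /
"""
# C2 domain named in the reporting (written defanged on the page as api.extensionplay[.]com)
KNOWN_C2 = {"api.extensionplay.com"}


def parse_log(text):
    """Yield (client, host, unix_time) per well-formed line; skip malformed ones."""
    for line in text.splitlines():
        try:
            when, client, host = line.split()[:3]
            ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:  # too few fields or bad timestamp
            continue
        yield client, host.lower(), ts.timestamp()


def find_beacons(text, period_s=3600, jitter_s=120, min_hits=3):
    """Flag (client, host) pairs that hit a known C2 domain, or that show a steady
    ~period_s cadence with low jitter over at least min_hits requests (the hourly poll)."""
    seen = defaultdict(list)
    for client, host, t in parse_log(text):
        seen[(client, host)].append(t)
    findings = []
    for (client, host), times in sorted(seen.items()):
        times.sort()
        reasons = []
        if host in KNOWN_C2:
            reasons.append("known C2 domain")
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= max(min_hits, 2):
            avg = mean(gaps)
            if abs(avg - period_s) <= jitter_s and pstdev(gaps) <= jitter_s:
                reasons.append(f"~{round(avg)}s cadence over {len(times)} hits")
        if reasons:
            findings.append({"client": client, "host": host, "hits": len(times), "reasons": reasons})
    return findings
```

The cadence rule is the part worth keeping after the domain rotates: it needs no indicator, only the regularity that a fixed polling schedule leaves in the logs.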
Groups observed using it
1 distinct threat actor attributed by public researchers.
ShadyPanda ... distributed browser extensions such as the popular Clean Master utility ... Only after ShadyPanda had built up trust ... did it silently push malicious updates.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Clean Master is a browser extension that was weaponized to deliver a remote code execution backdoor, allowing attackers to execute arbitrary JavaScript code, exfiltrate browsing data, and maintain persistent access to infected browsers.
A malicious browser-extension payload delivered via an update to the previously legitimate-looking “Clean Master” extension. It provides an RCE-enabling backdoor in the browser context by polling a C2 for instructions, downloading arbitrary JavaScript, and executing it with full browser API permissions. It also supports web content injection (including into HTTPS pages), extensive browsing surveillance, and data exfiltration (URLs, referrers, timestamps, persistent identifiers, and browser fingerprinting). It includes anti-analysis behavior (it goes benign when developer tools are opened).
Distributed as an initially legitimate browser extension (Chrome/Edge) and later made malicious via an update: collection of browsing and session data (cookies, session tokens), fingerprinting/tracking, manipulation of search results and traffic (man-in-the-browser), and installation of a backdoor supporting remote code execution (RCE).