ShadyPanda
ShadyPanda is a large-scale spyware campaign centered on malicious browser extensions. Source reporting describes it as a China-linked operation and the flagship campaign of the threat actor DarkSpectre. Researchers assessed the activity as long-running, spanning more than seven years, and affecting Chrome, Microsoft Edge, and Firefox users. One cited report states that ShadyPanda weaponized trusted browser extensions via auto-updates and infected over 4.3 million users globally; another summary describes the broader ShadyPanda campaign as involving 5.6 million users across more than 100 extensions.
According to the reporting, ShadyPanda relied on long-lived extensions that presented themselves as legitimate productivity tools while functioning as comprehensive spyware. The campaign allegedly included 9 actively malicious extensions and more than 85 dormant sleeper extensions awaiting weaponization. A key operational feature was configuration-based command-and-control: operators could change extension behavior server-side without pushing a new extension version, so code already installed on endpoints could be repurposed with no store update for anyone to inspect. The activity is described as enabling large-scale surveillance and remote control.
The reporting links ShadyPanda to infrastructure patterns shared with other DarkSpectre campaigns. Researchers reportedly pivoted from the domains infinitynewtab.com and infinitytab.com to identify connected extensions, and identified a jt2x.com cluster in which extensions used api.jt2x.com for C2, configuration downloads, data exfiltration, and affiliate fraud. Attribution indicators cited for a Chinese nexus include Alibaba Cloud hosting in China, ICP registrations linked to Chinese provinces including Hubei, Chinese-language code artifacts, and affiliate-fraud targeting of JD.com and Taobao.
High-confidence indicators and related references named in the reporting include infinitynewtab.com, infinitytab.com, api.jt2x.com, and the campaign name ShadyPanda itself. A headline-only source also associates the campaign with browser-extension auto-update abuse, Chrome Web Store exposure, and the tags backdoor and RCE, but it provides no technical detail beyond the headline and metadata.
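The domains above are the only concrete indicators the reporting gives, so a practical first hunt is to match them against egress telemetry and against the source of installed extensions. The following is an added example, not code from the reporting or from any of the vendors it cites: it matches the three named hosts exactly, and additionally treats any host under jt2x.com as suspect because the reporting describes a jt2x.com cluster (that parent-domain match is an assumption of this example, not a reported indicator). The proxy log format and the extension files are constructed samples. A hit means "investigate this endpoint or extension", not a conviction on its own.

```python
import re

# Indicator hosts named in the summary above.
SHADYPANDA_HOSTS = {"infinitynewtab.com", "infinitytab.com", "api.jt2x.com"}
# Assumption for this example: flag any host under the reported jt2x.com cluster.
PARENT_DOMAINS = {"jt2x.com"}


def domain_matches(host: str) -> bool:
    """True if host is a named indicator or sits under a cluster parent domain.
    Suffix matching is anchored on a dot, so jt2x.com.lookalike.test does not match."""
    host = host.strip().lower().rstrip(".")
    if host in SHADYPANDA_HOSTS:
        return True
    return any(host == p or host.endswith("." + p) for p in PARENT_DOMAINS)


# Constructed proxy-log format: key=value fields, one request per line.
HOST_FIELD = re.compile(r"\bhost=([A-Za-z0-9.-]+)")


def hunt_proxy_log(lines):
    """Return (line_number, host) for every line whose host= field is an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_FIELD.search(line)
        if m and domain_matches(m.group(1)):
            hits.append((n, m.group(1).lower()))
    return hits


# Extract hostnames from any http(s) URL embedded in extension source or manifests.
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)


def scan_extension_source(files):
    """files: mapping of relative path -> file text (an unpacked extension).
    Returns {path: sorted indicator hosts} for files that reference an indicator."""
    findings = {}
    for path, text in files.items():
        hosts = {h.lower() for h in URL_HOST.findall(text) if domain_matches(h)}
        if hosts:
            findings[path] = sorted(hosts)
    return findings


# Constructed sample telemetry; the lookalike on line 4 must NOT be flagged.
SAMPLE_PROXY_LOG = [
    "2025-01-08T09:12:03Z src=10.20.0.15 host=www.example.com path=/ status=200",
    "2025-01-08T09:12:07Z src=10.20.0.15 host=api.jt2x.com path=/config status=200",
    "2025-01-08T09:12:09Z src=10.20.0.22 host=infinitynewtab.com path=/update status=304",
    "2025-01-08T09:12:11Z src=10.20.0.22 host=jt2x.com.lookalike.test path=/ status=200",
]

# Constructed unpacked extension: a benign manifest and a background script that
# pulls its behaviour from a remote configuration host (the pattern the reporting describes).
SAMPLE_EXTENSION = {
    "manifest.json": '{"name": "Tab Helper", "version": "3.1.0", '
                     '"update_url": "https://clients2.google.com/service/update2/crx"}',
    "background.js": 'fetch("https://api.jt2x.com/cfg").then(r => r.json()).then(applyConfig);\n'
                     'const css = "https://fonts.googleapis.com/css?family=Roboto";',
}

if __name__ == "__main__":
    for n, host in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {n}: contacted indicator host {host}")
    for path, hosts in scan_extension_source(SAMPLE_EXTENSION).items():
        print(f"{path}: references {', '.join(hosts)}")
```

In a real deployment the two functions would read a SIEM export and the unpacked extension directories under each browser profile; the matching logic stays the same. Because the reporting stresses that behaviour is driven by server-side configuration, a reference to a configuration host in an extension's background script is worth more attention than the extension's store listing or version history.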
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Malicious browser extension campaign enabling surveillance and remote control, distributed via Chrome and Edge extension marketplaces.
Named campaign/tool referenced in malicious browser-extension activity; specific functionality is not detailed beyond extension-based exfiltration and impersonation tactics.
Spyware referenced as compromising millions of users by abusing trusted browser extensions and their auto-update mechanism; tags also indicate backdoor functionality.
A long-running malicious browser-extension operation that initially behaves legitimately to build trust, then weaponizes via updates and/or remote configuration to perform surveillance, data exfiltration, search hijacking, remote code injection, and affiliate fraud.