Two pretend Chrome extensions named “Phantom Shuttle” are deceiving hundreds of customers by posing as official VPN companies whereas secretly intercepting their internet visitors and stealing delicate login info.
These malicious extensions, energetic since 2017, have been distributed to over 2,180 customers by way of the Chrome Internet Retailer, the place they proceed to function undetected.
The menace actor behind the scheme makes use of the e-mail theknewone.com@gmail[.]com to publish each extension variants, which operate identically regardless of having completely different appearances.
Victims are unaware they’re operating malicious software program that screens all their on-line exercise and repeatedly sends their credentials to attacker-controlled servers.
The extensions market themselves as “multi-location community pace testing plugins” designed for builders and Chinese language commerce employees.
Customers buy subscriptions starting from 9.9 to 95.9 yuan (roughly 1.40 to 13.50 USD) by way of official fee strategies, together with Alipay and WeChat Pay.
They obtain purposeful proxy companies that seem to work as marketed, performing actual latency assessments and displaying connection standing.
This industrial facade creates a false sense of safety whereas hiding devastating, malicious exercise occurring within the background.
Socket.dev analysts recognized that the extensions execute full visitors interception by way of a classy credential injection mechanism.
The extensions robotically intercept each HTTP authentication request throughout all web sites and inject hardcoded proxy credentials (username: topfany, password: 963852wei) with out person data.
This permits attackers to redirect all searching visitors by way of their very own proxy servers, successfully making a man-in-the-middle assault.
The Authentication Hijacking Mechanism
The malicious code is hidden inside modified JavaScript libraries bundled with the extension, particularly jquery-1.12.2.min.js and scripts.js.
Researchers discovered that the extensions make use of a customized character-index encoding scheme to obfuscate the hardcoded proxy credentials, thereby making them tougher to detect throughout safety evaluation.
The code registers a listener on chrome.webRequest.onAuthRequired, which intercepts authentication challenges earlier than customers see any prompts.
When triggered, the listener robotically responds with the hardcoded credentials utilizing asyncBlocking mode, guaranteeing the response occurs synchronously with out giving customers any alternative to intervene.
The extension maintains a 60-second heartbeat to the C2 server at phantomshuttle.area, repeatedly exfiltrating person information.
Throughout each heartbeat transmission and VIP standing examine, the extension sends person electronic mail addresses and passwords in plaintext to the attacker infrastructure, occurring each 5 minutes for energetic customers.
The extension stays operational as of December 23, 2025, and Socket.dev has submitted takedown requests to Google’s Chrome Internet Retailer safety workforce.
Customers who put in these extensions ought to instantly uninstall them and alter all passwords used of their browsers.
Observe us on Google Information, LinkedIn, and X to Get Extra Instantaneous Updates, Set CSN as a Most popular Supply in Google.
