{"id":1203,"date":"2025-07-08T16:51:36","date_gmt":"2025-07-08T16:51:36","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2025\/07\/08\/researchers-reveal-18-malicious-chrome-and-edge-extensions-disguised-as-everyday-tools\/"},"modified":"2025-07-08T16:51:36","modified_gmt":"2025-07-08T16:51:36","slug":"researchers-reveal-18-malicious-chrome-and-edge-extensions-disguised-as-everyday-tools","status":"publish","type":"post","link":"http:\/\/ft365.org\/index.php\/2025\/07\/08\/researchers-reveal-18-malicious-chrome-and-edge-extensions-disguised-as-everyday-tools\/","title":{"rendered":"Researchers Reveal 18 Malicious Chrome and Edge Extensions Disguised as Everyday Tools"},"content":{"rendered":"
\n

A set of 18 malicious browser extensions that are still available to download on Google Chrome and Microsoft Edge have been identified by a team of security researchers at Koi Security.<\/p>\n

These extensions masquerade as productivity and entertainment tools across diverse categories, including emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters and YouTube unblockers.<\/p>\n

They all offer a functional service, which is advertised, while secretly implementing browser surveillance and hijacking capabilities. They have infected over 2.3 million browser users to date.<\/p>\n

Several of these extensions were verified by Google and Microsoft or had featured placement on the Chrome Web Store or the Edge Add-ons Store.<\/p>\n

While each extension operates with its own command and control subdomain, giving the appearance of separate operators, the researchers discovered that the 18 extensions are all part of the same centralized attack infrastructure.<\/p>\n

The campaign has been dubbed RedDirection and Koi Security shared their findings in a July 8 report on Dardikman\u2019s Medium page.<\/p>\n

Legitimate Extensions Turned Malicious in Later Updates<\/strong><\/h2>\n

The first extension the Koi Security researchers identified, named \u2018Color Picker, Eyedropper \u2014 Geco colorpick,\u2019 appears as a seemingly benign Chrome extension with over 100,000 installs and over 800 reviews.<\/p>\n

In reality, this extension also delivers a malicious command-and-control (C2) backdoor, allowing an attacker to track every website visited by its users.<\/p>\n

Upon finding this extension, Idan Dardikman and his fellow researchers at Koi Security dug deeper.<\/p>\n

They found 11 Chrome extensions and seven Edge extensions with similar capabilities.<\/p>\n

To avoid being blocked by Google\u2019s and Microsoft\u2019s security filters, the RedDirection extensions were initially created as clean extensions and later updated with malware in subsequent versions that installed automatically, with no user input – sometimes years later the initial version was released.<\/p>\n

\u201cGoogle’s and Microsoft\u2019s verification process failed to detect sophisticated malware across eleven different extensions, instead promoting several to users through verification badges and featured placement,\u201d Dardikman explained.<\/p>\n

The malicious code that was added to the extensions allows an attacker to:<\/p>\n