Hacking

Malicious Chrome Extensions Masquerade as VPN Speed Tools

Published  ·  4 min read

Two Google Chrome browser extensions are located by security researchers. Both of these extensions, published by the same developer and under the same title, have been created to capture network traffic and hijack users’ credentials. Once these browser extensions are installed, they appear to be legitimate browser tools. However, they operate as complete man-in-the-middle proxies.

The Phantom Shuttle extensions are both marketed as “multi-location network speed test plug-ins” to developers and those in the import/export industry. Both extensions were available for download on the Chrome Web Store, as of this writing. The older version has been in circulation since 2017 and had approximately 2,000 users, while the newer version was introduced in 2023 and had fewer users.

Users are encouraged to purchase a subscription, priced between ¥9.90 and ¥95.90 CNY, believing they are receiving a VPN-like service. Upon payment, users receive "VIP" status, and proxy mode is automatically configured to route users' traffic through compromised networks run by attackers.

Both extensions execute the same malicious behavior. When users enable the extension, it engages in a covert method of intercepting user logins by injecting pre-defined proxy credentials into each HTTP authenticating request. This injection occurs before users would receive the browser prompt, rendering the process completely invisible and denying users the opportunity to intervene.

Despite having different names, both of these Mozilla Firefox browser extensions perform the exact same malicious act of intercepting authentication requests via HTTP by inserting hardcoded proxy credentials into each request without notifying users. The extensions do this prior to the user's ability to respond to an HTTP prompt, thereby rendering the user's ability to intervene impossible.

To further substantiate their claims of providing valid latency checks and displaying proxy status, both extensions do provide users with these types of information. However, the primary business model for both extensions is to intercept user traffic and harvest user credentials.

Targeted Traffic Interception
After proxy authentication, the extensions modify Chrome’s proxy settings using a Proxy Auto-Configuration (PAC) script. Three modes are supported:
1. Close – disables the proxy
2. Always – routes all web traffic through the proxy
3. Smarty – selectively routes traffic from over 170 predefined domains

The targeted domains include developer platforms, cloud service providers, enterprise software vendors, social media sites, and adult websites. Researchers believe the inclusion of adult platforms may be intended for blackmail or coercion.

Once active, all selected traffic is routed through attacker-controlled proxies, giving the operator full visibility into user activity. The extensions maintain a persistent connection to their command-and-control server, sending regular heartbeat messages to confirm activity.
The fact that heartbeat requests send sensitive data between a client and server, such as usernames, emails and passwords (in plain text), every minute. Thus, users can continuously have their credentials, session credentials, stolen without the knowledge of the user.

Because of the design of the extensions, an attacker could take advantage of this security flaw to steal the passwords of these users (also credit card information), session tokens (which allow access to the session), API keys (which allow access to APIs), browsing history and other sensitive information from a compromised user.

Developers who create and maintain code repositories and cloud environments run similar risks as would be incurred if someone else was able to reuse those same "stolen secrets" to undermine or compromise the repository or cloud environment of the developer.

The case indicates that this may involve a China-based operation by at least some actors. Among other things, there are several signs that support this conclusion, including: Chinese language in the application user interface; integration with Alipay and WeChat Pay (both Chinese payment systems); and hosting infrastructures that are associated with Alibaba Cloud.

The case of these extensions demonstrates that extensions that are associated with payment systems also may introduce various types of enterprise risk, including supply chain risks, due to elevated proxy permissions associated with these extensions. In addition, security teams should take note that any users who have installed these extensions should immediately uninstall the extension and restrict the ability to install browser extensions to trusted users. Security teams should also audit all proxy-related permissions associated with all installed extensions and monitor for any unusual authentication activity.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067