
The earliest extensions focused on affiliate fraud, extracting hidden commissions on victims’ online purchases, later shifting to search-result manipulation. Most recently, they have included sophisticated behavioral tracking, session-data harvesting, and browser fingerprinting surveillance affecting 4 million users, and a backdoor supporting remote code execution (RCE) affecting 300,000.
ShadyPanda played the long game: its extensions, including the popular Clean Master utility with 200,000 installs, were distributed early on as completely legitimate tools, earning positive user ratings and, in some cases, trust signals such as “Featured” or “Verified” badges in the Chrome Web Store and Microsoft Edge Add-ons store.
No review after submission
This long-term legitimacy built a large user base and may have normalized these extensions inside enterprises, where browser add-ons often pass through with little scrutiny. Only after accumulating trust, and millions of installs, did ShadyPanda push silent malicious updates. It embedded hidden install-tracking routines that mapped user behavior and optimized reach before weaponizing it through a malicious update.
