Project Silent Browse: 4.3M Victims of ShadyPanda's Long Game

Tags: ShadyPanda, Browser extensions, Chrome security, Edge security, Enterprise browser risk
Operation Trusted Mirage follows a years-long ShadyPanda campaign that abuses trusted Chrome and Edge extensions installed by over 4.3 million users. Through malicious updates delivered via the official stores, the group shifts from simple affiliate fraud to full browser control and large-scale data theft, turning ordinary extensions into backdoors that steal traffic and sessions without using classic phishing emails.

Indicators of Compromise


Campaign Guidance

REMEDIATION

T1176.001 – Browser Extensions (Software Extensions)

Detection strategy DET0044 – Detecting Malicious Browser Extensions Across Platforms

Analytics:

AN0123 – Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process.

AN0124 – Installation of malicious .mobileconfig profiles or browser extension plist entries followed by abnormal browser child process activity.

AN0125 – Manual or scripted installation of Chrome extensions using user scripts or config files, followed by unexpected network connections from browser processes.

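The AN0123 pattern above, as an added worked example (not code from the original page or from any vendor): a small correlation over constructed endpoint telemetry that raises an alert when a browser process contacts a watchlisted domain within a time window after an extension install or update. Because this campaign reached users through store-pushed updates to extensions they already had, the trigger event is widened to cover updates as well as fresh installs; the event schema, field names and the watchlist domains are assumptions, the latter standing in for the campaign's published IoC domains.

```python
"""Added example (not from the original page or any vendor): the AN0123 pattern,
an extension install or update followed by the browser contacting an untrusted
domain, run over constructed inline telemetry. Event schema and field names are
assumptions; watchlist entries are placeholders for the campaign's IoC domains."""
from datetime import datetime, timedelta

WATCHLIST = {"update-cdn.example", "api.ext-telemetry.example"}  # placeholders
BROWSERS = {"chrome.exe", "msedge.exe", "chrome", "msedge"}
WINDOW = timedelta(minutes=30)  # how long after an ext change we keep correlating

# Constructed sample telemetry (not real logs). ext_change covers store-pushed
# updates, which is how this campaign reached already-installed users.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "kind": "net_conn", "proc": "chrome.exe",
     "host": "update-cdn.example"},                 # before any change: ignore
    {"ts": "2024-05-01T09:05:00", "kind": "ext_change", "proc": "chrome.exe",
     "ext_id": "constructed-ext-id", "action": "update"},
    {"ts": "2024-05-01T09:07:30", "kind": "net_conn", "proc": "chrome.exe",
     "host": "update-cdn.example"},                 # inside window: alert
    {"ts": "2024-05-01T09:08:00", "kind": "net_conn", "proc": "chrome.exe",
     "host": "www.example.org"},                    # not watchlisted
    {"ts": "2024-05-01T11:00:00", "kind": "net_conn", "proc": "chrome.exe",
     "host": "api.ext-telemetry.example"},          # window expired
]

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def host_on_watchlist(host, watchlist=WATCHLIST):
    """True if host or any parent domain (not the bare TLD) is watchlisted."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels) - 1))

def correlate(events, watchlist=WATCHLIST, window=WINDOW):
    """Return (ext_id, host, seconds_after_change) for every watchlisted
    connection a browser process makes within `window` after an extension
    install/update. Events are sorted first so out-of-order logs still work."""
    alerts, pending = [], []   # pending: ext_change events still in the window
    for event in sorted(events, key=_ts):
        now = _ts(event)
        pending = [p for p in pending if now - _ts(p) <= window]
        if event["kind"] == "ext_change":
            pending.append(event)
        elif (event["kind"] == "net_conn" and event["proc"] in BROWSERS
              and host_on_watchlist(event["host"], watchlist)):
            for change in pending:
                delay = int((now - _ts(change)).total_seconds())
                alerts.append((change["ext_id"], event["host"], delay))
    return alerts
```

Parent-domain matching is deliberate: campaign infrastructure on rotating subdomains of a watchlisted apex still matches, while a connection that precedes the extension change or falls outside the window does not.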

T1557 – Adversary in the Middle

Detection strategy DET0296 – Detect Adversary-in-the-Middle via Network and Configuration Anomalies

Analytics:

AN0823 – Detects suspicious DNS/ARP poisoning attempts, unauthorized modifications to registry/network configuration, or abnormal TLS downgrade activity. Correlates changes in system configuration with subsequent unusual network flows or authentication events.

AN0824 – Detects unauthorized edits to /etc/hosts, /etc/resolv.conf, or suspicious ARP broadcasts. Correlates file modifications with subsequent unexpected network sessions or service creation.

AN0825 – Detects unauthorized edits to system configuration profiles, unexpected certificate trust changes, or abnormal ARP/DNS patterns indicative of interception.

AN0826 – Detects unauthorized firmware or configuration changes enabling adversary-in-the-middle positioning (e.g., route injection, DNS spoofing, SSL downgrade). Behavioral analytics focus on sudden changes to routing tables or image file integrity failures.


T1539 – Steal Web Session Cookie

Detection strategy DET0509 – Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts

Analytics:

AN1402 – Detects suspicious access to browser session cookie storage (e.g., Chrome's Cookies SQLite DB) or memory reads of browser processes. Anomalous injection or memory dump utilities targeting browser processes such as chrome.exe, firefox.exe, or msedge.exe.

AN1403 – Detects access to known browser cookie files (e.g., ~/.mozilla/firefox/*.default/cookies.sqlite, ~/.config/google-chrome/) and suspicious reads of browser memory via /proc/[pid]/mem or ptrace.

AN1404 – Detects unauthorized access to browser cookie paths (e.g., ~/Library/Application Support/Google/Chrome/Default/Cookies) or task_for_pid/vm_read calls to Safari/Chrome memory space.

AN1405 – Detects automation macros or VBA scripts in documents that access browser file paths, read cookie data, or attempt to exfiltrate browser session tokens over HTTP.

AN1406 – Detects use of session cookies or authentication tokens from unusual user agents or locations. Identifies token reuse without reauthentication or attempts to bypass MFA using previously stolen cookies.


T1555.003 – Credentials from Web Browsers

Detection strategy DET0037 – Detect Suspicious Access to Browser Credential Stores

Analytics:

AN0105 – Detects unauthorized access to web browser credential stores (e.g., Chrome Login Data, Edge Credential Locker) by processes other than the browser itself. Correlates file reads of credential databases with subsequent API calls to CryptUnprotectData or memory inspection attempts.

AN0106 – Detects attempts to access browser credential stores (e.g., Firefox logins.json, Chrome SQLite DB) or processes (e.g., gnome-keyring-daemon). Observes unauthorized file reads and memory inspection of browser processes using ptrace or gdb.

AN0107 – Detects abnormal access to Safari credential stores (Keychain-backed) or Chrome/Firefox login databases. Observes processes executing security dump-keychain or directly reading credential files in ~/Library/Application Support. Correlates file access with suspicious process ancestry or unsigned binaries.



T1217 – Browser Information Discovery

Detection strategy DET0013 – Detection of Local Browser Artifact Access for Reconnaissance

Analytics:

AN0037 – Access to browser artifact locations (e.g., Chrome, Edge, Firefox) by processes like PowerShell, cmd.exe, or unknown tools, followed by file reads, decoding, or export operations indicating enumeration of bookmarks, autofill, or history databases.

AN0038 – Unauthorized shell or script-based access to browser config or SQLite history files, typically in ~/.config/google-chrome/, ~/.mozilla/, or ~/.var/app folders, indicating enumeration of bookmarks or saved credentials.

AN0039 – Scripting or CLI tool access to ~/Library/Application Support/Google/Chrome or ~/Library/Safari bookmarks, cookies, or history databases. Detection relies on unexpected processes accessing or reading from these locations.


T1041 – Exfiltration Over C2 Channel

Detection strategy DET0348 – Detection Strategy for Exfiltration Over C2 Channel

Analytics:

AN0988 – Identifies suspicious outbound traffic volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols like HTTPS, DNS, or custom TCP/UDP ports, following file or data access.

AN0989 – Monitors for processes reading sensitive files then immediately initiating unusual outbound connections or bulk transfer sessions over persistent sockets, particularly with encrypted or binary payloads.

AN0990 – Detects unauthorized applications or scripts accessing sensitive data followed by establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios.

AN0991 – Detects VMs sending outbound traffic through non-standard services or to unknown destinations. Exfiltration over reverse shells tunneled via VMkernel or custom payloads routed via hostd/vpxa.


T1567 – Exfiltration Over Web Service

Detection strategy DET0548 – Detection Strategy for Exfiltration Over Web Service

Analytics:

AN1511 – Processes that normally do not initiate network communications suddenly making outbound HTTPS connections with high outbound-to-inbound data ratios. Defender view: correlation between process creation logs (e.g., Word, Excel, PowerShell) and subsequent anomalous network traffic volumes toward common web services (Dropbox, Google Drive, OneDrive).

AN1512 – Processes (tar, curl, python scripts) accessing large file sets and initiating outbound HTTPS POST requests with payload sizes inconsistent with baseline activity. Defender perspective: detect abnormal sequence of file archival followed by encrypted uploads to external web services.

AN1513 – Office apps or scripts writing files followed by xattr manipulation (to evade quarantine) and subsequent HTTPS uploads. Defender perspective: anomalous file modification + outbound TLS traffic originating from non-networking apps (Word, Excel, Preview).

AN1514 – Abnormal API calls from user accounts invoking file upload endpoints outside normal baselines (M365, Google Drive, Box). Defender perspective: monitor unified audit logs for elevated frequency of Upload, Create, or Copy operations from compromised accounts.

AN1515 – ESXi guest OS or management interface processes establishing unexpected external HTTPS connections. Defender perspective: monitor vmx or hostd processes making outbound web requests with significant data transfer.


Reports & References: 1

Observed Countries (7)

DE (920)
ES (22)
FR (780)
GB (694)
IT (140)
NL (315)
SE (607)