2.3 Million Users Infected by Malicious Chrome & Edge Extensions

For years at a time, 18 extensions had a "squeaky clean" codebase until a version bump made them into malicious trojans without any user involvement. Over 2.3 million people have just been affected, but there are likely many more extensions out there, security researchers warn.


With over 100,000 downloads, a Chrome and Edge extension that shows Google's verified badge accomplishes its stated goal of providing users with a colour picker.  Unfortunately, Koi Security researchers have found that it also backdoors victims' web browsers, records behaviour across websites, and hijacks every browser session.

Colour pickers are useful for building websites, apps, and other content: they let users pick any colour from a web page and save it to the clipboard for later use.  At the time of writing, this specific Geco extension could still be downloaded from the Google and Microsoft stores.  The Register's questions were not answered by either firm, but we will update this story if that changes.

On the Chrome Web Store, the Geco extension has more than 800 reviews, a 4.2 rating (out of 5), and "featured" placement.  On Microsoft's Edge Add-ons store, with 1,000+ users and similarly positive reviews, it likewise looks like a completely safe extension.

"This isn't some obvious scam extension thrown together in a weekend," Idan Dardikman, an analyst with Koi Security, stated in a blog post made on Tuesday.  "This is a carefully crafted Trojan horse."

The developer was also contacted by The Register for comment, but no response was obtained.

Koi Security says the Geco colour picker is "just the tip of the iceberg": it is one component of a significant browser-hijacking campaign the researchers call RedDirection.  The campaign includes 18 malicious extensions with the same eavesdropping capabilities, available across both the Chrome and Edge stores.  A list of all 18 extensions is at the bottom of this story.

"Combined, these eighteen extensions have infected over 2.3 million users across both browsers, creating one of the largest browser hijacking operations we've documented," said Dardikman.

The extensions offer a wide range of features: emoji keyboards, weather forecasts, video speed controllers, VPN proxies for TikTok and Discord, dark themes, volume boosters, and YouTube unblockers (helpful if your government, workplace, or school blocks the well-known video site).  However, alongside these legitimate functions, they covertly monitor users' online activity: they record the URLs visited, transmit them to an attacker-controlled server together with the victim's unique tracking ID, and can even redirect the user's browser on command, the researchers found.

What makes this far more devious, and probably explains the Google verified badge, is that these extensions were not malicious from the beginning.

According to Dardikman, the code was initially clean, and in some cases stayed that way for years, before the malicious code was added in a version update.  "Due to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed silently for over 2.3 million users across both platforms, most of whom never clicked anything," he stated.


What does this Trojan do?

Every time you visit a new website, the spyware surreptitiously runs in the background and tracks your activity.  The goal of the attack is to divert users to malicious websites, which may be phishing sites that imitate the original.

The malware takes the user's original URL and sends it, along with a unique identifier, to a remote attacker-controlled command-and-control server, which can then reply with a redirect URL.  On instruction, the trojanised extension automatically redirects the user to the malicious site, which may lead to further compromise.

Attackers can take advantage of this man-in-the-middle capability at any time.  When a user opens an invitation to a Zoom meeting, for example, they can be directed to download a "critical Zoom update", or to a pixel-perfect copy of their bank's login page designed to steal their credentials.

Each extension used a different domain, giving the impression that different developers were behind them.  Nevertheless, they all shared the same centralised attack infrastructure.

Koi Security researchers urge the immediate deletion of the following extensions from Chrome and Edge.

Chrome:

  • Emoji keyboard online – copy&paste your emoji
  • Free Weather Forecast
  • Video Speed Controller – Video Manager
  • Unlock Discord – VPN Proxy to Unblock Discord Anywhere
  • Dark Theme – Dark Reader for Chrome
  • Volume Max – Ultimate Sound Booster
  • Unblock TikTok – Seamless Access with One-Click Proxy
  • Unlock YouTube VPN
  • Color Picker, Eyedropper – Geco colorpick
  • Weather

Edge:

  • Unlock TikTok
  • Volume Booster – Increase your sound
  • Web Sound Equalizer
  • Header Value
  • Flash Player – games emulator
  • Youtube Unblocked
  • SearchGPT – ChatGPT for Search Engine
  • Unlock Discord

Users should check all installed extensions and uninstall any that aren't needed, according to researchers.  Keep an eye out for such questionable activity; a single update can make a once-reliable extension dangerous.
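As an added example (not code from the article or from Koi Security), a small Python audit that walks a Chrome or Edge profile's Extensions folder, reads each version's manifest.json, and flags extensions whose name matches the RedDirection list above or whose permissions would let them observe every URL a tab loads and redirect it, which is what the trojan described here needs. The profile path is an assumption for your system; localized names (`__MSG_…__` placeholders) are not resolved.

```python
import json
from pathlib import Path

# Names of the 18 RedDirection extensions listed above (Chrome and Edge stores).
REDDIRECTION_NAMES = {
    "Emoji keyboard online – copy&paste your emoji", "Free Weather Forecast",
    "Video Speed Controller – Video Manager",
    "Unlock Discord – VPN Proxy to Unblock Discord Anywhere",
    "Dark Theme – Dark Reader for Chrome", "Volume Max – Ultimate Sound Booster",
    "Unblock TikTok – Seamless Access with One-Click Proxy", "Unlock YouTube VPN",
    "Color Picker, Eyedropper – Geco colorpick", "Weather", "Unlock TikTok",
    "Volume Booster – Increase your sound", "Web Sound Equalizer", "Header Value",
    "Flash Player – games emulator", "Youtube Unblocked",
    "SearchGPT – ChatGPT for Search Engine", "Unlock Discord",
}
# Permissions that let an extension see every URL a tab loads and redirect it.
URL_WATCH_PERMS = {"tabs", "webNavigation", "webRequest"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return findings for one parsed manifest.json (empty list = nothing flagged)."""
    findings = []
    name = manifest.get("name", "")  # "__MSG_x__" localized names are not resolved here
    if name in REDDIRECTION_NAMES:
        findings.append(f"name matches RedDirection list: {name!r}")
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    watch, broad = perms & URL_WATCH_PERMS, hosts & BROAD_HOSTS
    if watch and broad:
        findings.append(f"can observe/redirect all browsing: permissions={sorted(watch)}, hosts={sorted(broad)}")
    return findings

def audit_profile(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/manifest.json; map 'id@version' -> findings."""
    report = {}
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        ext_id, version = manifest_path.parts[-3], manifest_path.parts[-2]
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        if findings := audit_manifest(manifest):
            report[f"{ext_id}@{version}"] = findings
    return report
```

Call `audit_profile()` with the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux, an assumed path) and review every flagged entry; a broad-permission hit is a reason to look closer, not proof of compromise.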

Even though the malicious extensions appear to have been taken down from stores, some of the attacker-controlled sites that were highlighted in the study as signs of compromise are still operational and promoting dangerous software.
