Massive Browser Hijacking Campaign Targets 2.3 Million Users Through Malicious Chrome and Edge Extensions
RedDirection Attack Exploits Chrome and Edge Extension Trust to Steal User Data – Massive Browser Hijacking Campaign Compromises 2.3 Million Users Through Trusted Extensions
The cybersecurity community has uncovered one of the most sophisticated browser hijacking campaigns to date, with over 2.3 million users across Google Chrome and Microsoft Edge falling victim to 18 malicious extensions. This widespread attack, dubbed the “RedDirection campaign,” demonstrates how cybercriminals are exploiting the trust users place in official browser marketplaces to conduct large-scale surveillance and data theft operations.
Description of the RedDirection Campaign
The RedDirection campaign represents a coordinated effort by threat actors to infiltrate browsers through seemingly legitimate extensions available on both the Chrome Web Store and Microsoft Edge Add-ons marketplace. Researchers at Koi Security first discovered this sophisticated operation while investigating a single extension called “Color Picker, Eyedropper — Geco colorpick,” which led to the identification of 17 additional malicious extensions operating under the same infrastructure. What makes this campaign particularly insidious is its patient, long-term approach – these extensions functioned as legitimate productivity tools for months or even years before activating their malicious capabilities through automatic updates.
- Extensions masqueraded as everyday productivity tools offering functionality such as color picking, emoji keyboards, weather forecasts, VPN services, volume boosters, and video speed controllers
- Many extensions carried verified badges, featured placement on official stores, and maintained hundreds of positive reviews
- Extensions initially functioned exactly as advertised, providing promised functionality while secretly monitoring user activity
- Malicious code was introduced through subsequent updates, sometimes years after original installation
- Attack bypassed user awareness and security scrutiny through automatic update mechanisms
The sophisticated nature of this campaign demonstrates how cybercriminals have evolved to exploit user trust in official marketplaces and the automatic update systems that users rely on for convenience.
Severity of the Issue
The RedDirection campaign represents a critical threat to user privacy and security with implications that extend far beyond typical malware infections. The scale of this operation is unprecedented, affecting over 2.3 million users across both Chrome and Edge browsers, making it one of the largest browser hijacking operations ever documented. The campaign’s duration and sophistication are equally concerning, with some extensions operating as “sleeper agents” since at least July 2024, demonstrating the attackers’ patience and long-term strategic planning.
- Over 2.3 million affected users across both Chrome and Edge browsers
- Created one of the largest browser hijacking operations documented to date
- Campaign spans multiple years with some extensions operating as sleeper agents since at least July 2024
- Extensions had access to extensive browser permissions allowing monitoring of every website visit
- Coordinated attack involving 18 different extensions connected to single command-and-control infrastructure
- Demonstrated sophisticated planning and significant resources behind the operation
The severity is amplified by the trust users placed in these verified extensions and the potential for ongoing surveillance without user knowledge or consent.
How the Attack is Exploited
The RedDirection campaign employs a sophisticated multi-stage attack methodology that operates entirely without user interaction or awareness. The exploitation process begins with legitimate extensions that provide actual functionality to users, building trust and avoiding suspicion during the initial installation period. These extensions remain dormant until receiving updates that introduce malicious code through the automatic update mechanism that both Chrome and Edge use to keep extensions current. This approach bypasses both user scrutiny and many security detection systems, as the malicious functionality only appears after the extension has established itself as a trusted component of the user’s browser environment.
- Background service workers register listeners triggered whenever users navigate to new webpages
- Listeners capture URLs of visited pages and transmit information to remote servers with unique tracking identifiers
- Command-and-control servers respond with redirection URLs, hijacking browsing sessions
- Extensions use the Chrome Extensions API to intercept web requests and modify browser behavior
- Some extensions strip Content Security Policy headers, compromising browser security defenses
- Attack chain includes ability to serve fake software updates, particularly targeting Zoom users
- Extensions can redirect users to phishing sites designed to steal login credentials
The exploitation process operates entirely in the background, making detection extremely difficult for average users who continue to receive the advertised functionality while being monitored.
Who is Behind the Attack
Security researchers have identified several characteristics that point to an organized cybercriminal operation rather than individual hackers behind the RedDirection campaign. The threat actors demonstrate sophisticated technical capabilities and employ long-term planning approaches that suggest significant resources and expertise in browser-based attacks. The level of coordination required to manage 18 different extensions, each with its own command-and-control subdomain designed to mask their connection to a centralized infrastructure, indicates a well-organized group with experience in large-scale operations.
- Organized cybercriminal operation rather than individual hackers
- Sophisticated technical capabilities and long-term planning approach
- Well-resourced group with experience in large-scale operations
- Each extension connected to its own command-and-control subdomain to mask the centralized infrastructure
- Threat actors likely acquired access through developer account compromises rather than direct code exploitation
- Group demonstrates capabilities in social engineering, phishing, or other methods to gain unauthorized access
The professional nature of the operation, combined with its scale and duration, suggests this group has significant resources and likely operates as part of a larger cybercriminal ecosystem focused on data theft and advertising fraud.
Who is at Risk
The RedDirection campaign specifically targets users of Google Chrome and Microsoft Edge browsers, which collectively represent the vast majority of internet users worldwide. However, the risk profile varies significantly across different user groups based on their browsing habits and organizational security policies. Small and medium-sized businesses face particularly elevated risk, as their employees often install browser extensions to enhance productivity without proper security oversight or approval processes. The extensions in this campaign specifically targeted productivity tools, making them especially appealing to business users seeking to improve their workflow efficiency and daily productivity.
- Small and medium-sized businesses whose employees install productivity extensions without security oversight
- Individual users who frequently install browser extensions for enhanced functionality
- Organizations allowing unrestricted browser extension installation
- Users who visit sensitive websites including online banking, corporate portals, and cloud services
- Business users seeking workflow efficiency improvements through browser extensions
- Anyone using Google Chrome or Microsoft Edge browsers with installed extensions
The broad appeal of productivity-focused extensions makes virtually any internet user a potential target for this type of attack.
Remediation and Protection Measures
Protecting against browser extension-based attacks requires a comprehensive approach that addresses both immediate threats and long-term security posture. The remediation process must begin with immediate action to remove any potentially compromised extensions and eliminate traces of malicious activity, followed by implementing robust preventive measures to avoid future incidents. Organizations and individuals need to fundamentally reassess their approach to browser extension management, moving from a permissive model to one based on careful evaluation and ongoing monitoring.
- Uninstall all identified malicious extensions from browsers immediately
- Check installed extensions against known malicious extension lists
- Clear all browser data including browsing history, cookies, cached files, and site data
- Conduct full system malware scans to detect additional malicious software
- Monitor online accounts for suspicious activity, particularly sensitive services
- Implement browser extension allowlists restricting installation to approved extensions only
- Provide regular security awareness training emphasizing browser extension risks
- Encourage installation only from verified developers and regular review of installed extensions
Users should check for the following add-ons in the Chrome browser and remove them as soon as possible:
- Color Picker, Eyedropper — Geco colorpick
- Emoji keyboard online — copy&paste your emoji
- Free Weather Forecast
- Video Speed Controller — Video manager
- Unlock Discord — VPN Proxy to Unblock Discord Anywhere
- Dark Theme — Dark Reader for Chrome
- Volume Max — Ultimate Sound Booster
- Unblock TikTok — Seamless Access with One-Click Proxy
- Unlock YouTube VPN
- Unlock TikTok
- Weather
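The audit below is an added example written for this post (it is not Koi Security's or CinchOps' code) that ties together the mechanism described under "How the Attack is Exploited" and the "check installed extensions" and "allowlist" steps above. It walks a Chrome or Edge profile's Extensions folder (for example the "User Data/Default" directory on Windows) and flags a manifest when its name matches the list above, when its extension id is absent from an organizational allowlist, or when a background worker combines navigation/request permissions with host access to every site. The profile path and the allowlist are assumptions supplied by the caller; the permission names are the standard Chrome extension permissions.

```python
import json
from pathlib import Path

# Extension names the post lists as part of the RedDirection campaign.
REDDIRECTION_NAMES = {
    "Color Picker, Eyedropper — Geco colorpick",
    "Emoji keyboard online — copy&paste your emoji",
    "Free Weather Forecast",
    "Video Speed Controller — Video manager",
    "Unlock Discord — VPN Proxy to Unblock Discord Anywhere",
    "Dark Theme — Dark Reader for Chrome",
    "Volume Max — Ultimate Sound Booster",
    "Unblock TikTok — Seamless Access with One-Click Proxy",
    "Unlock YouTube VPN",
    "Unlock TikTok",
    "Weather",
}
# Host patterns that cover every site, and permissions that let a background
# worker observe navigations or rewrite requests and response headers.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
WATCH_PERMS = {"webNavigation", "webRequest", "webRequestBlocking",
               "declarativeNetRequest", "tabs", "scripting"}

def audit_manifest(manifest, allowlist=frozenset(), ext_id=None):
    """Return a list of findings for one extension manifest (MV2 or MV3)."""
    findings = []
    if manifest.get("name", "") in REDDIRECTION_NAMES:
        findings.append("name matches a RedDirection extension")
    if allowlist and ext_id not in allowlist:  # allowlist is caller-supplied
        findings.append("not on the organisation allowlist")
    perms = set(manifest.get("permissions", []))
    # MV2 put host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | (perms & BROAD_HOSTS)
    bg = manifest.get("background", {})
    has_bg = bool(bg.get("service_worker") or bg.get("scripts"))
    if has_bg and perms & WATCH_PERMS and hosts & BROAD_HOSTS:
        findings.append("background worker can watch or modify every site via "
                        + ", ".join(sorted(perms & WATCH_PERMS)))
    return findings

def iter_installed_manifests(profile_dir):
    """Yield (extension_id, manifest) for each extension in a profile.
    Layout is <profile>/Extensions/<id>/<version>/manifest.json."""
    for path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as f:
            yield path.parent.parent.name, json.load(f)
```

Run it by looping over iter_installed_manifests(profile_dir) and printing each audit_manifest result; note that manifests using localized names (the `__MSG_...__` form) will not match the name list, so treat the name check as a first pass and the permission check as the stronger signal.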
Organizations should establish formal policies governing browser extension installation and management to prevent future incidents and maintain a secure browsing environment.
How CinchOps Can Help
CinchOps understands the evolving nature of cyber threats and provides comprehensive protection against sophisticated attacks like the RedDirection campaign that target the fundamental tools businesses rely on daily. Our cybersecurity solutions are specifically designed to address both immediate risks and long-term security posture requirements, ensuring that your organization remains protected while maintaining the productivity and functionality essential for business operations. We recognize that browser extensions have become integral to modern business workflows, and our approach balances security with usability to provide effective protection without hindering legitimate business activities.
- Continuous monitoring and threat detection capabilities identifying suspicious browser activity and extension-based attacks
- Advanced endpoint protection solutions monitoring browser behavior and detecting malicious extensions before system compromise
- Regular security assessments identifying vulnerabilities in browser security policies with appropriate control recommendations
- Comprehensive employee security training programs educating workforce about browser extension risks and cyber threats
- Browser management policy implementation including extension allowlists and security controls preventing unauthorized installations
- Incident response services providing quick threat containment, damage assessment, and recovery measures
- Ongoing security monitoring detecting and preventing future browser infrastructure attacks
With CinchOps as your cybersecurity partner, your organization receives protection against the latest threats while maintaining the productivity and functionality your business requires to succeed in today’s digital environment.
Discover More
Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: Browser Extensions: The Hidden Security Risk in Your Houston Business
For Additional Information on this topic: Google and Microsoft Trusted Them. 2.3 Million Users Installed Them. They Were Malware.