Malicious Chrome Extensions Steal Credentials via Proxy Traffic

Phantom Shuttle: Malicious Chrome Extensions Steal Credentials via Man-in-the-Middle Proxy Attacks Disguised as VPN Services

  • Two malicious Google Chrome extensions named Phantom Shuttle intercept user traffic and steal credentials.
  • The extensions use a subscription model charging between $1.40 and $13.50 for a supposed VPN service.
  • User traffic to over 170 targeted domains is routed through attacker-controlled proxies to enable man-in-the-middle data theft.
  • The extensions continuously exfiltrate user credentials and session data to a command-and-control server.
  • The operation shows signs of being China-based, using Chinese language and payment methods like Alipay and WeChat Pay.

Two Google Chrome extensions named Phantom Shuttle, published by the same developer, have been found to contain malicious capabilities that intercept network traffic and capture sensitive user credentials. One version has been available since November 2017 and has about 2,000 users; a second variant, released in April 2023, has 180 users so far.

Advertised as a multi-location network speed test plug-in aimed at developers and foreign trade professionals, the extensions are sold as a subscription service charging from $1.40 to $13.50. Despite their VPN-like appearance, they perform malicious activities, including man-in-the-middle attacks carried out through traffic interception and credential injection, according to security researcher Kush Pandya's research report.

After the subscription payment, users receive VIP status, which triggers the automatic activation of a "smarty" proxy mode. This mode routes traffic for over 170 high-value websites—including developer platforms like GitHub and Stack Overflow, cloud services such as Amazon Web Services and Microsoft Azure, enterprise solutions, social media, and adult content sites—through attacker-controlled proxy servers.

The extensions modify two JavaScript libraries bundled with the add-ons so that hardcoded proxy credentials are injected automatically on proxy authentication requests, bypassing any user prompt. This is done through Chrome's webRequest API, which allows synchronous credential injection without user interaction. Once authenticated, the extensions set Chrome's proxy configuration using a Proxy Auto-Configuration (PAC) script that supports three modes: proxy disabled, all traffic routed through the proxy, or selective routing based on the target-domain list.

Traffic routed through these proxies is continuously monitored and can be manipulated by the attacker. The extensions send a 60-second "heartbeat" signal to their command-and-control server at phantomshuttle[.]space and transmit the VIP user's email, plaintext password, and extension version every five minutes. This enables ongoing credential theft and session observation.

The exfiltration targets critical personal data such as passwords, credit card numbers, authentication cookies, browsing histories, form inputs, API keys, and access tokens. The theft of developer secrets also opens the door to potential supply chain attacks. Chinese-language text in the descriptions, the integration of Chinese payment methods like Alipay and WeChat Pay, and hosting infrastructure tied to Alibaba Cloud all suggest the operation originates from China.

Users who have installed these extensions are strongly advised to remove them immediately. Enterprises should implement extension allowlisting, monitor for extensions combining subscription payments with proxy permissions, and enable network-level detection of suspicious proxy authentications to mitigate such risks.
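The mechanism described above (proxy permission, silent answers to proxy authentication via webRequest, and PAC-driven routing) and the allowlisting advice in this paragraph suggest a simple triage check. The following is an added example, not code from the extensions or from the research report: it scores an unpacked extension's manifest and bundled sources against those indicators; the indicator names, the verdict thresholds, and the sample manifest and source are constructed for illustration and use placeholder values.

```python
# Heuristic triage of an unpacked Chrome extension for the Phantom Shuttle
# pattern: proxy permission + silent proxy-auth handling + PAC-driven routing.
# Added example for this article; not code from the extensions or the report.
import json
import re

WEBREQUEST_PERMS = {"webRequest", "webRequestBlocking", "webRequestAuthProvider"}
# Source indicators assumed from the behaviour the article describes.
SOURCE_PATTERNS = {
    "onAuthRequired_handler": re.compile(r"webRequest\.onAuthRequired"),
    "hardcoded_authCredentials": re.compile(
        r"authCredentials\s*:\s*\{[^}]*password\s*:\s*[\"'][^\"']+[\"']"),
    "pac_script_config": re.compile(r"\bpacScript\b|FindProxyForURL"),
}

def assess_extension(manifest_json: str, sources: dict) -> dict:
    """Return matched indicators and a verdict: allow / review / block."""
    manifest = json.loads(manifest_json)
    perms = set(manifest.get("permissions", []))
    findings = []
    if "proxy" in perms:
        findings.append("proxy_permission")
    if perms & WEBREQUEST_PERMS:
        findings.append("webrequest_permission")
    for fname, code in sources.items():
        for label, pat in SOURCE_PATTERNS.items():
            if pat.search(code):
                findings.append(f"{label}:{fname}")
    labels = {f.split(":")[0] for f in findings}
    # Block when it can reroute traffic AND answer proxy challenges by itself.
    if "proxy_permission" in labels and labels & {
            "hardcoded_authCredentials", "pac_script_config"}:
        verdict = "block"
    elif "proxy_permission" in labels:
        verdict = "review"
    else:
        verdict = "allow"
    return {"name": manifest.get("name"), "findings": findings, "verdict": verdict}

# Constructed sample mimicking the described pattern (placeholder values only).
SUSPECT_MANIFEST = json.dumps({"name": "Speed Test Demo", "manifest_version": 3,
    "permissions": ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
    "host_permissions": ["<all_urls>"]})
SUSPECT_SOURCES = {"background.js": """chrome.webRequest.onAuthRequired.addListener(function (details) {
  return { authCredentials: { username: "PLACEHOLDER", password: "PLACEHOLDER" } };
}, { urls: ["<all_urls>"] }, ["blocking"]);
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: pac } } });
"""}

if __name__ == "__main__":
    print(assess_extension(SUSPECT_MANIFEST, SUSPECT_SOURCES))
```

An extension that only needs the `proxy` permission for a legitimate purpose lands in "review" rather than "block", so the heuristic narrows manual work without silently approving anything proxy-capable.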
