Malicious Chrome and Edge Extensions Infect 2.3 Million Users
By Amar Ćemanović | Cyber Insider
Affected extensions include:
Color Picker, Eyedropper — Geco colorpick
Video Speed Controller — Video manager
Unlock Discord — VPN Proxy
Dark Theme — Dark Reader
Volume Max — Ultimate Sound Booster
Emoji Keyboard Online
Unblock TikTok
Unlock YouTube VPN
What does the malware do?
A major malware campaign called the RedDirection campaign has infected over 2.3 million users of Google Chrome and Microsoft Edge through 18 seemingly legitimate browser extensions, including those listed above.
"The campaign was uncovered by Koi Security during an investigation into a single extension, “Color Picker, Eyedropper — Geco colorpick.” Researchers discovered that although the tool functioned as advertised, it secretly hijacked browser activity, tracked visited websites, and communicated with remote command-and-control (C2) servers. [...]"
"[...] The core functionality of the malware revolves around browser hijacking triggered during tab updates. Embedded scripts in the extensions’ background service workers intercept page visits, send the URLs to remote servers such as admitclick.net, and redirect users based on attacker instructions. This allows for phishing, credential theft, and malware delivery."
So, millions of users have been compromised by these malicious browser extensions that initially appear legitimate but later hijack browsing activity for phishing, data theft and malware delivery. They exploit browser marketplaces and fake software sites to spread widely and evade detection.
What to do if you suspect your extension is a malware?
Well, you gotta uninstall the extensions immediately! Here's the steps:
Remove the Malicious Extensions
Open Chrome or Edge, go to Settings > Extensions.
Enable Developer Mode to see extension IDs if needed.
Locate and remove any suspicious or known malicious extensions, such as those listed in the RedDirection campaign.
Clear Browsing Data
Scan Your System for Malware
Remove Forced Extension Installations (If Applicable)
Some malware sets registry keys to force-install extensions that cannot be removed normally. To fix this:
Create a system restore point first.
Open Registry Editor (press Win+R, type regedit).
Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist for Edge
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist for Chrome.
Delete the ExtensionInstallForcelist key or any suspicious entries within it.
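If you'd rather check a machine before clicking through Settings and regedit by hand, here's a read-only PowerShell audit that covers the two steps above (finding the extensions, and finding forced-install policy entries). This is an added example I wrote for this post; it is not from the Cyber Insider article or from Koi Security. It assumes the usual profile locations under %LOCALAPPDATA% for Chrome and Edge, matches extensions by the names listed above (the article gives no extension IDs, so a name match is only a hint to confirm against the original report), and flags the permission shape the article describes (a background service worker plus tab/navigation access on all sites). It reads the two registry keys named above plus the non-WOW6432Node Chrome key, which I've added as an extra place to look.

```powershell
# Added example (not from the article): read-only audit of Chrome/Edge extensions.
# Nothing here deletes anything; it only reports what to look at.

# Names as listed in the post. IDs are not published here, so this is a hint, not proof.
$SuspectNames = @(
    'Color Picker, Eyedropper — Geco colorpick',
    'Video Speed Controller — Video manager',
    'Unlock Discord — VPN Proxy',
    'Dark Theme — Dark Reader',
    'Volume Max — Ultimate Sound Booster',
    'Emoji Keyboard Online',
    'Unblock TikTok',
    'Unlock YouTube VPN'
)

# The two keys from the post, plus the non-WOW6432Node Chrome key (assumed extra location).
$ForcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

# Manifests often use "__MSG_appName__"; resolve it from the default locale file.
function Resolve-ExtensionName {
    param([string]$Name, [string]$ExtDir, [string]$DefaultLocale)
    if ($Name -notmatch '^__MSG_(.+)__$') { return $Name }
    $key = $Matches[1]
    $msgFile = Join-Path $ExtDir "_locales\$DefaultLocale\messages.json"
    if (-not (Test-Path $msgFile)) { return $Name }
    try {
        $msgs  = Get-Content -Raw -Encoding UTF8 $msgFile | ConvertFrom-Json
        $entry = $msgs.PSObject.Properties[$key]
        if ($entry -and $entry.Value.message) { return $entry.Value.message }
    } catch { }
    return $Name
}

# Heuristic for the shape described in the article: background code + tab/navigation
# access + all-hosts permission. Ad blockers and VPN extensions also look like this,
# so treat a hit as "review me", not "malware".
function Test-HijackShape {
    param($Manifest)
    $bg = $Manifest.background
    $hasBackground = [bool]($bg -and ($bg.service_worker -or $bg.scripts))
    $perms = @(@($Manifest.permissions) + @($Manifest.host_permissions) | Where-Object { $_ })
    $navPerm  = ($perms -contains 'tabs') -or ($perms -contains 'webNavigation')
    $allHosts = [bool]($perms | Where-Object { $_ -match '^(<all_urls>|\*://\*/\*|https?://\*/\*)$' })
    return [bool]($hasBackground -and $navPerm -and $allHosts)
}

function Get-BrowserExtensionAudit {
    $roots = @{
        Chrome = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
        Edge   = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
    }
    foreach ($browser in $roots.Keys) {
        $root = $roots[$browser]
        if (-not (Test-Path $root)) { continue }
        # Profiles ("Default", "Profile 1", ...) each hold Extensions\<id>\<version>\manifest.json
        foreach ($prof in Get-ChildItem -Path $root -Directory) {
            $extRoot = Join-Path $prof.FullName 'Extensions'
            if (-not (Test-Path $extRoot)) { continue }
            foreach ($idDir in Get-ChildItem -Path $extRoot -Directory) {
                foreach ($verDir in Get-ChildItem -Path $idDir.FullName -Directory) {
                    $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                    if (-not (Test-Path $manifestPath)) { continue }
                    try { $m = Get-Content -Raw -Encoding UTF8 $manifestPath | ConvertFrom-Json } catch { continue }
                    $name = Resolve-ExtensionName $m.name $verDir.FullName $m.default_locale
                    [pscustomobject]@{
                        Browser     = $browser
                        Profile     = $prof.Name
                        Id          = $idDir.Name
                        Name        = $name
                        Version     = $m.version
                        NameMatch   = [bool]($SuspectNames | Where-Object { $name -like "*$_*" })
                        HijackShape = Test-HijackShape $m
                        Path        = $verDir.FullName
                    }
                }
            }
        }
    }
}

# Values under ExtensionInstallForcelist look like "1" = "<extension id>;<update url>".
# Anything listed here is policy-installed and cannot be removed from the Extensions page
# until the value is deleted (the manual step described above).
function Get-ForcedExtensionPolicy {
    foreach ($key in $ForcelistKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; ValueName = $_.Name; Entry = $_.Value } }
    }
}

$audit = Get-BrowserExtensionAudit
$audit | Where-Object { $_.NameMatch -or $_.HijackShape } |
    Format-Table Browser, Profile, Id, Name, NameMatch, HijackShape -AutoSize
Get-ForcedExtensionPolicy | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell window for the per-user profile scan; reading HKLM policy keys works unelevated too. On a home PC any entry in the forcelist output is worth a hard look, since nothing should be pushing extensions by policy there; on a work laptop those entries are usually your IT department's, so compare the IDs with them before deleting anything.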