
18 Seemingly Legitimate Browser Extensions Infected in Chrome/Edge

Reposted from the Reclaiming the Internet Forum Post


Malicious Chrome and Edge Extensions Infect 2.3 Million Users

By Amar Ćemanović | Cyber Insider

Affected extensions include:

Color Picker, Eyedropper — Geco colorpick

Video Speed Controller — Video manager

Unlock Discord — VPN Proxy

Dark Theme — Dark Reader

Volume Max — Ultimate Sound Booster

Emoji Keyboard Online

Unblock TikTok

Unlock YouTube VPN

What does the malware do?

A major malware campaign called the RedDirection campaign has infected over 2.3 million users of Google Chrome and Microsoft Edge through these 18 seemingly legitimate browser extensions.

"The campaign was uncovered by Koi Security during an investigation into a single extension, “Color Picker, Eyedropper — Geco colorpick.” Researchers discovered that although the tool functioned as advertised, it secretly hijacked browser activity, tracked visited websites, and communicated with remote command-and-control (C2) servers. [...]"


"[...] The core functionality of the malware revolves around browser hijacking triggered during tab updates. Embedded scripts in the extensions’ background service workers intercept page visits, send the URLs to remote servers such as admitclick.net, and redirect users based on attacker instructions. This allows for phishing, credential theft, and malware delivery."

So, millions of users have been compromised by these malicious browser extensions that initially appear legitimate but later hijack browsing activity for phishing, data theft and malware delivery. They exploit browser marketplaces and fake software sites to spread widely and evade detection.

What to do if you suspect your extension is malware?

Well, you gotta uninstall the extensions immediately! Here are the steps:

Remove the Malicious Extensions

Open Chrome or Edge, go to Settings > Extensions.
Enable Developer Mode to see extension IDs if needed.
Locate and remove any suspicious or known malicious extensions, such as those listed in the RedDirection campaign.

Clear Browsing Data

Scan Your System for Malware

Remove Forced Extension Installations (If Applicable)

Some malware sets registry keys to force-install extensions that cannot be removed normally. To fix this:

Create a system restore point first.

Open Registry Editor (press Win+R, type regedit).

Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist for Edge

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist for Chrome. Delete the ExtensionInstallForcelist key or any suspicious entries within it.

Reboot Your Computer

Monitor Your Accounts
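As an added example (not part of the forum post or the Cyber Insider article), the following read-only PowerShell audit lists every extension ID that Windows policy forces Chrome or Edge to install, covering the two ExtensionInstallForcelist paths named above plus the other standard Chrome/Edge policy locations the browsers honour. The approved-ID list is a placeholder assumption; run it before deleting any key so you know which entries are yours and which are not.

```powershell
# Added audit helper; deletes nothing, only reports forced-install entries.
# Paths named in the post plus the non-WOW6432Node HKLM and HKCU policy paths,
# which Chrome and Edge also read.
$forcelistKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\WOW6432Node\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
)

# Placeholder allow-list (assumption): IDs you deliberately deploy.
$approvedIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')

# Official store update URLs; a forced entry can still be malicious even when
# it points here (the RedDirection extensions were listed on the stores), so
# the allow-list, not the URL, is the real check.
$storeUrlPattern = '^https://(clients2\.google\.com/service/update2/crx|edge\.microsoft\.com/extensionwebstorebase/v1/crx)'

function Get-ForcedExtension {
    foreach ($key in $forcelistKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Each value is "extension_id;update_url"; the URL part may be omitted,
            # in which case the browser falls back to its own store.
            $raw = [string]$item.GetValue($name)
            $id, $updateUrl = $raw -split ';', 2
            [pscustomobject]@{
                Key       = $key
                ValueName = $name
                Id        = $id
                UpdateUrl = $updateUrl
                Approved  = ($approvedIds -contains $id)
                FromStore = ([string]::IsNullOrEmpty($updateUrl) -or $updateUrl -match $storeUrlPattern)
            }
        }
    }
}

$forced = @(Get-ForcedExtension)
if ($forced.Count -eq 0) {
    Write-Host 'No forced-install extension policies found.'
} else {
    $forced | Format-Table -AutoSize
    $forced | Where-Object { -not $_.Approved } | ForEach-Object {
        Write-Warning "Unapproved forced extension $($_.Id) in $($_.Key) (update URL: $($_.UpdateUrl))"
    }
}
```

Any entry flagged as unapproved, and especially one whose update URL is not an official store, is the one to remove in the registry step above; on a domain-joined machine, check whether Group Policy re-applies it before concluding the machine is clean.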


Reply by arc0

Unfortunate, but safe browsing would solve these issues, especially using browsers that respect your privacy and security!