- Malicious Google Chrome Extensions “Phantom Shuttle” Secretly Rerouted Traffic Through Attacker-Controlled Proxies
- Extensions targeted Chinese users and obtained credentials from 170 high-value domains
- Google removed plugins; experts warn that browser add-ons remain a major security risk
Security researchers recently discovered that two extensions to the Google Chrome browser were redirecting valuable traffic through compromised proxies, thereby sharing sensitive information with malicious third parties.
Socket said it found two extensions in the Chrome Web Store, called ‘Phantom Shuttle’. On the surface, these were advertised as plugins for a proxy service that allows users to proxy traffic and test network speeds, and were mainly targeted at Chinese users such as foreign trade workers who need to test connectivity from different locations in the country.
The plugins, which were first uploaded to the store back in 2017, even came with a price tag — a monthly subscription that costs anywhere between $1.40 and $13.60.
Removed from repository
In addition to doing what it said it would do, Phantom Shuttle also routed the user’s web traffic through proxies owned by the threat actor, allowing them to capture login credentials, payment card information, personal information, and more.
However, it did not redirect all traffic. Instead, it watched for around 170 high-value domains, such as developer platforms, cloud service consoles, social media and adult content portals, so that only valuable information was picked up.
Local networks and C2 domains were excluded from the list so that the plugins would not trigger any alerts. Google has since removed both extensions from the app store, and searching for ‘Phantom Shuttle’ returns no results.
The Internet browser is the most important piece of software on any modern computer and as such is a major target for cybercriminals. While most browsers in use today are relatively secure (Chrome, for example, had only eight zero-day vulnerabilities so far in 2025), add-ons are something of a weak point that allows creative crooks to sneak malicious code into the program.
This is why users are advised to be extra careful when downloading and installing plugins or extensions to their browsers.
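An extension that changes Chrome's proxy settings has to declare the `proxy` permission in its manifest, so one practical check is to list which installed extensions hold it. The script below is an added example, not code from Socket or from the article; it assumes the usual `Extensions/<id>/<version>/manifest.json` layout of a Chrome profile, and the reason strings and function names are its own.

```python
import json
from pathlib import Path

# Chrome manifest permission names (real); the grouping is this example's own.
PROXY_PERMS = {"proxy"}
REQUEST_PERMS = {"webRequest", "webRequestBlocking", "webRequestAuthProvider"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")


def assess_manifest(manifest: dict) -> list[str]:
    """Return the reasons a parsed manifest.json deserves manual review."""
    declared = set()
    for key in PERMISSION_KEYS:
        values = manifest.get(key, [])
        if isinstance(values, list):
            # Old manifests may contain object entries; only strings matter here.
            declared.update(v for v in values if isinstance(v, str))
    if not declared & PROXY_PERMS:
        return []
    reasons = ["can change browser proxy settings"]
    if declared & REQUEST_PERMS:
        reasons.append("can observe web requests or answer proxy auth")
    if declared & BROAD_HOSTS:
        reasons.append("has access to all sites")
    return reasons


def audit_extensions(root: Path) -> dict[str, list[str]]:
    """Scan <root>/<extension id>/<version>/manifest.json; map id -> reasons."""
    findings = {}
    for path in sorted(root.glob("*/*/manifest.json")):
        ext_id = path.parts[-3]
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            findings[ext_id] = ["manifest unreadable"]
            continue
        reasons = assess_manifest(manifest)
        if reasons:
            findings[ext_id] = reasons
    return findings


if __name__ == "__main__":
    import sys
    # Assumption: argv[1] is a profile's Extensions directory.
    for ext_id, reasons in audit_extensions(Path(sys.argv[1])).items():
        print(ext_id, "; ".join(reasons))
```

A hit is a prompt for review, not proof of malice: legitimate proxy and VPN add-ons declare the same permission.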
Via Bleeping Computer



