11 Google-Verified Chrome Extensions Infected Over 1.7 Million Users
A chilling discovery by Koi Security has exposed a sophisticated browser hijacking campaign dubbed “RedDirection,” compromising over 1.7 million users through 11 Google-verified Chrome extensions.
The operation also extends to Microsoft Edge through additional extensions, bringing the total to 2.3 million infections across both platforms. It exploited trust signals such as verification badges, featured placements, and high install counts to distribute malware disguised as legitimate productivity and entertainment tools.
Unveiling the RedDirection Campaign
Extensions such as “Color Picker, Eyedropper Geco colorpick,” “Video Speed Controller,” and “Emoji keyboard online” were among the culprits, delivering promised functionality while secretly embedding surveillance and redirection mechanisms.

The RedDirection campaign stands out due to its deceptive strategy of remaining benign for years before introducing malicious code via silent updates, a tactic that evaded scrutiny from both Google and Microsoft’s extension marketplaces.
These updates, installed automatically without any user intervention, turned trusted tools into surveillance platforms that tracked every website visit, captured URLs, and redirected users to fraudulent pages via command-and-control (C2) infrastructure such as admitclick.net and click.videocontrolls.com.
Sophisticated Malware Deployment
Koi Security’s investigation revealed that the malware activates on every tab update, sending sensitive browsing data to remote servers and creating the conditions for man-in-the-middle attacks.
This could lead to devastating scenarios, such as users being redirected to fake banking or Zoom update pages, where they unwittingly hand over credentials or install further malware.
The campaign’s ability to weaponize trust signals such as Google’s verified badges and over 100,000 installs per extension highlights a critical supply chain failure in marketplace security.
The verification processes, designed for scale rather than rigorous scrutiny, not only failed to detect the malware but also amplified its reach through featured promotions.
What makes this threat even more alarming is the diversity of the extensions involved, spanning categories like weather forecasts, dark themes, volume boosters, and VPN proxies for platforms like Discord and TikTok.
Each extension operated with its own C2 subdomain, masking the connection between the extensions and a centralized attack infrastructure.
This cross-platform operation underscores systemic vulnerabilities in how browser marketplaces handle extension updates and vetting, turning trusted ecosystems into distribution channels for sophisticated malware.
Koi Security warns that this isn’t an isolated incident but a watershed moment exposing the broken security model of current marketplaces, urging immediate user action to uninstall affected extensions, clear browser data, and run malware scans.
As threat actors learn to exploit dormant infrastructure over extended periods, robust governance and visibility into third-party code become paramount, a gap Koi Security aims to address with its platform for enterprise and practitioner security.
Indicators of Compromise (IOCs)
| Category | Indicator |
|---|---|
| Chrome Extension IDs | kgmeffmlnkfnjpgmdndccklfigfhajen, dpdibkjjgbaadnnjhkmmnenkmbnhpobj, gaiceihehajjahakcglkhmdbbdclbnlf, mlgbkfnjdmaoldgagamcnommbbnhfnhf, eckokfcjbjbgjifpcbdmengnabecdakp, mgbhdehiapbjamfgekfpebmhmnmcmemg, cbajickflblmpjodnjoldpiicfmecmif, pdbfcnhlobhoahcamoefbfodpmklgmjm, eokjikchkppnkdipbiggnmlkahcdkikp, ihbiedpeaicgipncdnnkikeehnjiddck |
| Network Indicators | admitab[.]com, edmitab[.]com, click.videocontrolls[.]com, c.undiscord[.]com, click.darktheme[.]net, c.jermikro[.]com, c.untwitter[.]com, c.unyoutube[.]net, admitclick[.]net, addmitad[.]com, admiitad[.]com, abmitab[.]com, admitlink[.]net |
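The IoCs above are only useful once they are turned into a check. The following Python script is an added example, not code from Koi Security or from the article: it loads the extension IDs and defanged domains exactly as listed in the table, looks for the IDs in a Chrome or Edge profile's Extensions folder (the default profile paths are assumed, and each installed extension sits in a subfolder named after its 32-character ID), and scans proxy log lines for the C2 domains, including any subdomain of a listed domain, which matters because the article notes each extension used its own C2 subdomain. The log lines embedded below are constructed for the demonstration.

```python
"""Defensive triage against the RedDirection IoCs listed in the article.

Two checks: (1) does a Chrome/Edge profile contain any of the listed
extension IDs, and (2) do proxy/DNS log lines reference any of the listed
C2 domains or their subdomains. The sample log below is constructed.
"""
from __future__ import annotations

import re
from pathlib import Path

# Extension IDs exactly as listed in the article's IoC table.
CHROME_EXTENSION_IDS = frozenset({
    "kgmeffmlnkfnjpgmdndccklfigfhajen", "dpdibkjjgbaadnnjhkmmnenkmbnhpobj",
    "gaiceihehajjahakcglkhmdbbdclbnlf", "mlgbkfnjdmaoldgagamcnommbbnhfnhf",
    "eckokfcjbjbgjifpcbdmengnabecdakp", "mgbhdehiapbjamfgekfpebmhmnmcmemg",
    "cbajickflblmpjodnjoldpiicfmecmif", "pdbfcnhlobhoahcamoefbfodpmklgmjm",
    "eokjikchkppnkdipbiggnmlkahcdkikp", "ihbiedpeaicgipncdnnkikeehnjiddck",
})

# Network indicators exactly as listed in the article (defanged with "[.]").
NETWORK_IOCS_DEFANGED = [
    "admitab[.]com", "edmitab[.]com", "click.videocontrolls[.]com",
    "c.undiscord[.]com", "click.darktheme[.]net", "c.jermikro[.]com",
    "c.untwitter[.]com", "c.unyoutube[.]net", "admitclick[.]net",
    "addmitad[.]com", "admiitad[.]com", "abmitab[.]com", "admitlink[.]net",
]


def refang(indicator: str) -> str:
    """Restore a defanged indicator ('x[.]com' -> 'x.com') for matching."""
    return indicator.replace("[.]", ".").lower()


NETWORK_IOCS = frozenset(refang(d) for d in NETWORK_IOCS_DEFANGED)

# Default per-profile Extensions folders (assumed locations for this example),
# relative to the user's home directory; one subfolder per extension ID.
PROFILE_EXTENSION_DIRS = [
    "AppData/Local/Google/Chrome/User Data/Default/Extensions",
    "AppData/Local/Microsoft/Edge/User Data/Default/Extensions",
    "Library/Application Support/Google/Chrome/Default/Extensions",
    "Library/Application Support/Microsoft Edge/Default/Extensions",
    ".config/google-chrome/Default/Extensions",
    ".config/microsoft-edge/Default/Extensions",
]


def installed_extension_ids(extensions_dir: Path) -> set[str]:
    """Return the extension IDs present in one profile's Extensions folder."""
    if not extensions_dir.is_dir():
        return set()
    return {p.name for p in extensions_dir.iterdir() if p.is_dir()}


def find_installed_iocs(installed_ids) -> set[str]:
    """Intersect a collection of installed extension IDs with the IoC list."""
    return set(installed_ids) & CHROME_EXTENSION_IDS


# Hostname-looking tokens: dotted labels ending in an alphabetic TLD.
# Dotted IPv4 addresses do not match because their last label is numeric.
_HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def matched_ioc(host: str) -> str | None:
    """Return the IoC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in NETWORK_IOCS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, matched_ioc, host) for every IoC hit in the log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for host in _HOST_RE.findall(line.lower()):
            ioc = matched_ioc(host)
            if ioc:
                hits.append((lineno, ioc, host))
    return hits


# Constructed proxy log lines for the demonstration; not real traffic.
# Line 4 uses a made-up subdomain of a listed domain to show suffix matching.
SAMPLE_LOG = """\
2025-07-08T10:01:02Z 10.0.0.12 GET https://www.example.com/ 200
2025-07-08T10:01:05Z 10.0.0.12 GET https://click.videocontrolls.com/ 302
2025-07-08T10:01:09Z 10.0.0.17 GET http://c.undiscord.com/ 200
2025-07-08T10:01:11Z 10.0.0.17 GET https://sub.admitab.com/ 200
2025-07-08T10:02:00Z 10.0.0.20 GET https://www.example.org/ 200
"""

if __name__ == "__main__":
    for rel in PROFILE_EXTENSION_DIRS:
        ext_dir = Path.home() / rel
        bad = find_installed_iocs(installed_extension_ids(ext_dir))
        if bad:
            print(f"{ext_dir}: listed extension IDs present: {sorted(bad)}")
    for lineno, ioc, host in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {host} matches IoC {ioc}")
```

Run it as-is to see the three hits in the constructed log; point `scan_log` at a real proxy or DNS export, and add any non-default profile paths to `PROFILE_EXTENSION_DIRS`, to triage a host. Suffix matching on the domain list is deliberate: a hit on an unknown subdomain of a listed domain is still a hit, whereas a lookalike such as `notadmitab.com` is not.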