Verified, featured, and malicious: RedDirection campaign reveals browser marketplace failures


Browser hijacking and phishing risks: According to Koi Security's research, the malicious code was embedded in each extension’s background service worker and used browser APIs to monitor tab activity. Captured data, including URLs and unique tracking IDs, was sent to attacker-controlled servers, which in turn provided redirect instructions. The setup enabled several attack scenarios, including redirection to phishing pages, banking credential theft using cloned login sites, and fake update prompts delivered through hijacked meeting invitations.

“With 2.3 million users under surveillance across 18 different extensions, the campaign creates a massive persistent man-in-the-middle capability that can be exploited at any moment,” said Dardikman.

Centralized infrastructure across platforms: The campaign spanned both Chrome and Edge, with each extension linked to its own command-and-control subdomain to create the appearance of separate actors. Researchers noted that all extensions were ultimately connected to a single coordinated network. Several extensions had also gained featured or verified status in both marketplaces, raising further concerns about the platforms’ screening processes.

Koi Security recommends that affected users uninstall the extensions immediately, clear browser data to remove tracking identifiers, run a full malware scan, and monitor online accounts for unusual activity. A full review of installed extensions is also advised.

The known malicious extensions include “Color Picker, Eyedropper, Geco colorpick,” “VPN Proxy to Unblock Discord Anywhere,” “Emoji keyboard online, copy&paste your emoji,” “Free Weather Forecast,” “Unlock Discord,” “Dark Theme, Dark Reader for Chrome,” “Volume Max, Ultimate Sound Booster,” “Unblock TikTok, Seamless Access with One-Click Proxy,” “Unlock YouTube VPN,” “Unlock TikTok,” and “Weather.”
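The behaviour described above (a background service worker that watches tab navigation, reports the URL and a stored tracking ID to a remote server, and can redirect the tab on command) maps onto a small, recognisable set of extension API calls and permissions. The following audit script is an added example written for this page, not Koi Security's tooling or the article's own code: it walks a directory of unpacked extensions, reads each manifest.json and the service worker it names, and flags extensions in which the full watch-report-redirect chain is present, which is a practical way to do the "full review of installed extensions" the researchers recommend. The indicator patterns, the risk scoring, the sample manifests and the fragmentary sample worker source (using the reserved `.invalid` domain) are all constructed for this example.

```python
"""Heuristic audit of unpacked browser extensions for a RedDirection-style
watch-report-redirect chain. Added example; not Koi Security's code.
Indicator patterns, sample manifests and sample worker text are constructed."""
import json
import os
import re
from typing import Dict, List

# Extension-API call patterns for each stage described in the report.
INDICATORS = {
    "watches_tabs": re.compile(
        r"chrome\.tabs\.onUpdated\.addListener|chrome\.webNavigation\.on\w+\.addListener"),
    "contacts_remote": re.compile(r"\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon"),
    "redirects_tab": re.compile(r"chrome\.tabs\.update\s*\("),
    "persists_tracking_id": re.compile(r"chrome\.storage\.(local|sync)\.set\s*\("),
}
# Permissions that make those calls possible on arbitrary sites.
SENSITIVE_PERMISSIONS = {"tabs", "webNavigation", "<all_urls>", "storage"}
HOST_RE = re.compile(r"https?://([\w.-]+)")


def assess_extension(manifest: Dict, background_source: str) -> Dict:
    """Score one extension from its manifest and background script text."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky_perms = sorted(perms & SENSITIVE_PERMISSIONS)
    findings: List[str] = []
    if risky_perms:
        findings.append("sensitive permissions: " + ", ".join(risky_perms))
    if "service_worker" in manifest.get("background", {}):
        findings.append("background service worker present")
    hits = {name: bool(rx.search(background_source)) for name, rx in INDICATORS.items()}
    findings += [name for name, hit in hits.items() if hit]
    # Hosts the worker talks to; useful for blocking and for log correlation.
    remote_hosts = sorted(set(HOST_RE.findall(background_source)))
    # The complete chain from the report: watch tabs, phone home, redirect on command.
    full_chain = hits["watches_tabs"] and hits["contacts_remote"] and hits["redirects_tab"]
    if full_chain:
        verdict = "high"
    elif any(hits.values()) and risky_perms:
        verdict = "medium"
    else:
        verdict = "low"
    return {"name": manifest.get("name", "<unnamed>"), "verdict": verdict,
            "findings": findings, "remote_hosts": remote_hosts}


def scan_unpacked_dir(root: str) -> List[Dict]:
    """Assess every unpacked extension (a folder holding manifest.json) under root."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        with open(os.path.join(dirpath, "manifest.json"), encoding="utf-8") as f:
            manifest = json.load(f)
        worker = manifest.get("background", {}).get("service_worker")
        source = ""
        if worker and os.path.isfile(os.path.join(dirpath, worker)):
            with open(os.path.join(dirpath, worker), encoding="utf-8", errors="replace") as f:
                source = f.read()
        results.append(assess_extension(manifest, source))
    return results


# Constructed fixtures: one extension showing the reported chain, one benign one.
SAMPLE_MANIFEST = {
    "name": "Colour picker (constructed sample)", "manifest_version": 3,
    "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "background.js"},
}
# Deliberately non-functional fragments: only the API shapes the scanner looks for.
SAMPLE_WORKER = """
chrome.storage.local.set({ uid: trackingId });
chrome.tabs.onUpdated.addListener(handleNavigation);
fetch("https://c2.example.invalid/report");
chrome.tabs.update(tabId, { url: target });
"""
BENIGN_MANIFEST = {"name": "Colour picker (benign sample)", "manifest_version": 3,
                   "permissions": ["activeTab"]}
BENIGN_WORKER = ""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        reports = scan_unpacked_dir(sys.argv[1])
    else:
        reports = [assess_extension(SAMPLE_MANIFEST, SAMPLE_WORKER),
                   assess_extension(BENIGN_MANIFEST, BENIGN_WORKER)]
    for report in reports:
        print(json.dumps(report, indent=2))
```

Run it with the path of a browser profile's extension folder (for Chrome on Linux, typically `~/.config/google-chrome/Default/Extensions`) to get one report per installed extension; without an argument it assesses the two built-in fixtures. A "high" verdict is a starting point for manual review rather than proof of malice, since legitimate extensions such as URL rewriters use the same APIs; the `remote_hosts` list is the part worth checking against the extension's stated purpose and against proxy or DNS logs.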

Marketplace gaps and long-term risks: The incident underscores systemic weaknesses in browser extension governance. Google and Microsoft’s verification processes failed to detect the malware, even as some of the extensions received promotional placement and trust badges.

“Attackers have successfully exploited every trust signal users rely on: verification badges, install counts, featured placement, years of legitimate operation, and positive reviews,” said Dardikman. “These credibility mechanisms were turned against the users.”

Chauhan added that platform-level changes are necessary. “Static analysis and manual reviews can’t keep up with today’s threats. To prevent similar campaigns, Google and Microsoft must invest in dynamic analysis, real-time extension monitoring, and more transparent update processes. Strengthening these areas is essential to restoring user trust.”

A broader security wake-up call: Researchers describe the campaign as a turning point for browser security. Rather than relying on quick-win attacks, the threat actors behind RedDirection developed a patient, long-game infrastructure, allowing them to slip under detection for years before activating the malware.

The timing is also notable. The exposure of the campaign comes just days after MITRE added “IDE Extensions” as a new category in its ATT&CK framework, drawing attention to growing threats within third-party software ecosystems.

“If browser extensions that pass every trust test can flip into malware overnight, the security model for managing them needs to change,” Dardikman said in the blog post.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4019477/verified-featured-and-malicious-reddirection-campaign-reveals-browser-marketplace-failures.html
