The browser extension ecosystem just experienced one of its most sophisticated attacks to date. What began as the discovery of a single malicious extension by Koi Security has grown into a much broader picture of the RedDirection campaign. New evidence uncovered by Spin.AI reveals the true scope of this browser-based attack and shows why organizations need dedicated tooling to protect themselves.

The Initial Discovery: A Single Extension Reveals a Massive Campaign

The investigation began with what seemed like a routine analysis of a “verified” malicious extension called “Color Picker, Eyedropper – Geco colorpick.” That single discovery turned out to be the tip of the iceberg: the research uncovered the RedDirection campaign, a cross-platform network of 18 malicious extensions spanning both the Chrome Web Store and the Microsoft Edge Add-ons store, affecting over 2.3 million users.

RedDirection’s Approach

The attackers showed considerable sophistication. Rather than shipping obviously malicious software, they built extensions that masqueraded as popular productivity and entertainment tools: emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers. These extensions delivered their advertised functionality while secretly implementing browser surveillance and hijacking capabilities.

Impact Summary

The RedDirection campaign compromised legitimate browser extensions by injecting malicious code through routine updates. Because browsers install extension updates automatically and silently, the malicious versions reached millions of users without any user action, bypassing the scrutiny a fresh install would have received. The malware built a comprehensive hijacking system that intercepted web traffic, redirected users to attacker-controlled sites, and spread its command-and-control traffic across a set of look-alike domains and subdomains (listed under Indicators of Compromise at the end of this article) to mask the centralized operation.
This infrastructure enabled large-scale credential theft through fake banking pages, malware distribution via fake updates, and continuous monitoring of sensitive user data across millions of infected browsers.

Perhaps most concerning was how these extensions exploited every trust signal users typically rely on. Many carried Google’s verified badge and accumulated high install counts, with one exceeding 100,000 users and garnering over 800 positive reviews. Some even secured featured placement in the Chrome Web Store and the Microsoft Edge Add-ons store.

Spin.AI’s Research Reveals True Scale of Attack

While the initial findings were alarming, Spin.AI’s analysis showed that the attack’s true magnitude was far larger than first thought. Using Spin.AI’s proprietary threat intelligence on applications and extensions, our researchers cross-referenced the previously published Indicators of Compromise (IOCs) against that data set.

The analysis revealed an additional 18 malicious Chrome extensions, affecting approximately 14 million users, roughly six times the 2.3 million users covered by the initial discovery.

This discovery wasn’t accidental. Spin.AI maintains one of the industry’s most comprehensive threat intelligence compilations of business applications and browser extensions, continuously monitoring for new security threats and suspicious patterns.
When the RedDirection IOCs were published, Spin researchers correlated these indicators against that data, revealing connections and patterns in additional extensions that might otherwise have remained hidden.

The additional malicious extensions identified by Spin.AI included popular tools such as:

- 2048 Game
- Adblock Unlimited
- Image Downloader
- Super Mario Bros Game
- Video downloader
- Screen Capture
- Multi Chat – Messenger for WhatsApp
- Dark Mode for Chrome
- Auto HD & Additions for Youtube

[Scroll to the bottom for the complete list of newly discovered malicious extensions, with extension IDs, compromised and patched versions, dates and IOCs.]

Combined with the initial findings, the RedDirection campaign ultimately comprised 36 unique malicious extensions, affecting approximately 16.5 million users worldwide.

The Broader Implications: Systemic Marketplace Failures

The RedDirection campaign exposes fundamental weaknesses in how major technology companies secure their extension marketplaces. Despite their verification processes, both Google and Microsoft failed to stop these threats, allowing millions of users to be compromised. This failure highlights several critical issues.

Verification Process Limitations

Current marketplace verification concentrates on reviewing the initial submission rather than continuously monitoring what each update actually does once installed. The RedDirection attackers exploited this by introducing malicious code through updates to previously legitimate extensions.

Trust Signal Exploitation

The campaign demonstrated how attackers can systematically exploit every trust signal users rely on: verification badges, high install counts, positive reviews, and marketplace featuring. Current trust indicators are therefore insufficient for identifying well-resourced threats; a badge or install count says nothing about what the latest update does.

Security Blind Spot Amid Vast Threat Landscape

The automatic, silent installation of extension updates creates a massive attack surface that threat actors are increasingly exploiting.
Users have limited visibility into what changes when an extension updates, which creates opportunities for malicious code injection.

Detection and Response Delays

The 98-day average time to patch or remove a malicious extension (computed from the table at the end of this article, across the 17 newly identified extensions with a recorded patch date) indicates that current threat detection and response mechanisms are inadequate for the scale and sophistication of modern attacks.

The Extended Risk Window: Why Patching Delays Matter

Almost all of the identified malicious extensions have since been updated with cleaned versions (the table below records no patch date or patched version for PiP (Picture in picture)), but the timeline reveals a critical weakness in the extension ecosystem. On average, it took nearly 98 days (over three months) for these malicious versions to be patched or removed from the Chrome Web Store, and in the worst case (Mute Tab) 292 days.

This extended timeline created significant risk windows for organizations.

Data Exposure Risks

During the months between the malicious update and the cleaned release, affected users were continuously monitored. Every website visit, every login attempt, and every access to a sensitive business application could have been captured and transmitted to the attackers.

Credential Compromise

The traffic-interception capabilities put the extension in a man-in-the-browser position: an extension with broad host permissions can read and modify page content and requests after TLS has been terminated, so any authentication performed during the exposure period could have been intercepted. This includes not just personal accounts but critical business systems, cloud services, and administrative interfaces.

Network Infiltration

For enterprise users, compromised browser extensions can serve as initial access vectors for broader network attacks. Attackers could use hijacked browsers to probe internal systems, steal session tokens, or launch targeted attacks against business applications.

Compliance Implications

Organizations in regulated industries may face compliance challenges if sensitive data was accessed or transmitted during the exposure period.
The extended timeline means that forensic investigations may be required to determine the full scope of potential data exposure.

Recommendations and Best Practices

The RedDirection campaign provides crucial lessons for both individual users and organizations. Here are our key recommendations.

Implement Comprehensive Extension Auditing

If you are not using a continuous monitoring tool to automatically gain visibility into deployed extensions and their associated risk levels, you can perform manual audits and research associated risks using Spin.AI’s Free Risk Assessment for the apps or extensions your team is using.

- Maintain an inventory of all browser extensions used within your organization, keyed by extension ID and installed version rather than display name alone (names are easy to imitate; the ID is what the table below keys on).
- Regularly audit that inventory against known threat databases.
- Establish approval processes for new extension installations.
- Monitor extension update patterns for suspicious changes, such as newly requested host permissions or a previously benign extension starting to contact unfamiliar domains.

Deploy Specialized Security Tools

- Use platforms such as Spin.AI that maintain comprehensive application and extension databases.
- Implement real-time monitoring for suspicious browser behaviors.
- Establish automated alerting for newly identified threats.
- Consider browser isolation technologies for high-risk users.

Conduct Forensic Investigations

If your organization used any of the identified extensions during their malicious periods (the compromised versions and dates are listed in the table below), perform a comprehensive forensic investigation to:

- Identify potentially compromised accounts and systems.
- Review access logs for unusual patterns.
- Reset credentials for affected users and revoke their active sessions and tokens, since a password reset does not necessarily invalidate a session token that was already stolen.
- Monitor for ongoing compromise indicators, including outbound connections to the command and control domains listed below.

Establish Response Protocols

- Develop incident response procedures specifically for browser extension compromises.
- Create communication plans for notifying affected users.
- Establish relationships with security research organizations.
- Plan for rapid extension removal and user remediation.

Moving Forward: The Need for Specialized Security Solutions Like SpinCRX

The RedDirection campaign demonstrates that traditional security approaches are insufficient for protecting against modern browser extension threats. Organizations need specialized solutions that can:

- Maintain comprehensive databases of applications and extensions.
- Provide real-time threat correlation and analysis.
- Offer rapid response capabilities when new threats emerge.
- Deliver business-focused risk assessments and remediation guidance.

Spin.AI’s ability to uncover roughly six times as many victims as the initial discovery illustrates the value of embedded research capabilities and broader threat intelligence. As browser extensions become increasingly central to business workflows, they bring a crucial challenge for enterprise security teams: the scale and complexity of modern application ecosystems make manual monitoring nearly impossible. Organizations need to invest in security solutions that match the sophistication and scale of modern attackers.

That’s why Spin.AI is releasing SpinCRX, a newly developed continuous monitoring solution for browser security that provides risk assessment, app and extension discovery and management, and a streamlined, risk-based approval process for end users.

Comprehensive Coverage

Spin.AI tracks hundreds of thousands of applications and extensions across multiple platforms, maintaining detailed security profiles and behavioral analytics for each. This coverage means that when a new threat emerges, related risks can be identified across the entire ecosystem. Further, every released version is analyzed separately, which supports investigations like this one, where past versions of an app or extension may have compromised an organization’s environment for a period of time without its knowledge.
This is also extremely helpful for identifying instances where unpatched versions of malicious extensions are still running in an organization’s environment.

Advanced Correlation Capabilities

When security researchers identify new IOCs, our solution cross-references these indicators against our entire database. This capability enabled us to uncover the additional 14 million affected users in the RedDirection campaign, victims that might have remained undetected using traditional security approaches.

Business-Focused Risk Assessment

Unlike consumer-focused security tools, SpinCRX is designed specifically for enterprise environments. We understand which applications and extensions are commonly used in business settings and can provide targeted risk assessments.

The browser extension ecosystem will continue to be a prime target for cybercriminals. Only through comprehensive monitoring, advanced threat correlation, and rapid response capabilities can organizations protect themselves against the next generation of browser-based attacks.

Newly Discovered Malicious Extensions

All listed extensions are for the Chrome browser. Dates are YYYY-MM-DD. “Days compromised” is the number of days between the date of compromise and the date of patch; “Patched version” is the version recorded as no longer carrying the malicious code. N/A means no patch had been recorded at the time of writing.

| Extension name | Extension ID | Compromised versions | Date of compromise | Date of patch | User count | Patched version | Discovered by | Days compromised |
|---|---|---|---|---|---|---|---|---|
| 2048 Game | iabflonngmpkalkpbjonemaamlgdghea | 1.3.7, 1.3.6, 1.3.5 | 2024-04-18 | 2024-07-24 | 1,000,000 | 1.3.9 | Spin.AI | 97 |
| Adblock Unlimited – Adblocker | jiaopkfkampgnnkckajcbdgannoipcne | 1.0.7 | 2024-07-05 | 2024-11-06 | 90,000 | 1.0.8 | Spin.AI | 124 |
| Image Downloader – Save pictures | daeljdgmllhgmbdkpgnaojldjkdgkbjg | 1.2.3, 1.2.2, 1.2.1 | 2024-05-07 | 2024-07-10 | 200,000 | 1.2.4 | Spin.AI | 64 |
| Web Music Downloader | dmbjkidogjmmlejdmnecpmfapdmidfjg | 1.1.4 | 2024-05-08 | 2024-07-16 | 500,000 | 1.1.5 | Spin.AI | 69 |
| Super Mario Bros Game | pegfdldddiilihjahcpdehhhfcbibipg | 1.0.4, 1.0.3 | 2024-05-08 | 2024-07-29 | 200,000 | 1.0.5 | Spin.AI | 82 |
| Video downloader – download any video | kfpgookelklhphhnihipmknjdgbeecgj | 0.4.4 | 2024-05-18 | 2024-07-09 | 1,000,000 | 0.4.6 | Spin.AI | 52 |
| Screen Capture | pmnphobdokkajkpbkajlaiooipfcpgio | 1.0.21, 1.0.19 | 2024-05-25 | 2024-07-21 | 700,000 | 1.0.22 | Spin.AI | 57 |
| Dictionary all over with Synonyms | ahjhlnckcgnoikkfkfnkbfengklhglpg | 0.1.5.4 | 2024-05-25 | 2024-07-29 | 400,000 | 0.1.5.5 | Spin.AI | 65 |
| Multi Chat – Messenger for WhatsApp | dllplfhjknghhdneiblmkolbjappecbe | 1.1.12, 1.1.11 | 2024-06-22 | 2024-07-22 | 2,000,000 | 1.1.13 | Spin.AI | 30 |
| Video Downloader Online | jglemppahimembneahjbkhjknnefeeio | 1.2.10 | 2024-05-24 | 2024-07-25 | 700,000 | 1.2.11 | Spin.AI | 62 |
| PiP (Picture in picture) | nalkmonnmldhpfcpdlbdpljlaajlaphh | 1.6.1, 1.6.0, 1.5.9 | 2024-06-03 | N/A | 800,000 | N/A | Spin.AI | N/A |
| Mute Tab- Silent in a click | inhefjomnpfkkegfklclbjhkifmpkkmn | 0.8.5, 0.8.4, 0.8.3 | 2024-05-29 | 2025-03-17 | 30,000 | 0.8.7 | Spin.AI | 292 |
| Dark Mode for Chrome | jhhjdfldilccfllhlbjdlhknlfbhpgeg | 2.32 | 2024-06-13 | 2024-12-24 | 4,000,000 | 2.33 | Spin.AI | 194 |
| Good Video Downloader | mhpcabliilgadobjpkameggapnpeppdg | 1.7 | 2024-06-13 | 2024-07-31 | 400,000 | 1.8 | Spin.AI | 48 |
| Flash Player Enabler | eplfglplnlljjpeiccbgnijecmkeimed | 1.0.5 | 2024-06-19 | 2024-07-02 | 300,000 | 1.0.6 | Spin.AI | 13 |
| Auto HD & Additions for Youtube | lagdcjmbchphhndlbpfajelapcodekll | 1.4.2, 1.4.1 | 2024-01-06 | 2024-08-07 | 800,000 | 1.4.3 | Spin.AI | 214 |
| What Font – find font | acpcapnaopbhbelhmbbmppghilclpkep | 5.4.4 | 2024-07-09 | 2024-08-03 | 1,000,000 | 5.4.5 | Spin.AI | 25 |
| Floating Video with Playback Controls | pnanegnllonoiklmmlegcaajoicfifcm | 1.7 | 2024-07-31 | 2025-01-21 | 80,000 | 1.8 | Spin.AI | 174 |

Indicators of Compromise

Command and Control Infrastructure (domains defanged with [.]):

admitab[.]com
edmitab[.]com
click.videocontrolls[.]com
c.undiscord[.]com
click.darktheme[.]net
c.jermikro[.]com
c.untwitter[.]com
c.unyoutube[.]net
admitclick[.]net
addmitad[.]com
admiitad[.]com
abmitab[.]com
admitlink[.]net
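As an added example for this article (not Spin.AI’s tooling, and not code from any of the extensions above), the following Python script carries out the inventory-and-audit steps from the Recommendations section against the table and IOC list above. It walks a Chrome profile’s Extensions directory, takes each installed extension’s ID and version from the folder layout and its display name from manifest.json, classifies the install against the compromised and patched versions in the table (including the PiP case, where no patch is recorded), and searches the unpacked extension files for literal occurrences of the command and control domains. The extension IDs, versions and domains are copied from this page; the profile it audits is constructed in a temporary directory, the fetch to admitab.com placed in the constructed “2048 Game” folder is made up to exercise the scan and is not the real extension’s code, and the all-“a” extension ID and PiP version 1.6.2 are hypothetical.

```python
"""Audit a Chrome profile's Extensions/ folder against the RedDirection table.
Added example for this article, not Spin.AI's tooling. Extension IDs, versions and
C2 domains are copied from the table and IOC list on this page; the sample profile
built by build_sample_profile() is constructed for the demonstration."""
import json
import os
import re
import tempfile

# id -> (versions the table lists as compromised, version recorded as patched or None)
REDDIRECTION = {
    "iabflonngmpkalkpbjonemaamlgdghea": ({"1.3.5", "1.3.6", "1.3.7"}, "1.3.9"),   # 2048 Game
    "jiaopkfkampgnnkckajcbdgannoipcne": ({"1.0.7"}, "1.0.8"),                    # Adblock Unlimited
    "daeljdgmllhgmbdkpgnaojldjkdgkbjg": ({"1.2.1", "1.2.2", "1.2.3"}, "1.2.4"),   # Image Downloader
    "dmbjkidogjmmlejdmnecpmfapdmidfjg": ({"1.1.4"}, "1.1.5"),                    # Web Music Downloader
    "pegfdldddiilihjahcpdehhhfcbibipg": ({"1.0.3", "1.0.4"}, "1.0.5"),           # Super Mario Bros Game
    "kfpgookelklhphhnihipmknjdgbeecgj": ({"0.4.4"}, "0.4.6"),                    # Video downloader
    "pmnphobdokkajkpbkajlaiooipfcpgio": ({"1.0.19", "1.0.21"}, "1.0.22"),        # Screen Capture
    "ahjhlnckcgnoikkfkfnkbfengklhglpg": ({"0.1.5.4"}, "0.1.5.5"),                # Dictionary all over
    "dllplfhjknghhdneiblmkolbjappecbe": ({"1.1.11", "1.1.12"}, "1.1.13"),        # Multi Chat
    "jglemppahimembneahjbkhjknnefeeio": ({"1.2.10"}, "1.2.11"),                  # Video Downloader Online
    "nalkmonnmldhpfcpdlbdpljlaajlaphh": ({"1.5.9", "1.6.0", "1.6.1"}, None),     # PiP: no patch recorded
    "inhefjomnpfkkegfklclbjhkifmpkkmn": ({"0.8.3", "0.8.4", "0.8.5"}, "0.8.7"),  # Mute Tab
    "jhhjdfldilccfllhlbjdlhknlfbhpgeg": ({"2.32"}, "2.33"),                      # Dark Mode for Chrome
    "mhpcabliilgadobjpkameggapnpeppdg": ({"1.7"}, "1.8"),                        # Good Video Downloader
    "eplfglplnlljjpeiccbgnijecmkeimed": ({"1.0.5"}, "1.0.6"),                    # Flash Player Enabler
    "lagdcjmbchphhndlbpfajelapcodekll": ({"1.4.1", "1.4.2"}, "1.4.3"),           # Auto HD & Additions
    "acpcapnaopbhbelhmbbmppghilclpkep": ({"5.4.4"}, "5.4.5"),                    # What Font
    "pnanegnllonoiklmmlegcaajoicfifcm": ({"1.7"}, "1.8"),                        # Floating Video
}
C2_DOMAINS = ["admitab.com", "edmitab.com", "click.videocontrolls.com", "c.undiscord.com",
              "click.darktheme.net", "c.jermikro.com", "c.untwitter.com", "c.unyoutube.net",
              "admitclick.net", "addmitad.com", "admiitad.com", "abmitab.com", "admitlink.net"]
C2_RE = re.compile("|".join(re.escape(d) for d in C2_DOMAINS))


def parse_version(v):
    """Chrome versions are dotted integers ("0.1.5.4"); a non-numeric part sorts as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def classify(ext_id, version):
    if ext_id not in REDDIRECTION:
        return "unknown"            # not part of this campaign's table
    bad, fixed = REDDIRECTION[ext_id]
    if version in bad:
        return "compromised"        # a version the table lists as malicious
    if fixed is None:
        return "no-patch-recorded"  # PiP: table shows N/A, so remove whatever the version
    if parse_version(version) >= parse_version(fixed):
        return "patched"
    return "review"                 # listed family, version not in the table (e.g. 1.3.8)


def scan_for_c2(ext_dir):
    """Return the C2 domains that appear literally in the unpacked extension's files."""
    hits = set()
    for root, _, files in os.walk(ext_dir):
        for name in files:
            if name.endswith((".js", ".json", ".html")):
                with open(os.path.join(root, name), encoding="utf-8", errors="ignore") as fh:
                    hits.update(C2_RE.findall(fh.read()))
    return sorted(hits)


def audit_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>_<n>/ and classify each installed version."""
    findings = []
    ext_root = os.path.join(profile_dir, "Extensions")
    for ext_id in sorted(os.listdir(ext_root)):
        for ver_dir in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            path = os.path.join(ext_root, ext_id, ver_dir)
            version = ver_dir.split("_")[0]   # Chrome names the folder "<version>_<n>"
            try:
                with open(os.path.join(path, "manifest.json"), encoding="utf-8") as fh:
                    name = json.load(fh).get("name", "?")
            except (OSError, ValueError):
                name = "?"                    # unreadable manifest: still report the id
            findings.append({"id": ext_id, "name": name, "version": version,
                             "status": classify(ext_id, version), "c2_hits": scan_for_c2(path)})
    return findings


def build_sample_profile(base):
    """Constructed profile, not a real capture: the admitab.com fetch is made up to
    exercise the scan; the all-'a' id and PiP version 1.6.2 are hypothetical."""
    samples = [  # (id, version, display name, contents of a fake background.js)
        ("iabflonngmpkalkpbjonemaamlgdghea", "1.3.7", "2048 Game", 'fetch("https://admitab.com/c");'),
        ("jhhjdfldilccfllhlbjdlhknlfbhpgeg", "2.33", "Dark Mode for Chrome", "// cleaned build"),
        ("nalkmonnmldhpfcpdlbdpljlaajlaphh", "1.6.2", "PiP (Picture in picture)", "// later build"),
        ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "1.0.0", "Unrelated Extension", "// benign"),
    ]
    for ext_id, version, name, js in samples:
        d = os.path.join(base, "Extensions", ext_id, version + "_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": version, "manifest_version": 3}, fh)
        with open(os.path.join(d, "background.js"), "w", encoding="utf-8") as fh:
            fh.write(js)


def run_sample():
    """Build the constructed profile in a temp dir and return findings keyed by id.
    Against a real machine, call audit_profile() on the Chrome profile directory instead."""
    base = tempfile.mkdtemp()
    build_sample_profile(base)
    return {f["id"]: f for f in audit_profile(base)}
```

To run this against a real installation, point audit_profile() at the profile directory that contains the Extensions folder (for example ~/.config/google-chrome/Default on Linux, ~/Library/Application Support/Google/Chrome/Default on macOS, or %LOCALAPPDATA%\Google\Chrome\User Data\Default on Windows) and collect the output centrally; the ID and version are the fields worth keeping in the inventory, since a display name can be copied by any other extension. Two caveats follow from the table itself: a “review” verdict (a listed extension at a version the table does not mention, such as 2048 Game 1.3.8) needs a human look rather than an automatic pass, and a literal domain match only confirms presence, so an extension that builds its C2 hostname dynamically or obfuscates it will scan clean while still being one of the compromised versions.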