How Spin.AI’s Researchers Uncovered 14.2 Million More Victims in the RedDirection Browser Extension Attack Campaign
- The Initial Discovery: A Single Extension Reveals a Massive Campaign
- The Broader Implications: Systemic Marketplace Failures
- The Extended Risk Window: Why Patching Delays Matter
- Recommendations and Best Practices
- Moving Forward: The Need for Specialized Security Solutions Like SpinCRX
- Newly Discovered Malicious Extensions
- Indicators of Compromise
The browser extension ecosystem just experienced one of its most sophisticated attacks to date. What began as an initial malicious extension discovery by Koi Security has evolved into a much broader picture of the RedDirection campaign. New evidence uncovered by Spin.AI reveals the true scope of this browser-based attack and demonstrates why organizations need specialized tools to protect themselves.
The Initial Discovery: A Single Extension Reveals a Massive Campaign
The investigation began with what seemed like a routine analysis of a “verified” malicious extension called “Color Picker, Eyedropper – Geco colorpick.” However, this single discovery was just the tip of the iceberg. Koi Security’s research uncovered the RedDirection campaign, a sophisticated cross-platform network of 18 malicious extensions spanning both the Chrome and Microsoft Edge stores, affecting over 2.3 million users.
RedDirection’s Approach
The attackers demonstrated remarkable sophistication in their approach. Rather than creating obviously malicious software, they developed extensions that masqueraded as popular productivity and entertainment tools: emoji keyboards, weather forecasts, video speed controllers, VPN proxies for Discord and TikTok, dark themes, volume boosters, and YouTube unblockers. These extensions provided legitimate functionality while secretly implementing browser surveillance and hijacking capabilities.
Impact Summary
The RedDirection campaign compromised legitimate browser extensions by injecting malware through routine updates, bypassing security measures since updates install automatically for millions of users. The malware created a comprehensive hijacking system that intercepted web traffic, redirected users to attacker-controlled sites, and used multiple subdomains to mask the centralized operation. This infrastructure enabled large-scale credential theft through fake banking pages, malware distribution via fake updates, and continuous monitoring of sensitive user data across millions of infected browsers.
Perhaps most concerning was how these extensions exploited every trust signal users typically rely on. Many achieved Google’s verified badge status and accumulated high install counts, with one exceeding 100,000 users and garnering over 800 positive reviews. They even secured featured placement in both the Chrome Web Store and the Microsoft Edge Add-ons store.
Spin.AI’s Research Reveals True Scale of Attack
While the initial findings were alarming, Spin.AI was able to show that the attack’s true magnitude was far larger than initially thought. Leveraging our extensive, proprietary threat intelligence specific to applications and extensions, our researchers cross-referenced the previously identified Indicators of Compromise (IOCs) and uncovered a much wider set of affected extensions.
Our team’s analysis revealed an additional 18 Chrome extensions that were malicious, affecting approximately 14 million users, nearly seven times the number initially discovered.
This discovery wasn’t accidental. Spin.AI maintains one of the industry’s most comprehensive threat intelligence compilations of business applications and browser extensions, continuously monitoring for new security threats and suspicious patterns. When the RedDirection IOCs were identified, Spin researchers were able to correlate these indicators, revealing connections and patterns in additional extensions that might otherwise have remained hidden.
The additional malicious extensions identified by Spin.AI included popular tools like:
- 2048 Game
- Adblock Unlimited
- Image Downloader
- Super Mario Bros Game
- Video downloader
- Screen Capture
- Multi Chat – Messenger for WhatsApp
- Dark Mode for Chrome
- Auto HD & Additions for Youtube
[Scroll to bottom for complete list of newly discovered malicious apps and extensions with IOCs and relevant investigative data.]
Combined with initial findings, the RedDirection campaign ultimately compromised 36 unique malicious extensions, affecting approximately 16.5 million users worldwide.
The Broader Implications: Systemic Marketplace Failures
The RedDirection campaign exposes fundamental weaknesses in how major technology companies secure their extension marketplaces. Despite sophisticated verification processes, both Google and Microsoft failed to prevent these advanced threats, allowing millions of users to be compromised.
This failure highlights several critical issues:
Verification Process Limitations
Current marketplace verification focuses primarily on initial submission reviews rather than continuous monitoring of updates. The RedDirection attackers exploited this by introducing malicious code through updates to previously legitimate extensions.
Trust Signal Exploitation
The campaign demonstrated how attackers can systematically exploit every trust signal users rely on: verification badges, high install counts, positive reviews, and marketplace featuring. This suggests that current trust indicators may be insufficient for identifying sophisticated threats.
Security Blind Spot Amid Vast Threat Landscape
The automatic, silent installation of extension updates creates a massive attack surface that threat actors are increasingly exploiting. Users have limited visibility into what changes when extensions update, creating opportunities for malicious code injection.
Detection and Response Delays
The 98-day average time to patch or remove malicious extensions indicates that current threat detection and response mechanisms are inadequate for the scale and sophistication of modern attacks.
The Extended Risk Window: Why Patching Delays Matter
While all identified malicious extensions have now been updated with security patches, the timeline reveals a critical vulnerability in the extension ecosystem. On average, it took nearly 98 days (over three months) for these malicious extensions to be patched or removed from the Chrome Web Store.
This extended timeline created significant risk windows for organizations:
Data Exposure Risks
During the months between malicious updates and security patches, affected users were continuously monitored. Every website visit, every login attempt, and every sensitive business application access could have been captured and transmitted to attackers.
Credential Compromise
The man-in-the-middle capabilities meant that any authentication performed during the exposure period could have been intercepted. This includes not just personal accounts, but critical business systems, cloud services, and administrative interfaces.
Network Infiltration
For enterprise users, compromised browser extensions could serve as initial access vectors for broader network attacks. Attackers could potentially use hijacked browsers to probe internal systems, steal session tokens, or launch targeted attacks against business applications.
Compliance Implications
Organizations in regulated industries may face compliance challenges if sensitive data was accessed or transmitted during the exposure period. The extended timeline means that forensic investigations may be required to determine the full scope of potential data exposure.
Recommendations and Best Practices
The RedDirection campaign provides crucial lessons for both individual users and organizations. Here are our key recommendations:
Implement Comprehensive Extension Auditing
If you are not using a continuous monitoring tool to automatically gain visibility into deployed extensions and their associated risk levels, you can perform manual audits and research associated risks using Spin.AI’s Free Risk Assessment for apps or extensions your team is using.
- Maintain an inventory of all browser extensions used within your organization.
- Regularly audit extensions against known threat databases.
- Establish approval processes for new extension installations.
- Monitor extension update patterns for suspicious changes.
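One way to run the inventory-and-audit steps above against a Chrome profile, as an added example (not Spin.AI’s tooling): it walks Chrome’s on-disk Extensions directory, reads each manifest’s version, and checks the (id, version) pair against entries copied from the table at the bottom of this page. The IOC table below is a subset of that table; the profile fixture and the 32-character “a” extension ID are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Extension IDs, compromised versions and patched version, copied from the
# "Newly Discovered Malicious Extensions" table on this page (subset only).
REDDIRECTION_IOCS = {
    "iabflonngmpkalkpbjonemaamlgdghea": ("2048 Game", {"1.3.7", "1.3.6", "1.3.5"}, "1.3.9"),
    "jhhjdfldilccfllhlbjdlhknlfbhpgeg": ("Dark Mode for Chrome", {"2.32"}, "2.33"),
    "dllplfhjknghhdneiblmkolbjappecbe": ("Multi Chat - Messenger for WhatsApp", {"1.1.12", "1.1.11"}, "1.1.13"),
    "nalkmonnmldhpfcpdlbdpljlaajlaphh": ("PiP (Picture in picture)", {"1.6.1", "1.6.0", "1.5.9"}, None),
}

def classify(ext_id, version):
    """Map an installed (id, version) pair to an audit verdict."""
    if ext_id not in REDDIRECTION_IOCS:
        return "not_listed"
    _, bad_versions, patched = REDDIRECTION_IOCS[ext_id]
    if version in bad_versions:
        return "compromised"           # remove now, then start forensics
    if patched is not None and version == patched:
        return "patched"               # safe now; still check when it was updated
    return "listed_other_version"      # same extension, version not in table: review

def scan_profile(profile_dir):
    """Walk <profile>/Extensions/<id>/<version>_<n>/manifest.json (Chrome's layout)."""
    findings = []
    root = Path(profile_dir) / "Extensions"
    for manifest in sorted(root.glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        fallback = manifest.parent.name.split("_")[0]   # version from directory name
        version = json.loads(manifest.read_text()).get("version", fallback)
        findings.append((ext_id, version, classify(ext_id, version)))
    return findings

def build_sample_profile(root):
    """Constructed fixture: a fake profile with three extensions (not real installs)."""
    for ext_id, version in [("iabflonngmpkalkpbjonemaamlgdghea", "1.3.7"),   # compromised build
                            ("jhhjdfldilccfllhlbjdlhknlfbhpgeg", "2.33"),    # patched build
                            ("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "9.9")]:    # placeholder, unlisted
        d = Path(root) / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "demo", "version": version}))

def demo():
    """Build the constructed profile in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return scan_profile(tmp)

if __name__ == "__main__":
    for ext_id, version, verdict in demo():
        print(f"{verdict:22} {ext_id} {version}")
```

Point `scan_profile` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to audit a live install; extend `REDDIRECTION_IOCS` with the remaining table rows first.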
Deploy Specialized Security Tools
- Utilize platforms like Spin.AI that maintain comprehensive application and extension databases.
- Implement real-time monitoring for suspicious browser behaviors.
- Establish automated alerting for newly identified threats.
- Consider browser isolation technologies for high-risk users.
Conduct Forensic Investigations
If your organization used any of the identified extensions during their malicious periods, perform comprehensive forensic investigations to:
- Identify potentially compromised accounts and systems.
- Review access logs for unusual patterns.
- Reset credentials for affected users.
- Monitor for ongoing compromise indicators.
Establish Response Protocols
- Develop incident response procedures specifically for browser extension compromises.
- Create communication plans for notifying affected users.
- Establish relationships with security research organizations.
- Plan for rapid extension removal and user remediation.
Moving Forward: The Need for Specialized Security Solutions Like SpinCRX
The RedDirection campaign demonstrates that traditional security approaches are insufficient for protecting against modern browser extension threats. Organizations need specialized solutions that can:
- Maintain comprehensive databases of applications and extensions.
- Provide real-time threat correlation and analysis.
- Offer rapid response capabilities when new threats emerge.
- Deliver business-focused risk assessments and remediation guidance.
Spin.AI’s ability to uncover seven times more victims than initially discovered illustrates the value of embedded research capabilities and more comprehensive threat intelligence.
As browser extensions become increasingly central to business workflows, they bring with them a crucial challenge for enterprise security teams: the scale and complexity of modern application ecosystems make manual monitoring nearly impossible. This highlights the need for organizations to invest in security solutions that can match the sophistication and scale of modern attackers.
That’s why Spin.AI is releasing SpinCRX, a newly developed continuous monitoring solution for browser security that provides risk assessment, app and extension discovery and management, as well as a streamlined, risk-based approvals process for end users.
Comprehensive Coverage
Spin.AI tracks hundreds of thousands of applications and extensions across multiple platforms, maintaining detailed security profiles and behavioral analytics for each. This comprehensive coverage ensures that when new threats emerge, related risks can be identified across the entire ecosystem. Further, every subsequently released version is analyzed separately, supporting investigations just like this one, where past versions of an app or extension may have compromised an organization’s environment for a period of time without its knowledge. This is also extremely helpful for identifying instances where unpatched versions of malicious extensions are still running in an organization’s environment.
Advanced Correlation Capabilities
When security researchers identify new IOCs, our solution cross-references these indicators against our entire database. This capability enabled us to uncover the additional 14 million affected users in the RedDirection campaign: victims that might have remained undetected using traditional security approaches.
Business-Focused Risk Assessment
Unlike consumer-focused security tools, SpinCRX is specifically designed for enterprise environments. We understand which applications and extensions are commonly used in business settings and can provide targeted risk assessments.
The browser extension ecosystem will continue to be a prime target for cybercriminals. Only through comprehensive monitoring, advanced threat correlation, and rapid response capabilities can organizations protect themselves against the next generation of browser-based attacks.
Newly Discovered Malicious Extensions
(All listed extensions are for the Chrome browser. Dates are M/D/YYYY; duration is in days.)
| Extension Name | Extension ID | Compromised Versions | Date of Compromise | Date of Patch | User Count | Patched Version | Discovered By | Duration Compromised (days) |
|---|---|---|---|---|---|---|---|---|
| 2048 Game | iabflonngmpkalkpbjonemaamlgdghea | 1.3.7, 1.3.6, 1.3.5 | 4/18/2024 | 7/24/2024 | 1,000,000 | 1.3.9 | Spin.AI | 97 |
| Adblock Unlimited – Adblocker | jiaopkfkampgnnkckajcbdgannoipcne | 1.0.7 | 7/5/2024 | 11/6/2024 | 90,000 | 1.0.8 | Spin.AI | 124 |
| Image Downloader – Save pictures | daeljdgmllhgmbdkpgnaojldjkdgkbjg | 1.2.3, 1.2.2, 1.2.1 | 5/7/2024 | 7/10/2024 | 200,000 | 1.2.4 | Spin.AI | 64 |
| Web Music Downloader | dmbjkidogjmmlejdmnecpmfapdmidfjg | 1.1.4 | 5/8/2024 | 7/16/2024 | 500,000 | 1.1.5 | Spin.AI | 69 |
| Super Mario Bros Game | pegfdldddiilihjahcpdehhhfcbibipg | 1.0.4, 1.0.3 | 5/8/2024 | 7/29/2024 | 200,000 | 1.0.5 | Spin.AI | 82 |
| Video downloader – download any video | kfpgookelklhphhnihipmknjdgbeecgj | 0.4.4 | 5/18/2024 | 7/9/2024 | 1,000,000 | 0.4.6 | Spin.AI | 52 |
| Screen Capture | pmnphobdokkajkpbkajlaiooipfcpgio | 1.0.21, 1.0.19 | 5/25/2024 | 7/21/2024 | 700,000 | 1.0.22 | Spin.AI | 57 |
| Dictionary all over with Synonyms | ahjhlnckcgnoikkfkfnkbfengklhglpg | 0.1.5.4 | 5/25/2024 | 7/29/2024 | 400,000 | 0.1.5.5 | Spin.AI | 65 |
| Multi Chat – Messenger for WhatsApp | dllplfhjknghhdneiblmkolbjappecbe | 1.1.12, 1.1.11 | 6/22/2024 | 7/22/2024 | 2,000,000 | 1.1.13 | Spin.AI | 30 |
| Video Downloader Online | jglemppahimembneahjbkhjknnefeeio | 1.2.10 | 5/24/2024 | 7/25/2024 | 700,000 | 1.2.11 | Spin.AI | 62 |
| PiP (Picture in picture) | nalkmonnmldhpfcpdlbdpljlaajlaphh | 1.6.1, 1.6.0, 1.5.9 | 6/3/2024 | N/A | 800,000 | N/A | Spin.AI | N/A |
| Mute Tab – Silent in a click | inhefjomnpfkkegfklclbjhkifmpkkmn | 0.8.5, 0.8.4, 0.8.3 | 5/29/2024 | 3/17/2025 | 30,000 | 0.8.7 | Spin.AI | 292 |
| Dark Mode for Chrome | jhhjdfldilccfllhlbjdlhknlfbhpgeg | 2.32 | 6/13/2024 | 12/24/2024 | 4,000,000 | 2.33 | Spin.AI | 194 |
| Good Video Downloader | mhpcabliilgadobjpkameggapnpeppdg | 1.7 | 6/13/2024 | 7/31/2024 | 400,000 | 1.8 | Spin.AI | 48 |
| Flash Player Enabler | eplfglplnlljjpeiccbgnijecmkeimed | 1.0.5 | 6/19/2024 | 7/2/2024 | 300,000 | 1.0.6 | Spin.AI | 13 |
| Auto HD & Additions for Youtube | lagdcjmbchphhndlbpfajelapcodekll | 1.4.2, 1.4.1 | 1/6/2024 | 8/7/2024 | 800,000 | 1.4.3 | Spin.AI | 214 |
| What Font – find font | acpcapnaopbhbelhmbbmppghilclpkep | 5.4.4 | 7/9/2024 | 8/3/2024 | 1,000,000 | 5.4.5 | Spin.AI | 25 |
| Floating Video with Playback Controls | pnanegnllonoiklmmlegcaajoicfifcm | 1.7 | 7/31/2024 | 1/21/2025 | 80,000 | 1.8 | Spin.AI | 174 |
Indicators of Compromise