Spin.AI Research Uncovers 18 New Malicious Extensions Affecting 14.2 Million More Users in Sophisticated Browser Extension Attack Campaign

Cybersecurity company’s proprietary research uncovers a host of new compromised extensions impacting 7X more victims than previously thought in the RedDirection malicious attack campaign.

PALO ALTO, CA, August 5, 2025 – Spin.AI, a leading provider of enterprise SaaS security solutions, today announced that its research team has uncovered the true scope of the RedDirection campaign, a sophisticated browser extension attack that ultimately involved 36 malicious extensions and affected 16.5 million users across Chrome and Microsoft Edge browsers, up from the 2.3 million users initially reported. After the initial discovery of the RedDirection campaign was publicly announced, Spin.AI’s researchers identified an additional 18 malicious Chrome extensions affecting 14.2 million users, bringing the total impact to roughly seven times the number initially thought.

Advanced Research Capabilities Reveal Hidden Threats

Spin.AI’s discovery was made possible by one of the company’s proprietary Browser Security solutions, all of which draw on its extensive, proprietary threat intelligence for business applications and browser extensions. These solutions continuously monitor customers’ environments, providing visibility into the shadow IT apps and extensions users have installed and identifying security threats across hundreds of thousands of applications.

Spin.AI researchers cross-referenced the initial Indicators of Compromise (IOCs) against the proprietary threat intelligence data embedded in their browser security solutions, surfacing an additional 18 malicious Chrome extensions. This brings the total of impacted applications and extensions to 36, twice the number initially thought.

“This discovery demonstrates the critical importance of having comprehensive visibility into the application ecosystem,” said Davit Asatryan, VP Product at Spin.AI. “Our proprietary solutions don’t just track applications – they provide the correlation capabilities necessary to uncover sophisticated threats that might otherwise remain hidden. In this case, our research revealed that the actual impact was seven times greater than initially understood.”

The 18 additional malicious extensions identified by Spin.AI included popular tools such as Adblock Unlimited, Image Downloader, Screen Capture, and Dark Mode for Chrome. These extensions masqueraded as legitimate productivity tools while secretly implementing browser surveillance and hijacking capabilities. The company has published a comprehensive list of newly affected extensions.

Sophisticated Attack Exploits Trust Mechanisms

The RedDirection campaign employed advanced techniques that set it apart from typical malware operations. Attackers developed extensions that provided legitimate functionality while operating as persistent man-in-the-middle attacks. The extensions successfully exploited trust signals including Google’s verified badge status, hundreds of positive reviews, featured marketplace placement, and high install counts, representing over 4 million users for the extensions discovered by the Spin.AI team.

Critically, the extensions weren’t malicious from inception. Instead, malicious code was introduced through version updates, sometimes years after initial release, exploiting the fact that extension updates are installed automatically and silently for millions of users. The malware included browser hijacking mechanisms that captured the URLs users visited and sent that data to remote command and control servers, creating a massive, persistent man-in-the-middle capability.

Extended Exposure Creates Enterprise Risk

Spin.AI’s analysis reveals that it took an average of nearly 98 days for malicious extensions to be patched or removed from the Chrome Web Store. This extended timeline created significant risk windows for organizations, during which every website visit, login attempt, and business application access could have been captured and transmitted to attackers.

“The 98-day average response time highlights a critical gap in incident response SLA that organizations cannot ignore,” said CEO Dmitry Dontov. “For enterprises, where the landscape is too vast for manual investigation and response, this represents a fundamental security challenge that requires customized monitoring and immediate response capabilities. We are excited about the upcoming product release for SpinCRX, a tool designed to address this problem, specifically. In fact, our team was working on it when they uncovered the true depth of this attack campaign.”

Industry Impact and Recommendations

The campaign exposes systemic failures in marketplace security, demonstrating that current verification processes are insufficient for detecting sophisticated, evolving threats. Spin.AI recommends that organizations immediately implement a comprehensive browser extension auditing process, and that any organization that used the identified extensions during their malicious periods conduct a forensic investigation. Organizations should audit all installed browser extensions against the published IOCs and remove any identified malicious extensions.
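As an added example (not Spin.AI’s code or tooling), the following Python script shows one way to carry out the audit step recommended above: it inventories every extension version installed in a Chromium-family browser profile by reading each manifest.json, matches extension IDs against an IOC table, and, because RedDirection introduced its malicious code through updates rather than at first release, flags an install only when its version is at or past the first version recorded as malicious. The IOC table, the extension IDs and the temporary-directory profile fixture are constructed placeholders, not real RedDirection indicators; to run it for real, replace the table with the published IOC list and point audit_profile at an actual profile directory.

```python
"""Audit installed Chromium-family (Chrome/Edge) extensions against an IOC list.

Added example, not Spin.AI's tooling. It assumes the on-disk layout that
Chromium-based browsers use for installed extensions:
    <profile>/Extensions/<extension-id>/<version>_<n>/manifest.json
The IOC table and the extension IDs below are constructed placeholders, not
real RedDirection indicators; replace them with the published IOC list.
"""
import json
import tempfile
from pathlib import Path

# Constructed IOC table (hypothetical IDs). Because RedDirection introduced the
# malicious code through version updates, each entry records the first version
# believed to be malicious; older, still-clean versions are listed but not flagged.
IOCS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": {"name": "Sample Adblock", "malicious_from": "2.3.0"},
    "ppppoooonnnnmmmmllllkkkkjjjjiiii": {"name": "Sample Screenshot", "malicious_from": "1.0.0"},
}


def parse_version(version, width=4):
    """Turn '2.3' into (2, 3, 0, 0) so versions of different lengths compare correctly."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple((parts + [0] * width)[:width])


def is_malicious(ext_id, version):
    """True if ext_id is an IOC and the installed version is at or past the malicious one."""
    ioc = IOCS.get(ext_id)
    if ioc is None:
        return False
    return parse_version(version) >= parse_version(ioc["malicious_from"])


def audit_profile(profile_dir):
    """Walk <profile>/Extensions and return one record per installed extension version."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        ext_id = ext_dir.name
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = ver_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            # Prefer the manifest's version; the directory name (e.g. "2.4.1_0") is the fallback.
            version = manifest.get("version") or ver_dir.name.split("_")[0]
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "version": version,
                "path": str(ver_dir),
                "flagged": is_malicious(ext_id, version),
            })
    return findings


def build_sample_profile(root):
    """Create a constructed profile fixture with three extensions for an offline run."""
    samples = [
        ("aaaabbbbccccddddeeeeffffgggghhhh", "2.4.1", "Sample Adblock"),     # past malicious_from: flagged
        ("ppppoooonnnnmmmmllllkkkkjjjjiiii", "0.9.0", "Sample Screenshot"),  # pre-malicious version: clean
        ("abcdefghijklmnopabcdefghijklmnop", "5.0.0", "Unrelated Tool"),     # not an IOC at all
    ]
    for ext_id, version, name in samples:
        ver_dir = Path(root) / "Extensions" / ext_id / f"{version}_0"
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(
            json.dumps({"manifest_version": 3, "name": name, "version": version}),
            encoding="utf-8")


def run_demo():
    """Build the fixture in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return audit_profile(tmp)


if __name__ == "__main__":
    # On a real host, point audit_profile at the browser profile, for example
    # ~/.config/google-chrome/Default (Linux),
    # ~/Library/Application Support/Google/Chrome/Default (macOS), or
    # %LOCALAPPDATA%\Google\Chrome\User Data\Default (Windows); Edge uses Microsoft/Edge.
    for finding in run_demo():
        status = "FLAGGED" if finding["flagged"] else "ok"
        print(f"{status:8} {finding['id']} {finding['name']} v{finding['version']}")
```

The version-aware match matters for the forensic step: an extension that was installed before the malicious update shipped is a different exposure window from one that auto-updated into it, so the report keeps every installed version rather than only a yes/no per extension ID.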

About Spin.AI

Spin.AI is a leading provider of enterprise SaaS security solutions, helping organizations protect their cloud application environments against emerging threats. The company’s comprehensive security platform combines advanced threat detection, extensive application intelligence, and proactive monitoring to secure enterprise SaaS ecosystems. Spin.AI’s research division maintains industry-leading threat intelligence for SaaS applications and browser extensions, maintaining risk scores, detailing security threats, and providing organizations with the intelligence necessary to stay ahead of evolving attack vectors.

Media Contact:

Lindsey Watts

marketing@spin.ai
