- “Phantom Shuttle” malicious Google Chrome extensions secretly redirect traffic through attacker-controlled proxy servers
- The extensions targeted Chinese users and collected credentials from 170 high-value domains.
- Google removed the plugins; experts warn that browser add-ons remain a major security risk.
Security researchers recently discovered that two extensions for the Google Chrome browser were redirecting valuable traffic through compromised proxy servers and therefore sharing sensitive information with malicious third parties.
Socket said it found two extensions in the Chrome Web Store, called ‘Phantom Shuttle’. At first glance, these were advertised as add-ons to a proxy service, allowing users to proxy traffic and test network speeds, and were primarily aimed at Chinese users, such as foreign trade workers who need to test connectivity from different locations in the country.
The add-ons, which were first uploaded to the store in 2017, even had a price: a monthly subscription that cost between $1.40 and $13.60.
Removed from repository
However, in addition to doing what it said it would do, Phantom Shuttle also routed users’ web traffic through proxy servers owned by the threat actor, allowing them to obtain login credentials, payment card details, personal information, and more.
However, it did not divert all traffic. Instead, it watched for approximately 170 high-value domains, such as development platforms, cloud services consoles, social networking sites, and adult content portals, to ensure that only valuable information was collected.
Local networks and C2 domains were excluded from the list to ensure that the plugins did not raise any alarms. Google has since removed both extensions from the app store, and searching for ‘Phantom Shuttle’ returns no results.
The Internet browser is the most important software on any modern computer and, as such, is a major target for cybercriminals. While most browsers in use today are relatively secure (Chrome, for example, only had eight zero-day vulnerabilities so far in 2025), plugins are something of a weak point, allowing creative criminals to introduce malicious code into the program.
This is why users are advised to be very careful when downloading and installing add-ons or extensions on their browsers.
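One way to act on that advice, as an added example that is not part of the original article or of Socket's research: a Python audit that reads the manifests of installed extensions and flags any that request Chrome's `proxy` permission, which an extension needs before it can change the browser's proxy settings. The `high`/`review` labels are this example's own scoring, and it assumes the `Extensions/<id>/<version>/manifest.json` layout Chrome uses inside a profile directory.

```python
import json
import sys
from pathlib import Path

# Match patterns that grant an extension access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Permissions that let an extension observe requests or answer proxy auth prompts.
REQUEST_PERMS = {"webRequest", "webRequestAuthProvider"}


def assess_manifest(manifest):
    """Return (risk, reasons) for one parsed manifest.json."""
    declared = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared |= {p for p in manifest.get(key, []) if isinstance(p, str)}
    if "proxy" not in declared:
        return "none", []
    reasons = ["proxy: can change the browser's proxy settings"]
    if declared & REQUEST_PERMS:
        reasons.append("webRequest: can observe requests or answer auth prompts")
    if declared & BROAD_HOSTS:
        reasons.append("broad host access: applies to every site")
    # Illustrative scoring (an assumption of this example, not a Chrome concept).
    return ("high" if len(reasons) > 1 else "review"), reasons


def audit_extensions(extensions_dir):
    """Scan <extensions_dir>/<id>/<version>/manifest.json and list findings."""
    findings = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
            if not isinstance(manifest, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError):
            # A manifest that cannot be parsed deserves a manual look.
            findings.append((ext_id, "unreadable", "review", []))
            continue
        risk, reasons = assess_manifest(manifest)
        if risk != "none":
            findings.append((ext_id, manifest.get("name", "?"), risk, reasons))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for ext_id, name, risk, reasons in audit_extensions(target):
        print(f"[{risk}] {ext_id} {name}: {'; '.join(reasons)}")
```

Run it against the `Extensions` folder of a Chrome profile; a `proxy` hit is a prompt to review the extension, since legitimate VPN and proxy add-ons request the same permission.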
Via BleepingComputer