In an increasingly connected world where digital privacy is paramount, thousands of users who sought protection through browser extensions instead found themselves ensnared in a sophisticated, long-running deception. Two malicious Chrome extensions, both operating under the name “Phantom Shuttle,” have masqueraded as legitimate VPN services since 2017, tricking over 2,180 users into installing software designed to intercept their web traffic and steal login credentials. Published through the Chrome Web Store by a threat actor using the email address theknewone.com@gmail[.]com, the extensions presented a convincing facade of a genuine utility. Victims, unaware of the malicious code running in the background, believed they were using a tool to improve their online security. Instead, their online activity was being monitored and their credentials continuously siphoned off to attacker-controlled servers, a stark reminder that even seemingly reputable tools can harbor hidden dangers. The operation highlights a critical weakness in the browser-extension ecosystem, where user trust is easily exploited.
1. The Deceptive Facade and Hidden Dangers
The success of the Phantom Shuttle extensions hinged on an elaborate commercial illusion that lulled users into a false sense of security. The extensions were marketed not as traditional VPNs, but as specialized “multi-location network speed testing plugins” aimed at a niche audience of developers and Chinese trade workers. This specific targeting may have helped the extensions avoid broader scrutiny. To further enhance their legitimacy, the operators established a paid subscription model, with prices ranging from 9.9 to 95.9 yuan (approximately $1.40 to $13.50 USD). Users made payments through trusted and mainstream platforms, including Alipay and WeChat Pay, which added another layer of perceived authenticity. Upon subscribing, users received access to a functional proxy service that performed as advertised, conducting real latency tests and displaying accurate connection statuses. This operational functionality was the cornerstone of the deception, as it provided tangible value to the user while effectively hiding the devastating malicious activity occurring silently and continuously in the background, a perfect cover for a credential-harvesting operation.
While users were focused on the apparent benefits of the service they paid for, the extensions were systematically executing a complete interception of their internet traffic. This was not a passive monitoring operation; it was an active man-in-the-middle attack orchestrated within the user’s own browser. Every website visited, every form filled out, and every login attempt was captured. The malicious software was designed to monitor all online activity and continuously exfiltrate sensitive data, including usernames and passwords, directly to servers controlled by the attackers. The extensions maintained a persistent connection to a command-and-control (C2) server, ensuring a steady stream of stolen information. This covert data theft transformed a tool meant for privacy into a powerful surveillance machine, turning every user into an unwitting source of valuable credentials. The sheer volume of data collected over the years from thousands of victims underscores the severe and ongoing risk posed by such deceptive browser add-ons.
2. Unmasking the Technical Hijacking Mechanism
The core of the attack was a sophisticated credential injection mechanism designed to operate without any user knowledge or interaction. The extensions were programmed to automatically intercept every HTTP authentication request initiated by the browser across all websites. When a site prompted for a username and password, the extension would intervene before the user ever saw the request. It would then inject a set of hardcoded proxy credentials—specifically, the username topfany and the password 963852wei—into the authentication challenge. This action effectively redirected all of the user’s browsing traffic through the attackers’ own proxy servers. By forcing all data through their infrastructure, the attackers could decrypt, inspect, and log any information transmitted, including plaintext passwords, session cookies, and other sensitive personal data. This technique is particularly insidious because it does not require tricking the user into entering credentials on a fake page; it hijacks the legitimate authentication process itself, making it nearly impossible for a non-technical user to detect.
To evade detection by security researchers and automated scanners, the malicious code was hidden and obfuscated within the extension’s files. The core logic was embedded inside modified versions of common JavaScript libraries, specifically jquery-1.12.2.min.js and scripts.js, making it hard to distinguish from legitimate code during a cursory analysis. The attackers also used a custom character-index encoding scheme to obfuscate the hardcoded proxy credentials, so simple text searches would not reveal them. The extension registered a listener on the chrome.webRequest.onAuthRequired event, a powerful browser API that lets extensions intercept and respond to authentication challenges. By registering in asyncBlocking mode, the listener could supply credentials to the challenge itself, so the browser never prompted the user and the interception left no visible trace. This setup was complemented by a 60-second heartbeat function that communicated with the C2 server at phantomshuttle.space, exfiltrating user email addresses and passwords in plaintext every five minutes for active users and ensuring a constant flow of stolen data.
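The traits described in the two paragraphs above (an onAuthRequired hook in asyncBlocking mode, proxy control, a vendored jQuery file that calls extension APIs, a heartbeat to the C2 host) are exactly what a reviewer of an unpacked extension should look for. The following static-audit helper is an added example, not code from the report or from the extension; the file names, detection rules and the SAMPLE_EXTENSION fixture are constructed for illustration.

```javascript
// Added example, not code from the original report: a static-audit helper that flags an
// unpacked Chrome extension for the traits described above. It works on an in-memory
// {path: contents} map so it runs offline; SAMPLE_EXTENSION below is constructed only.
const RISKY_PERMISSIONS = ["webRequest", "webRequestBlocking", "webRequestAuthProvider", "proxy"];
const KNOWN_C2_HOSTS = ["phantomshuttle.space"]; // host named in the report
const RANK = { medium: 1, high: 2, critical: 3 };
// Returns findings as {severity, file, reason}; an empty list means nothing suspicious.
function auditExtension(files) {
  const findings = [];
  let manifest;
  try { manifest = JSON.parse(files["manifest.json"] || "") || {}; }
  catch (e) { return [{ severity: "high", file: "manifest.json", reason: "manifest missing or invalid" }]; }
  const perms = [].concat(manifest.permissions || [], manifest.host_permissions || []);
  for (const p of perms) if (RISKY_PERMISSIONS.includes(p)) findings.push({ severity: "medium", file: "manifest.json", reason: `declares ${p}` });
  for (const [path, src] of Object.entries(files)) {
    if (!path.endsWith(".js")) continue;
    const push = (severity, reason) => findings.push({ severity, file: path, reason });
    if (/webRequest\.onAuthRequired/.test(src)) {
      // asyncBlocking lets the listener answer the challenge itself, so the user never sees a prompt
      const blocking = /["']asyncBlocking["']/.test(src);
      push(blocking ? "high" : "medium", "hooks onAuthRequired" + (blocking ? " in asyncBlocking mode" : ""));
    }
    if (/authCredentials\s*:/.test(src)) push("high", "supplies authCredentials programmatically");
    if (/chrome\.proxy\.settings\.set/.test(src)) push("high", "rewrites the browser proxy configuration");
    for (const h of KNOWN_C2_HOSTS) if (src.includes(h)) push("critical", `references known C2 host ${h}`);
    // A file named like a stock jQuery build should not be calling extension APIs at all.
    if (/jquery-[\d.]+\.min\.js$/.test(path) && /chrome\.(webRequest|proxy|runtime)/.test(src)) {
      push("high", "vendored library contains chrome.* API calls");
    }
  }
  if (perms.includes("<all_urls>") && findings.some(f => RANK[f.severity] >= 2)) {
    findings.push({ severity: "high", file: "manifest.json", reason: "<all_urls> scope combined with high-risk code" });
  }
  return findings;
}
// Collapse findings into a triage decision: "ok", "review" or "block".
function verdict(files) {
  const worst = Math.max(0, ...auditExtension(files).map(f => RANK[f.severity] || 0));
  return worst >= 2 ? "block" : worst === 1 ? "review" : "ok";
}
// Constructed sample mirroring the traits the report describes (not the real extension's files).
const SAMPLE_EXTENSION = {
  "manifest.json": JSON.stringify({ manifest_version: 3, name: "Speed Test Helper",
    permissions: ["webRequest", "webRequestAuthProvider", "proxy", "storage"], host_permissions: ["<all_urls>"] }),
  "jquery-1.12.2.min.js": "/*! jQuery v1.12.2 */ chrome.webRequest.onAuthRequired.addListener(" +
    "(d, cb) => cb({ authCredentials: creds }), { urls: ['<all_urls>'] }, ['asyncBlocking']);",
  "scripts.js": "setInterval(() => fetch('https://phantomshuttle.space/heartbeat'), 60000);",
};
console.log(verdict(SAMPLE_EXTENSION), auditExtension(SAMPLE_EXTENSION));
```

To audit a real unpacked extension, build the map by reading each file under its directory and pass it to verdict; anything rated "block" deserves a manual read of the flagged files before it is trusted.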
3. A Call for Vigilance
The investigation into the Phantom Shuttle extensions revealed a long-standing and highly effective credential theft operation that remained active as of late 2025. In response to these findings, security analysts submitted formal takedown requests to Google’s Chrome Web Store security team to have the malicious extensions removed and prevent further installations. For those who had already installed either of the Phantom Shuttle variants, the recommended course of action was immediate and decisive. Users were strongly advised to uninstall the extensions without delay to halt any further data exfiltration. Following the removal, the most critical step was to change all passwords that had been used or saved in the browser while the extension was active. This included credentials for email, banking, social media, and any other online service, as all of them were considered compromised. This incident underscored the critical importance of scrutinizing browser extensions, even those available on official marketplaces, and served as a potent reminder of the hidden risks that can accompany seemingly useful digital tools.