Executive Summary
In December 2025, security researchers identified two versions of a Google Chrome extension named 'Phantom Shuttle' that silently rerouted browser traffic for more than 170 targeted domains through attacker-controlled proxies and harvested user credentials. Marketed as a VPN and speed-test tool, the extensions used the proxy permission and malicious JavaScript to install a PAC script served from the operator's infrastructure, answer the proxies' authentication challenges with embedded credentials so the rerouting required no user interaction, and position the operator as a man-in-the-middle. Users paid for subscriptions believing they were buying a secure service; in reality their traffic to the targeted domains, including passwords, session cookies, credit card data, API keys, and browsing history, was continuously exposed to a threat actor-controlled command-and-control server. The operation monetized itself through a subscription model with Alipay and WeChat payment integrations, while the PAC scripts decided which domains were sent to the attacker's proxies and which went direct.
This incident is part of a growing pattern of browser extension abuse in which attackers monetize malicious add-ons under the guise of productivity or security tools. As enterprise users rely on browser extensions for business workflows, unmanaged browser risk is becoming a critical threat to organizational data security and compliance.
Why This Matters Now
Malicious browser extensions run inside the browser with permissions the user granted at install time, so they sit below the visibility of many endpoint controls and inherit the user's trust, creating a persistent credential leakage channel for enterprises. As extensions increasingly integrate payment systems and mimic business tools, their abuse gives attackers direct access to high-value accounts, developer secrets, and sensitive data, underscoring the need for rigorous extension management and continuous network monitoring.
Attack Path Analysis
Compromise began with the victim installing a Chrome extension from the Web Store that was disguised as a VPN/speed-test tool. On installation the extension used the proxy permission to take over the browser's network settings: it loaded a PAC script that sent traffic for the targeted domains to attacker-operated proxies while leaving everything else direct, and it answered the proxies' authentication challenges with embedded credentials so the rerouting was invisible to the user. Because the operator controlled the proxy, every session to those domains, across all affected users, passed through infrastructure able to observe, log, or modify it. A periodic heartbeat to the C2 server kept the victim's configuration current and confirmed it was still live. Credentials and other sensitive data captured at the proxy, together with extension-to-C2 traffic, travelled over unencrypted HTTP to the attacker's server. Impact included mass credential theft, exposure of developer secrets that can seed further supply chain compromises, and reputational harm.
Kill Chain Progression
Initial Compromise
Description
Users were lured into installing malicious Chrome extensions masquerading as VPN/network testing tools, resulting in browser-level initial access.
Related CVEs
None. The Phantom Shuttle extensions abused permissions that Chrome grants to any extension declaring them (proxy, webRequest) rather than exploiting a vulnerability in the browser, so no CVE applies to this incident.
Affected Products:
Google Chrome and other Chromium-based browsers that can install Chrome Web Store extensions, where either Phantom Shuttle variant is installed
Exploit Status:
Actively abused in the wild (malicious extensions published to the Chrome Web Store)
MITRE ATT&CK® Techniques
Software Extensions: Browser Extensions (T1176.001)
Proxy (T1090)
Adversary-in-the-Middle (T1557)
Steal Web Session Cookie (T1539)
Application Layer Protocol: Web Protocols (T1071.001)
Exfiltration Over C2 Channel (T1041)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Render Stored Account Data Unreadable
Control ID: 3.2.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Security and Resilience
Control ID: Art. 6(9)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Device Security and Management
Control ID: Devices Pillar
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
Sector Implications
Industry-specific impact of the incident, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Chrome extensions targeting developer platforms like GitHub and AWS create supply chain attack risks, credential theft, and compromise of API keys and authentication tokens.
Financial Services
A browser-resident interceptor that routes banking domains through attacker proxies enables credential harvesting, payment data theft, and man-in-the-middle manipulation of financial transactions.
Information Technology/IT
Enterprise IT environments face continuous credential exfiltration from compromised browser extensions that sit in front of cloud services, enterprise applications, and administrative consoles.
E-Learning
Educational technology platforms become targets for credential theft through malicious browser extensions, compromising student and faculty authentication data and academic systems.
Sources
- Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites – https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html
- Malicious Chrome Extensions 'Phantom Shuttle' Masquerade as VPN Services – https://socket.dev/blog/malicious-chrome-extensions-phantom-shuttle
- Malicious extensions in Chrome Web store steal user credentials – https://www.bleepingcomputer.com/news/security/malicious-extensions-in-chrome-web-store-steal-user-credentials/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress filtering, encrypted traffic enforcement, and real-time anomaly detection would have limited the ability of the malicious extensions to route or exfiltrate traffic outside policy bounds. CNSF-aligned controls can block traffic to unsanctioned proxies, flag abnormal data flows, and detect credential leakage in real time across environments.
Control: Multicloud Visibility & Control
Mitigation: Centralized visibility flags unauthorized extension activity.
Control: Zero Trust Segmentation
Mitigation: Least-privilege network segmentation blocks unauthorized cross-service access.
Control: East-West Traffic Security
Mitigation: Microsegmentation constrains unauthorized workload-to-workload data paths.
Control: Inline IPS (Suricata)
Mitigation: Inline detection of known C2 signatures and malicious heartbeat traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Policy-based egress filtering blocks unauthorized outbound traffic and supports rapid detection and remediation of compromised accounts or abnormal data flows.
Impact at a Glance
Affected Business Functions
- User Authentication
- Data Security
- Network Integrity
Estimated downtime: 7 days
Estimated loss: $500,000
The malicious extensions intercepted and exfiltrated sensitive user data, including login credentials, payment information, and personal details, from over 170 high-value domains. This exposure could lead to unauthorized access, financial fraud, and reputational damage.
Recommended Actions
Key Takeaways & Next Steps
- Strengthen extension governance and enable centralized monitoring for browser plugin activity and proxy-setting changes; Chrome's ExtensionSettings enterprise policy can deny the proxy permission to unapproved extensions outright.
- Enforce Zero Trust Segmentation and East-West Traffic Security to limit data flows between endpoints and sensitive cloud resources.
- Mandate fine-grained egress controls and block unsanctioned outbound traffic, including connections to unknown proxies, using policy-enforced cloud firewalls and IPS inspection.
- Deploy continuous anomaly detection to identify proxy authentication to unsanctioned endpoints, periodic C2 heartbeats, and credential exfiltration attempts.
- Educate end-users on extension risk and monitor the environment for unauthorized extension installations or unexpected multi-cloud data flows.