
RedDirection: 18 extensions, millions of browsers compromised

An active campaign, identified as RedDirection, has compromised over 2.3 million users through Chrome and Edge browser extensions.

No advanced malware was needed. No zero-day vulnerabilities. Just legitimate extensions, available in official stores, that were updated with malicious code, without triggering alerts or early detection.


From Useful to Hostile: The Silent Shift


These extensions were functional and popular—common tools like color pickers or translators that passed all initial reviews. But after building a user base, they began exfiltrating browsing data, redirecting sessions, and communicating with remote servers.

According to researchers from Cybernews and entities such as Singapore’s National SOC (CSA), the extensions:

  • monitored visited URLs and browsing patterns in real time;
  • transmitted that data to command-and-control (C2) infrastructure without encryption;
  • allowed attackers to hijack the user's navigation through redirects.

The most downloaded extension, “Color Picker, Eyedropper – Geco colorpick”, had over 700,000 installations and even carried a verified badge.


Automated Trust: The Achilles’ Heel


No popups. No suspicious clicks. Just a silent update.
A routine automatic update was enough: the code users had already trusted changed underneath them, bypassing traditional controls and evading detection systems.

SOC teams relying solely on static signatures or public IOC lists may have missed this behavior entirely.
This case is a clear example of why we need to evolve toward strategies capable of detecting and disrupting behavior that looks benign on its own.


What We Know — and Why It Matters


There was no ransomware. No evidence of mass credential theft.
But there was a clear pattern of ad fraud, data harvesting, and global abuse of user trust.

Some of the identified extensions:

Extension                                  Browser        Downloads
Color Picker, Eyedropper – Geco colorpick  Chrome         700,000+
Web Developer Helper                       Edge           300,000+
Screenshot Tool                            Chrome & Edge  500,000+

Browsers Under Siege: What You Can Do

For individual users:

  • Remove unused or threat-listed extensions.
  • Review the permissions each extension requests.
  • Use browsers that support process isolation or behavioral detection.

For SOCs and analysts:

  • Implement extension control policies (allowlisting) and maintain visibility over what is installed, including version and permission changes.
  • Monitor unusual outbound requests from browsers.
  • Correlate web activity with network and endpoint logs for deeper defense.
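Taken together, the advice above (review permissions, enforce an allowlist, keep visibility over installations) comes down to an inventory you can diff. The following script is an added example, not code from the original post or from the researchers cited: it reads the manifests that Chrome and Edge keep on disk under <profile>/Extensions/<id>/<version>_<n>/, compares them with an allowlist and a saved baseline, and flags exactly the change this campaign relied on, an already-trusted extension whose version and permission set changed in a silent update. The extension IDs, names, manifests and baseline are constructed for the demonstration, and the risky-permission list is a judgement call rather than a standard.

```python
# Added example, not code from the original post: scan a Chromium-family
# (Chrome/Edge) user-data directory, compare installed extensions against an
# allowlist and a saved baseline, and flag a trusted extension whose version
# and permissions changed in a silent update. IDs, manifests and the baseline
# below are constructed for the demo; RISKY_PERMISSIONS is a judgement call.
import json
import tempfile
from pathlib import Path

# Permissions that let an extension observe or rewrite every page a user visits.
RISKY_PERMISSIONS = {
    "<all_urls>", "*://*/*", "http://*/*", "https://*/*",
    "webRequest", "webRequestBlocking", "webNavigation",
    "tabs", "history", "cookies", "scripting", "declarativeNetRequest",
}

# Constructed 32-character extension IDs (Chrome IDs use the letters a-p).
TRUSTED_ID = "abcdefghijklmnopabcdefghijklmnop"
UNKNOWN_ID = "ponmlkjihgfedcbaponmlkjihgfedcba"


def _version_key(version):
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def inventory(user_data_dir):
    """Walk <user_data_dir>/<profile>/Extensions/<id>/<version>_<n>/manifest.json,
    the on-disk layout Chrome and Edge share, and return
    {ext_id: {"name", "version", "permissions"}}. MV3 host_permissions and
    content-script match patterns are folded into the permission set."""
    found = {}
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        version_dir = manifest.parent
        ext_id = version_dir.parent.name
        data = json.loads(manifest.read_text(encoding="utf-8"))
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        for script in data.get("content_scripts", []):
            perms |= set(script.get("matches", []))
        entry = {
            "name": data.get("name", "?"),
            "version": data.get("version", version_dir.name.split("_")[0]),
            "permissions": perms,
        }
        # Several versions can coexist on disk; keep the newest (active after an update).
        prev = found.get(ext_id)
        if prev is None or _version_key(entry["version"]) > _version_key(prev["version"]):
            found[ext_id] = entry
    return found


def audit(current, baseline, allowlist):
    """Compare an inventory with a saved baseline {id: {"version", "permissions"}}
    and an allowlist of IDs. Returns sorted (ext_id, finding, detail) tuples."""
    findings = []
    for ext_id, ext in current.items():
        if ext_id not in allowlist:
            findings.append((ext_id, "not_allowlisted", ext["name"]))
        risky = ext["permissions"] & RISKY_PERMISSIONS
        if risky:
            findings.append((ext_id, "risky_permissions", ",".join(sorted(risky))))
        old = baseline.get(ext_id)
        if old is None:
            findings.append((ext_id, "new_install", ext["version"]))
            continue
        if old["version"] != ext["version"]:
            findings.append((ext_id, "version_changed", f"{old['version']} -> {ext['version']}"))
        added = ext["permissions"] - set(old["permissions"])
        if added:  # a silent update that widened what the extension can reach
            findings.append((ext_id, "new_permissions", ",".join(sorted(added))))
    return sorted(findings)


def build_sample_user_data():
    """Write a constructed user-data directory to a temp folder and return its path."""
    root = Path(tempfile.mkdtemp())

    def write(ext_id, version, manifest):
        d = root / "Default" / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

    # Allowlisted tool before and after a silent update (both versions on disk):
    # the new build adds webRequest/tabs and <all_urls>, enough to watch every URL.
    write(TRUSTED_ID, "1.4.0", {"name": "Colour Tool", "version": "1.4.0",
                                 "manifest_version": 3, "permissions": ["storage"]})
    write(TRUSTED_ID, "2.0.1", {"name": "Colour Tool", "version": "2.0.1",
                                 "manifest_version": 3,
                                 "permissions": ["storage", "tabs", "webRequest"],
                                 "host_permissions": ["<all_urls>"]})
    # A second extension that was never approved at all.
    write(UNKNOWN_ID, "0.1", {"name": "Screenshot Helper", "version": "0.1",
                              "manifest_version": 3, "permissions": ["activeTab"]})
    return root


def run_demo():
    """Audit the constructed profile against a baseline taken before the update."""
    baseline = {TRUSTED_ID: {"version": "1.4.0", "permissions": ["storage"]}}
    return audit(inventory(build_sample_user_data()), baseline, allowlist={TRUSTED_ID})


if __name__ == "__main__":
    for ext_id, finding, detail in run_demo():
        print(f"{ext_id}  {finding:18} {detail}")
```

Against a real machine, call audit(inventory(path), baseline, allowlist) with the browser's user-data directory and feed the previous run's inventory back in as the baseline (permission sets serialised as lists). The filesystem can hold stale or disabled versions, so the browser's own extension state remains the authority; treat this as a scheduled visibility check that complements, rather than replaces, an enforced extension policy.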


The Browser as an Attack Vector. RedDirection as a Warning Sign


RedDirection is not an isolated case; it is a wake-up call.
Browsers are the entry point to modern systems: SaaS, VPNs, internal tools. And every unsupervised extension is a potential abuse vector.

This campaign didn’t compromise full infrastructures, but it showed how millions of users can unknowingly become part of a manipulated network.

Because while the user sees a tool…
The attacker sees a point of entry.
