An active campaign, identified as RedDirection, has compromised over 2.3 million users through Chrome and Edge browser extensions.
No advanced malware was needed. No zero-day vulnerabilities. Just legitimate extensions, available in official stores, that were updated with malicious code, without triggering alerts or early detection.
From Useful to Hostile: The Silent Shift
These extensions were functional and popular—common tools like color pickers or translators that passed all initial reviews. But after building a user base, they began exfiltrating traffic, redirecting sessions, and communicating with remote servers.
According to researchers from Cybernews and entities such as Singapore’s National SOC (CSA):
- They monitored URLs and browsing patterns in real time.
- They transmitted data to C2 infrastructure without encryption.
- They allowed attackers to disrupt user navigation via redirects.
The most downloaded extension, “Color Picker, Eyedropper – Geco colorpick”, had over 700,000 installations and even carried a verified badge.
Automated Trust: The Achilles’ Heel
No popups. No suspicious clicks. Just a silent update.
An automated action that enabled attackers to bypass traditional controls and evade detection systems.
SOC teams relying solely on static signatures or public IOC lists may have completely missed this behavior.
This case is a clear example of why we need to evolve toward strategies capable of detecting and disrupting behavior that looks benign on the surface.
What We Know — and Why It Matters
There was no ransomware. No evidence of mass credential theft.
But there was a clear pattern of ad fraud, data harvesting, and global abuse of user trust.
Some of the identified extensions:
Extension | Browser | Downloads
---|---|---
Color Picker, Eyedropper – Geco colorpick | Chrome | 700,000+
Web Developer Helper | Edge | 300,000+
Screenshot Tool | Chrome & Edge | 500,000+
Browsers Under Siege: What You Can Do
For individual users:
- Remove unused or threat-listed extensions.
- Review the permissions each extension requests.
- Use browsers that support process isolation or behavioral detection.
For SOCs and analysts:
- Implement extension control policies (whitelisting) and maintain visibility over installations.
- Monitor unusual outbound requests from browsers.
- Correlate web activity with network and endpoint logs for deeper defense.
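As an added example (not code from the article or from the researchers cited), a small Python audit that applies the two SOC recommendations above, allowlisting and permission visibility, to the extensions installed in a local Chrome or Edge profile. The profile path, the allowlist IDs and the set of permissions treated as high risk are assumptions; it relies only on the standard Extensions/<id>/<version>/manifest.json layout.

```python
"""Audit locally installed Chrome/Edge extensions against an allowlist and
flag permissions that let an extension watch or rewrite browsing."""
import json
import sys
from pathlib import Path

# Assumed risk set: permissions that allow URL monitoring, traffic
# interception or redirects, the capabilities abused in RedDirection.
HIGH_RISK_PERMISSIONS = {"webRequest", "webRequestBlocking", "tabs",
                         "history", "declarativeNetRequest", "<all_urls>"}


def assess_manifest(ext_id: str, manifest: dict, allowlist: set[str]) -> dict:
    """Return findings for one already-parsed manifest.json."""
    perms = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 moved them
    # to "host_permissions". Any wildcard host pattern counts as <all_urls>.
    perms |= set(manifest.get("host_permissions", []))
    if any(p == "<all_urls>" or p.startswith(("*://*/", "http://*/", "https://*/"))
           for p in perms):
        perms.add("<all_urls>")
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    return {
        "id": ext_id,
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "allowlisted": ext_id in allowlist,
        "risky_permissions": risky,
        # Needs analyst review: not approved AND able to read/redirect traffic.
        "review": ext_id not in allowlist and bool(risky),
    }


def scan_profile(profile_dir: Path, allowlist: set[str]) -> list[dict]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json."""
    findings = []
    for path in sorted((profile_dir / "Extensions").glob("*/*/manifest.json")):
        ext_id = path.parent.parent.name
        with open(path, encoding="utf-8") as f:
            findings.append(assess_manifest(ext_id, json.load(f), allowlist))
    return findings


if __name__ == "__main__":
    # Assumed default: Linux Chrome profile; pass another path as argv[1].
    profile = Path(sys.argv[1]) if len(sys.argv) > 1 \
        else Path.home() / ".config/google-chrome/Default"
    approved = set(sys.argv[2:])  # extension IDs the organisation approved
    for r in scan_profile(profile, approved):
        print(f"{'REVIEW' if r['review'] else 'ok':6} {r['id']} "
              f"{r['name']} {r['version']} {r['risky_permissions']}")
```

Run it on each managed endpoint and feed the REVIEW lines into the SIEM so they can be correlated with the outbound browser traffic mentioned above.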
The Browser as an Attack Vector: RedDirection as a Warning Sign
RedDirection is not an isolated case; it’s a wake-up call.
Browsers are the entry point to modern systems: SaaS, VPNs, internal tools. And every unsupervised extension is a potential abuse vector.
This campaign didn’t compromise full infrastructures, but it showed how millions of users can unknowingly become part of a manipulated network.
Because while the user sees a tool…
The attacker sees a point of entry.