Massive Browser Hijack: 2.3M Chrome & Edge Users Hit by Trojan Extensions

A massive browser hijacking campaign, dubbed RedDirection, has compromised over 2.3 million Google Chrome and Microsoft Edge users through 18 malicious extensions. Initially posing as legitimate productivity and entertainment tools, these extensions turned into Trojan horses via silent updates, exploiting user trust and bypassing verification processes. Here’s what you need to know about this cybersecurity threat, its impact, and how to stay safe.

The RedDirection Campaign: A Sophisticated Attack

Security researchers at Koi Security uncovered the RedDirection campaign, which involved 18 extensions that were once benign but later updated with malicious code. These extensions, including tools like “Color Picker, Eyedropper – Geco colorpick,” emoji keyboards, weather forecasts, and video speed controllers, had amassed hundreds of reviews and, in some cases, a Google-verified badge. Despite their legitimate functionality, they secretly hijacked browser sessions, tracked user activity, and maintained a backdoor to attacker-controlled servers

The campaign affected over 2.3 million users across Chrome and Edge, making it one of the largest browser hijacking operations documented. The extensions weren’t malicious from the start; some operated cleanly for years before a version update introduced malware. Due to automatic update mechanisms in Chrome and Edge, these malicious versions installed silently without user consent, requiring no phishing or social engineering.

How the Malware Operates

The malicious extensions activate with every new website visit, running scripts in the background to:

• Capture the URL of the visited website.

• Send it to a remote command-and-control (C2) server, along with a unique user identifier.

• Receive redirect instructions, potentially sending users to phishing sites mimicking legitimate services, such as fake bank login pages or fraudulent Zoom update prompts.

This man-in-the-middle capability allows attackers to steal credentials, deliver malware, or redirect users to malicious sites while the extensions continue to perform their advertised functions, like picking colors or boosting volume. Each extension operates with separate domains to appear independent, but all are linked to a centralized attack infrastructure.

Affected Extensions

Koi Security identified the following malicious extensions, urging users to remove them immediately:

Chrome:

• Emoji keyboard online – copy&paste your emoji

• Free Weather Forecast

• Video Speed Controller – Video Manager

• Unlock Discord – VPN Proxy to Unblock Discord Anywhere

• Dark Theme – Dark Reader for Chrome

• Volume Max – Ultimate Sound Booster

• Unblock TikTok – Seamless Access with One-Click Proxy

• Unlock YouTube VPN

• Color Picker, Eyedropper – Geco colorpick

• Weather

Edge:

• Unlock TikTok

• Volume Booster – Increase your sound

• Web Sound Equalizer

• Header Value

• Flash Player – games emulator

• Youtube Unblocked

• SearchGPT – ChatGPT for Search Engine

• Unlock Discord

While Microsoft has removed these extensions from the Edge Add-ons Store and disabled them for users, Google has yet to respond fully, and some extensions may still be active. Attacker-controlled domains linked to the campaign also continue to advertise malicious tools.

Why This Happened

The RedDirection campaign exploited weaknesses in browser extension update mechanisms. Both Google and Microsoft automatically push updates to users, which attackers leveraged to distribute malicious code without raising suspicion. Many extensions had built trust over time with positive reviews and featured placements, such as the Geco color picker with over 800 reviews and a 4.2-star rating. The failure of verification processes to detect these changes highlights gaps in browser store security.

This issue isn’t unique to Chrome and Edge. Any browser supporting extensions, including Firefox and Safari, can be targeted. Malicious actors often purchase or hijack popular extensions to exploit their established user base, turning trusted tools into “sleeper agents” for future attacks.

How to Protect Yourself

If you’ve installed any of the listed extensions, take immediate action to secure your data and device:

1. Remove Malicious Extensions: Open Chrome or Edge, navigate to Settings > Extensions, enable Developer Mode to view extension IDs, and remove any listed in the RedDirection campaign.

2. Clear Browser Data: Reset browsing history, cookies, cached files, and site data to eliminate tracking identifiers or stolen session tokens.

3. Reset Passwords: Change passwords for any accounts accessed while the extensions were installed, especially for sensitive services like banking. Use a reliable password manager to generate strong, unique passwords.

4. Enable Two-Factor Authentication (2FA): Add an extra layer of security to your accounts where possible.

5. Run a Malware Scan: Use trusted antivirus software to check for additional infections.

6. Monitor Accounts: Watch for unauthorized access or suspicious activity, and be cautious of fake security alerts from scammers.

7. Review Permissions: Be skeptical of extensions requesting excessive permissions after updates. Only install extensions from verified developers and scrutinize reviews, as ratings can be manipulated.

8. Keep Software Updated: Ensure your browser and remaining extensions are up to date to patch known vulnerabilities.

Malwarebytes recommends resetting browser settings to undo unauthorized changes, such as altered search engines or homepages, and staying vigilant for signs of compromise.

The Bigger Picture

The RedDirection campaign underscores the growing threat of malicious browser extensions. With attackers exploiting trusted platforms and automatic updates, users must remain proactive in managing their browser security. The fact that these extensions evaded detection despite Google’s and Microsoft’s verification processes raises concerns about the safety of browser stores.

This incident also highlights the broader risk of supply chain attacks, where trusted software is weaponized to spread malware. Similar campaigns have targeted extensions since at least December 2024, with some affecting up to 3.2 million users. The potential for extensions to bypass security measures, like Google’s Manifest V3, further complicates the issue.

Looking Ahead

While Microsoft has taken swift action to remove the RedDirection extensions, Google’s slower response leaves users vulnerable. The persistence of attacker-controlled domains suggests the threat may evolve, with new extensions or campaigns emerging. Security experts warn that “sleeper agent” extensions could remain dormant for years before activating, making ongoing vigilance critical.

For now, users should treat browser extensions with caution, regularly review installed add-ons, and rely on reputable antivirus solutions. As hackers continue to exploit the trust in browser stores, staying informed and proactive is the best defense against these silent threats.

Have you checked your browser extensions recently? Share your thoughts on this massive hijack in the comments below!