How Malicious Chrome and Edge Extensions Hijacked Users
A massive browser security breach has compromised over 2.3 million Chrome and Edge users, after once-trusted extensions quietly turned into Trojan spyware. According to Cybernews, malicious Chrome and Edge extensions received stealth updates that allowed them to track browsing activity, steal data, and redirect users to phishing websites—all without user interaction.
Security firm Koi Security discovered the threat, naming the coordinated operation RedDirection. These extensions weren’t flagged at first; in fact, some had Google verification, high ratings, and years of clean performance history before turning hostile.
How Malicious Chrome and Edge Extensions Operated
The attackers didn’t rely on phishing emails or suspicious downloads. Instead, they used a quiet version update—a normal browser feature—to push malicious code into popular tools. These updates were automatically installed without any warnings.
“No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance malware,” Koi researchers stated.
The extensions continued functioning as promised—whether for color picking, video control, or emoji keyboards—but also ran background scripts that monitored user activity and forwarded browsing data to external servers.
Every time users visited a website, the Trojan would:
- Capture the original URL
- Tag it with a unique identifier
- Send it to a command-and-control server
- Receive a fake redirect URL
- Automatically send the user to a phishing or malware page
List of Malicious Chrome and Edge Extensions
Koi Security provided the names of all malicious Chrome and Edge extensions involved. Here is the full list:
Chrome:
- Emoji keyboard online – copy&paste your emoji
- Free Weather Forecast
- Video Speed Controller – Video Manager
- Unlock Discord – VPN Proxy
- Dark Theme – Dark Reader for Chrome
- Volume Max – Ultimate Sound Booster
- Unblock TikTok – One-Click Proxy
- Unlock YouTube VPN
- Color Picker, Eyedropper – Geco colorpick
- Weather
Edge:
- Unlock TikTok
- Volume Booster – Increase your sound
- Web Sound Equalizer
- Header Value
- Flash Player – Games Emulator
- YouTube Unblocked
- SearchGPT – ChatGPT for Search Engine
- Unlock Discord
These tools appeared legitimate, operated under different developer names, and targeted users looking for productivity and entertainment features.
What to Do If You Installed Malicious Chrome and Edge Extensions
If you’ve used any of these extensions, take the following steps immediately:
- Uninstall the extensions from Chrome or Edge
- Clear your browser data, including cache and site settings
- Run a full system malware scan
- Check your online accounts for suspicious logins
- Review all browser extensions and remove anything unrecognized
“Even a safe-looking tool can become dangerous. Review your extensions regularly,” advised Koi Security.
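To make the last step above repeatable, here is an added example (not code from Koi Security or from this article) that walks a browser profile's Extensions folder, resolves each extension's display name, and reports whether it matches a name from the lists above and whether it can see every site you visit. It assumes the usual on-disk layout `<profile>/Extensions/<id>/<version>/manifest.json`; matching by name is a heuristic because the article lists names, not extension IDs.

```python
import json
import re
import sys
from pathlib import Path

def norm(name):
    """Lowercase and collapse punctuation so dash and ampersand variants compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()

FLAGGED = {norm(n) for n in [  # names copied from this article's lists (it gives no IDs)
    "Emoji keyboard online – copy&paste your emoji", "Free Weather Forecast", "Weather",
    "Video Speed Controller – Video Manager", "Unlock Discord – VPN Proxy", "Unlock Discord",
    "Dark Theme – Dark Reader for Chrome", "Volume Max – Ultimate Sound Booster", "Header Value",
    "Unblock TikTok – One-Click Proxy", "Unlock YouTube VPN", "Unlock TikTok", "YouTube Unblocked",
    "Color Picker, Eyedropper – Geco colorpick", "Volume Booster – Increase your sound",
    "Web Sound Equalizer", "Flash Player – Games Emulator", "SearchGPT – ChatGPT for Search Engine",
]}
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
URL_APIS = {"tabs", "webNavigation", "webRequest"}  # permissions that expose visited URLs

def load(path):
    """Parse a JSON object from a file; return {} if missing, malformed or not an object."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(ext_dir, man):
    """Resolve a localized "__MSG_key__" name via _locales/<default_locale>/messages.json."""
    name = str(man.get("name", ""))
    m = re.fullmatch(r"__MSG_(.+)__", name)
    msgs = load(ext_dir / "_locales" / str(man.get("default_locale", "en")) / "messages.json") if m else {}
    entry = {k.lower(): v for k, v in msgs.items()}.get(m.group(1).lower()) if m else None
    return entry.get("message", name) if isinstance(entry, dict) else name

def audit(ext_root):
    """Yield one finding per manifest under <profile>/Extensions/<id>/<version>/."""
    for mf in sorted(Path(ext_root).glob("*/*/manifest.json")):
        man = load(mf)
        grants = man.get("permissions", []) + man.get("host_permissions", [])
        grants += [u for cs in man.get("content_scripts", []) for u in cs.get("matches", [])]
        perms = {p for p in grants if isinstance(p, str)}
        name = display_name(mf.parent, man)
        yield {"id": mf.parent.parent.name, "name": name, "listed": norm(name) in FLAGGED,
               "all_sites": bool(perms & ALL_SITES), "url_apis": sorted(perms & URL_APIS)}

if __name__ == "__main__":
    print(json.dumps(list(audit(sys.argv[1])), indent=2, ensure_ascii=False))
```

Pass the Extensions directory of the profile as the only argument; on Windows the default profile is typically under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` for Chrome and `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions` for Edge. A `listed` hit on a generic name such as "Weather" is a lead to check by hand, not proof.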
Although the malicious extensions have now been pulled from official stores, some of their domains are still active, distributing similar tools.
Why Malicious Chrome and Edge Extensions Are a Growing Threat
This incident shows how easy it is for bad actors to exploit browser extension systems. Since Chrome and Edge allow automatic updates, an extension that is safe today may not be tomorrow.
Verification processes by both Google and Microsoft failed to detect these changes. The result is a global surveillance threat that reached millions before discovery.
Final Thoughts
The malicious Chrome and Edge extensions behind the RedDirection campaign demonstrate the hidden risks of browser add-ons. For users, this is a wake-up call: don’t assume an extension is safe just because it’s popular or verified.
Regularly audit your browser, use trusted antivirus software, and avoid installing extensions unless absolutely necessary.




