Browser Extensions Turned Trojan Overnight, Compromising 2.3 Million Users

Eighteen Chrome and Edge extensions’ updates transformed them into Trojans, compromising 2.3 million users by redirecting traffic, hijacking data, and enabling persistent access.

    Security researchers at Koi Security have uncovered a disturbing campaign called RedDirection, in which 18 previously harmless Chrome and Edge extensions were updated to include a hidden Trojan. The operation has compromised over 2.3 million users by turning these extensions into tools for redirecting traffic, hijacking data, and maintaining persistent control, all without the users’ knowledge.

    Extensions Switched Sides After Updates

    The extensions began as fully functional tools, such as color pickers, volume boosters, and weather services, with legitimate codebases that earned high user ratings, verified badges, and store promotions. Then, during a routine version update, the attackers injected a Trojan component whose malicious behavior activated as soon as the new version was installed.

    “Due to how Google and Microsoft handle browser extension updates, these malicious versions auto-installed silently,” the report explains.

    “No phishing. No social engineering. Just trusted extensions with quiet version bumps that turned productivity tools into surveillance malware.”

    One such extension, “Color Picker, Eyedropper – Geco colorpick,” was singled out because it now functions as both a useful utility and a covert Trojan. According to Koi Security:

    “This is a carefully crafted Trojan horse… tracking every website you visit, and maintaining a persistent command and control backdoor.”

    Despite retaining their legitimate functionality, the trojanized extensions silently monitored user activity. Each time a user visited a website, the malware captured the URL, reported it to a remote command-and-control server, and could redirect the user to phishing sites or display fake software-update prompts.

    Massive Scope, Sophisticated Tactics

    The RedDirection campaign stands out due to its scale and sophistication. With over 2.3 million installations, it’s among the largest known browser hijacking operations. The attackers managed to operate under multiple extension names and domains to evade store detection, all while using centralized infrastructure to manage the campaign.

    The threat remains significant even though the extensions have been removed from the Chrome and Edge stores. Many attacker-owned domains remain active, and dormant extensions—so-called “sleeper agents”—may still be lurking, poised for activation in future surges.

    Enterprise Risks and User Exposure

    This type of threat poses serious risks for businesses. An infected extension on a corporate device can let attackers launch targeted phishing campaigns, intercept login credentials, or redirect employees to malicious payloads.

    Enterprise users should take immediate action:

    • Remove any extension that is not essential, and scrutinize any that was recently updated.
    • Clear browser history, cookies, and site data to remove hidden session tokens.
    • Run full antivirus scans to detect residual threats.
    • Reset any credentials used while the extension was installed.
    • Enable two-factor authentication wherever possible.
    • Audit installed extensions regularly, since even trusted tools can turn rogue after an update.

    Malwarebytes’ advice points in the same direction:

    “If an extension asks for additional permissions after an update, that’s a good reason to look closely at what it requires.”

    The Bigger Picture for Browser Security

    The RedDirection campaign underscores a broader security challenge: browsers—and their extensions—are powerful tools but can become attack vectors overnight. Organizations and IT teams must implement strict controls on allowed extensions, enforce review processes, and apply network-based filtering or endpoint controls.
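    The extension audit recommended above, Malwarebytes’ point about permissions that appear after an update, and the allowlist controls this paragraph calls for can be tied together in a single script. The following is an added example written for this article, not code from Koi Security, Malwarebytes, or StoneFly: it diffs each installed extension’s manifest against the version that was last reviewed, flags new API permissions and host access, and emits a Chrome/Edge `ExtensionSettings` policy that allows only the extensions whose permissions are unchanged. Every extension ID, name, manifest, and the `*://*.corp.example` host pattern are constructed placeholders, not the RedDirection extensions or any real deployment.

```javascript
// Added example (not Koi Security's, Malwarebytes' or StoneFly's code): diff
// installed extension permissions against the last reviewed manifests, then
// emit a Chrome/Edge ExtensionSettings policy from the verdicts. Every
// extension ID, name and manifest below is a constructed sample.

// API permissions that let an extension observe or alter browsing; one of
// these appearing after an update is the signal to look closely.
const SENSITIVE_API = new Set([
  "tabs", "webNavigation", "webRequest", "webRequestBlocking",
  "declarativeNetRequest", "scripting", "cookies", "history", "proxy",
]);
// Host patterns that grant access to every site the user visits.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Split a manifest's permissions into API names and host patterns. Manifest V2
// lists host patterns under "permissions"; V3 moves them to "host_permissions".
function permissionProfile(manifest) {
  const api = new Set();
  const hosts = new Set();
  for (const p of [...(manifest.permissions || []), ...(manifest.host_permissions || [])]) {
    if (p === "<all_urls>" || p.includes("://")) hosts.add(p);
    else api.add(p);
  }
  return { api, hosts };
}

// Elements of `after` that are absent from `before`, in manifest order.
function added(before, after) {
  return [...after].filter((x) => !before.has(x));
}

// Verdicts: "unreviewed" (never approved), "unchanged", "updated" (version
// bump with identical permissions; the code still changed silently, so it
// needs a diff) or "escalated" (new API permissions or host access).
function auditExtension(id, reviewed, installed) {
  if (!reviewed) {
    return { id, name: installed.name, from: null, to: installed.version,
      newApi: [], newHosts: [], sensitive: false, verdict: "unreviewed" };
  }
  const before = permissionProfile(reviewed);
  const after = permissionProfile(installed);
  const newApi = added(before.api, after.api);
  const newHosts = added(before.hosts, after.hosts);
  const sensitive = newApi.some((p) => SENSITIVE_API.has(p)) ||
    newHosts.some((h) => BROAD_HOSTS.has(h));
  let verdict = "unchanged";
  if (newApi.length || newHosts.length) verdict = "escalated";
  else if (reviewed.version !== installed.version) verdict = "updated";
  return { id, name: installed.name, from: reviewed.version, to: installed.version,
    newApi, newHosts, sensitive, verdict };
}

// Audit every installed extension against the reviewed inventory.
function runAudit(reviewedInventory, installedInventory) {
  return Object.entries(installedInventory)
    .map(([id, manifest]) => auditExtension(id, reviewedInventory[id], manifest));
}

// ExtensionSettings policy (same schema on Chrome and Edge): block installs by
// default, allow only "unchanged" extensions, uninstall the rest until they are
// re-reviewed. runtime_blocked_hosts keeps even allowed extensions off the
// listed sites (pattern format assumed from the policy documentation).
function buildExtensionSettingsPolicy(findings, protectedHosts) {
  const policy = {
    "*": {
      installation_mode: "blocked",
      blocked_install_message: "Extensions must be approved by IT security.",
      runtime_blocked_hosts: protectedHosts,
    },
  };
  for (const f of findings) {
    policy[f.id] = { installation_mode: f.verdict === "unchanged" ? "allowed" : "removed" };
  }
  return policy;
}

// Constructed inventories. Real IDs are 32 characters in a-p; these are
// placeholders. REVIEWED is what security signed off on; INSTALLED is what the
// endpoints report today.
const REVIEWED = {
  aaaabbbbccccddddeeeeffffgggghhhh: { name: "Sample Color Picker", version: "1.4.2",
    manifest_version: 3, permissions: ["storage", "activeTab"], host_permissions: [] },
  iiiijjjjkkkkllllmmmmnnnnoooopppp: { name: "Sample Weather", version: "2.0.0",
    manifest_version: 3, permissions: ["storage", "geolocation"],
    host_permissions: ["https://api.weather.example/*"] },
  abababababababababababababababab: { name: "Sample Volume Booster", version: "3.1.0",
    manifest_version: 2, permissions: ["storage", "tabCapture"] },
};
const INSTALLED = {
  // Silent update: a color picker that now asks for tab tracking plus <all_urls>.
  aaaabbbbccccddddeeeeffffgggghhhh: { name: "Sample Color Picker", version: "1.5.0",
    manifest_version: 3, permissions: ["storage", "activeTab", "tabs", "webNavigation"],
    host_permissions: ["<all_urls>"] },
  // Version bump with identical permissions: still needs a code diff.
  iiiijjjjkkkkllllmmmmnnnnoooopppp: { name: "Sample Weather", version: "2.0.1",
    manifest_version: 3, permissions: ["storage", "geolocation"],
    host_permissions: ["https://api.weather.example/*"] },
  abababababababababababababababab: { name: "Sample Volume Booster", version: "3.1.0",
    manifest_version: 2, permissions: ["storage", "tabCapture"] },
};

const findings = runAudit(REVIEWED, INSTALLED);
for (const f of findings) {
  const extra = [...f.newApi, ...f.newHosts];
  console.log(`${f.verdict.padEnd(10)} ${f.name} ${f.from} -> ${f.to}` +
    (extra.length ? `  added: ${extra.join(", ")}` : ""));
}
console.log(JSON.stringify(buildExtensionSettingsPolicy(findings, ["*://*.corp.example"]), null, 2));
```

    The policy treats an "updated" extension the same as an "escalated" one, uninstalling it until someone has diffed the new code, because the extensions in this campaign changed hands without changing their declared permissions. Relax that to `allowed` only if the audit also compares the unpacked extension code, not just the manifest.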

    Browser-based threats are just one part of a larger attack surface. Without robust backup and recovery measures—including protection against tampered browser states—companies are vulnerable to persistent compromise.

    Ensuring the integrity of user environments goes hand in hand with a strong data resilience strategy. When a compromise is discovered, enterprises need reliable, immutable backups to restore systems securely and confidently.

    Looking for a trusted recovery solution?
    Defend your organization with StoneFly DR365—an air-gapped, immutable backup and recovery appliance trusted by enterprises to ensure zero data loss even in the event of complex cyberattacks.
