🕵️‍♂️ What Happened?
Cybersecurity researchers from Koi Security have exposed “Operation RedDirection”, a massive surveillance campaign involving 18 browser extensions with over 2 million installs across Google Chrome and Microsoft Edge.
These extensions disguised themselves as useful tools—such as weather apps, emoji keyboards, and VPNs. Once widely adopted, they received silent updates injecting malicious code to spy on users and redirect web traffic.
🎯 How the Attack Works
- A user installs a seemingly legitimate browser extension.
- Later, it receives a background update with hidden malicious code.
- The extension begins to collect URLs and unique identifiers from every page visit.
- This data is sent to external command-and-control (C&C) servers.
- The server can then redirect users to phishing sites or malicious downloads.
Impact: Around 1.7 million Chrome users and 600,000 Edge users may have been affected—making it one of the largest known browser hijacking cases.
✅ What Should You Do Now?
1. Remove Suspicious Extensions Immediately:
- Emoji Keyboard Online
- Free Weather Forecast
- Unlock Discord
- Dark Theme
- Volume Max / Volume Booster
- Unblock TikTok / Unlock TikTok
- Unlock YouTube VPN / YouTube Unblocked
- SearchGPT / Geco Colorpick / Web Sound Equalizer
- Flash / Flash Player / Header Value
2. Clear Your Browser Data:
Delete cookies, cached files, local storage, and site data to wipe tracking remnants.
3. Run a Full Antivirus Scan:
Use a trusted tool like Malwarebytes to detect and remove threats.
4. Secure Your Online Accounts:
Change all passwords, enable 2FA, and monitor for unusual account activity.
5. Reset Your Browser Settings:
Revert your homepage and search engine, and remove any unknown toolbars or plugins.
6. Stay Vigilant:
Be cautious with extensions asking for excessive permissions. Regularly audit your installed add-ons.
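An added example (not from Koi Security or Malwarebytes) of the audit in steps 1 and 6: it reads every manifest.json under a Chrome or Edge profile's Extensions directory, resolves localized names, and flags names from the list above as well as extensions with access to all sites. The `audit()` helper and its output fields are assumptions; the page gives no extension IDs, so a name match is a lead for manual review rather than proof.

```python
import json
import sys
from pathlib import Path

# Names as listed on this page. The page gives no extension IDs, so a name
# match is a lead for manual review (unrelated add-ons can share a name).
LISTED = {n.lower() for n in (
    "Emoji Keyboard Online", "Free Weather Forecast", "Unlock Discord",
    "Dark Theme", "Volume Max", "Volume Booster", "Unblock TikTok",
    "Unlock TikTok", "Unlock YouTube VPN", "YouTube Unblocked", "SearchGPT",
    "Geco Colorpick", "Web Sound Equalizer", "Flash", "Flash Player",
    "Header Value")}
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def display_name(version_dir, manifest):
    """Resolve a __MSG_key__ name through the default locale's messages.json."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        path = version_dir / "_locales" / locale / "messages.json"
        try:
            raw = json.loads(path.read_text(encoding="utf-8-sig"))
            msgs = {k.lower(): v for k, v in raw.items()}  # keys ignore case
            name = msgs.get(name[6:-2].lower(), {}).get("message", name)
        except (OSError, ValueError, AttributeError):
            pass  # unreadable locale file: keep the raw placeholder
    return name.strip()

def audit(extensions_root):
    """One finding per <root>/<extension id>/<version>/manifest.json."""
    findings = []
    for mf in sorted(Path(extensions_root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mf.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # skip unreadable or malformed manifests
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        name = display_name(mf.parent, manifest)
        findings.append({
            "id": mf.parent.parent.name, "version": manifest.get("version"),
            "name": name, "listed": name.lower() in LISTED,
            "all_sites": any(p in BROAD for p in perms if isinstance(p, str))})
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    for finding in audit(sys.argv[1]):
        print(finding)
```

Pass the profile's Extensions directory as the first argument, for example `~/.config/google-chrome/Default/Extensions` on Linux. An extension that is both `listed` and `all_sites` matches the behaviour described above and should be removed first.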
📋 Technical SEO Recap
- Threat: 18 browser extensions with 2.3M+ downloads spying on users via stealth updates.
- How: They collect URLs and unique user data, then send it to attackers.
- Impact: 1.7M Chrome users and 600K Edge users affected.
- Action: Remove the listed extensions, clear browser data, run scans, enable 2FA, and review your extensions list.
🤝 Want the Full Details?
To explore the full technical breakdown, list of affected extensions, and official guidance, see the original article on Malwarebytes’ blog.
Don’t wait—check your browser extensions and take action now.