RedDirection: 18 extensions, millions of browsers compromised

An active campaign, identified as RedDirection, has compromised over 2.3 million users through Chrome and Edge browser extensions.

No advanced malware was needed. No zero-day vulnerabilities. Just legitimate extensions, available in official stores, that were updated with malicious code, without triggering alerts or early detection.

From Useful to Hostile: The Silent Shift

These extensions were functional and popular—common tools like color pickers or translators that passed all initial reviews. But after building a user base, they began exfiltrating traffic, redirecting sessions, and communicating with remote servers.

According to researchers from Cybernews and entities such as Singapore’s National SOC (CSA):

  • They monitored URLs and browsing patterns in real time.
  • They transmitted data to C2 infrastructure without encryption.
  • They allowed attackers to disrupt user navigation via redirects.

The most downloaded extension, “Color Picker, Eyedropper – Geco colorpick”, had over 700,000 installations and even carried a verified badge.

Automated Trust: The Achilles’ Heel

No popups. No suspicious clicks. Just a silent update. An automated action that enabled attackers to bypass traditional controls and evade detection systems.

SOC teams relying solely on static signatures or public IOC lists may have completely missed this behavior. This case is a clear example of why we need to evolve toward strategies capable of detecting and disrupting even seemingly benign behavior.

What We Know — and Why It Matters

There was no ransomware. No evidence of mass credential theft. But there was a clear pattern of ad fraud, data harvesting, and global abuse of user trust.

Some of the identified extensions:

Browsers Under Siege: What You Can Do

For individual users:

  • Remove unused or threat-listed extensions.
  • Review the permissions each extension requests.
  • Use browsers that support process isolation or behavioral detection.

For SOCs and analysts:

  • Implement extension control policies (whitelisting) and maintain visibility over installations.
  • Monitor unusual outbound requests from browsers.
  • Correlate web activity with network and endpoint logs for deeper defense.
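As an added illustration of the last two items (monitoring unusual outbound browser requests and correlating them with browsing activity), the following Python is example code written for this page, not code from the researchers or from the campaign write-up. It scores constructed browser-proxy log lines for the pattern described above: a POST from a browser process to a host outside the egress allowlist that is plaintext, aimed at a bare IP, or echoes a URL the user fetched moments earlier. The log format, process names, allowlist and addresses are all assumptions.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed log format: "<epoch_seconds> <process> <method> <url>" (assumption)
LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+)$")
BROWSER_PROCS = {"chrome.exe", "msedge.exe"}  # assumed browser process names
ALLOWED_HOSTS = {"api.example.com"}           # constructed egress allowlist
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
def parse(line):
    # Return a dict for a well-formed line, None for anything else
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proc, method, url = m.groups()
    return {"ts": int(ts), "proc": proc, "method": method, "url": url}

def find_suspicious(lines, window=10):
    """Flag browser POSTs that look like unencrypted exfil of browsing activity."""
    recent, findings = [], []  # recent: (ts, url) the browser fetched lately
    for line in lines:
        ev = parse(line)
        if ev is None or ev["proc"] not in BROWSER_PROCS:
            continue  # only browser processes matter for an extension campaign
        recent = [(t, x) for t, x in recent if ev["ts"] - t <= window]
        u = urlparse(ev["url"])
        if ev["method"] == "GET":
            recent.append((ev["ts"], ev["url"]))  # what the user just browsed
            continue
        if u.hostname in ALLOWED_HOSTS:
            continue
        reasons = []
        if u.scheme == "http":
            reasons.append("plaintext POST")
        if u.hostname and IPV4_RE.fullmatch(u.hostname):
            reasons.append("bare IP destination")
        if any(x in unquote(u.query) for _, x in recent):
            reasons.append("echoes recently visited URL")
        if reasons:
            findings.append((ev["ts"], u.hostname, reasons))
    return findings

# Constructed sample lines; 198.51.100.0/24 is an RFC 5737 documentation range
SAMPLE_LOG = [
    "1000 chrome.exe GET https://intranet.corp.example/wiki/Page",
    "1002 chrome.exe POST http://198.51.100.7/collect?u=https%3A%2F%2Fintranet.corp.example%2Fwiki%2FPage",
    "1030 chrome.exe POST https://api.example.com/sync",
    "1060 outlook.exe POST http://198.51.100.7/collect",
    "1100 chrome.exe GET https://mail.example.com/inbox",
    "1105 msedge.exe POST https://cdn.example.net/telemetry",
]
```

Only the second line is flagged: the non-browser process and the allowlisted or well-formed HTTPS POSTs pass, which is the point of correlating the request with what the same browser just loaded rather than matching a static indicator.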

The Browser as an Attack Vector. RedDirection as a Warning Sign

RedDirection is not an isolated case; it’s a wake-up call. Browsers are the entry point to modern systems: SaaS, VPNs, internal tools. And every unsupervised extension is a potential abuse vector.

This campaign didn’t compromise full infrastructures, but it showed how millions of users can unknowingly become part of a manipulated network.

Because while the user sees a tool… the attacker sees a point of entry.
