Two Chrome Extensions Caught Secretly Stealing Credentials from Over 170 Sites
Cybersecurity researchers have discovered two malicious Google Chrome extensions with the same name and published by the same developer that come with capabilities to intercept traffic and capture user credentials. The extensions are advertised as a "multi-location network speed test plug-in" for developers and foreign trade personnel. Both the browser add-ons are available for download as of
AI Analysis
Technical Summary
Cybersecurity researchers identified two malicious Chrome extensions, both named Phantom Shuttle and published by the same developer, which have been available for download since 2017 and 2023 respectively. Marketed as multi-location network speed test tools targeting developers and foreign trade personnel, these extensions deceive users into subscribing to a VPN-like service. Upon subscription, the extensions activate a 'smarty' proxy mode that routes traffic from over 170 targeted domains—including major developer platforms (GitHub, Stack Overflow), cloud providers (AWS, Azure), enterprise services (Cisco, IBM), social media, and adult sites—through attacker-controlled proxies. The extensions inject hardcoded proxy credentials into every HTTP authentication challenge using the chrome.webRequest.onAuthRequired listener, bypassing user prompts and enabling transparent man-in-the-middle interception. This setup allows the attacker to capture and manipulate network traffic in real time, stealing credentials, cookies, API keys, credit card data, and browsing history. Additionally, the extensions send a heartbeat every 60 seconds to a command-and-control server at phantomshuttle.space, exfiltrating VIP user emails, plaintext passwords, and version info every five minutes. The malicious code modifies bundled JavaScript libraries to facilitate these operations. The subscription payment system, integrated with Alipay and WeChat Pay, and hosting on Alibaba Cloud suggest a China-based threat actor. The inclusion of adult content sites likely serves as leverage for blackmail. The operation has persisted for eight years, highlighting the risk posed by unmanaged browser extensions in enterprise environments. The threat enables comprehensive data theft, session monitoring, and potential supply chain attacks through stolen developer secrets.
Potential Impact
European organizations are at significant risk due to the extensive list of targeted domains that include widely used developer platforms, cloud infrastructure providers, and enterprise solutions critical to business operations. The interception and theft of credentials, API keys, and session tokens can lead to unauthorized access to corporate networks, cloud environments, and sensitive data repositories. This can result in data breaches, intellectual property theft, financial fraud, and disruption of services. The presence of social media and adult content sites in the proxy list increases the risk of reputational damage and blackmail attempts against individuals within organizations. The potential for supply chain attacks via stolen developer secrets could have cascading effects on software integrity and security across European industries. The subscription-based model also means that a persistent and possibly growing user base within Europe may be unknowingly compromised. The stealthy nature of the extensions, combined with their legitimate appearance and functionality, complicates detection and response efforts, increasing the likelihood of prolonged exposure and damage.
Mitigation Recommendations
European organizations should immediately audit and remove the identified Phantom Shuttle extensions from all endpoints. Implement strict browser extension allowlisting policies to prevent installation of unauthorized or suspicious extensions, especially those requesting proxy permissions or involving subscription payments. Deploy endpoint detection solutions capable of monitoring browser extension behavior and network proxy configurations. Network teams should monitor for unusual proxy authentication attempts and inspect traffic for signs of man-in-the-middle interception, particularly targeting the domains listed in the threat. Employ network segmentation and zero trust principles to limit the impact of compromised credentials. Educate users about the risks of installing unverified extensions and subscribing to unknown services. Regularly review and revoke exposed credentials and API keys, and enforce multi-factor authentication on critical services. Collaborate with cloud and platform providers to detect anomalous access patterns that may indicate credential misuse. Finally, maintain updated threat intelligence feeds to identify emerging variants or related threats.
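The mechanism in the technical summary (a proxy permission plus a chrome.webRequest.onAuthRequired listener that answers every challenge with credentials baked into the code) is a pattern an extension audit can look for statically. The triage script below is an added example, not code from the article or from the Phantom Shuttle extensions; the sample manifest and background script are constructed to mirror the described behaviour, with placeholder credential values.

```javascript
// Static triage of an unpacked Chrome extension for the described pattern:
// proxy control, an onAuthRequired listener, and hardcoded auth credentials.
// Added example; not code from the article or from the extensions it describes.

const RISKY_PERMISSIONS = ["proxy", "webRequest", "webRequestBlocking", "webRequestAuthProvider"];

// Source-level indicators. A match is a triage lead, not proof of malice.
const INDICATORS = {
  onAuthRequiredListener: /webRequest\.onAuthRequired\.addListener/,
  hardcodedAuthCredentials:
    /authCredentials\s*:\s*\{[^}]*username\s*:\s*["'][^"']+["'][^}]*password\s*:\s*["'][^"']+["']/,
  forcedProxyConfig: /proxy\.settings\.set\s*\(/,
  proxyModeFixedOrPac: /mode\s*:\s*["'](fixed_servers|pac_script)["']/,
};

function triageExtension(manifestJson, backgroundSource) {
  const manifest = JSON.parse(manifestJson);
  const permissions = (manifest.permissions || []).filter((p) => RISKY_PERMISSIONS.includes(p));
  const indicators = Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(backgroundSource));
  let verdict = "none";
  if (permissions.length > 0 || indicators.length > 0) verdict = "review";
  // The combination the analysis describes: proxy control plus a silent credential reply.
  if (permissions.includes("proxy") && indicators.includes("onAuthRequiredListener") &&
      indicators.includes("hardcodedAuthCredentials")) verdict = "high";
  return { name: manifest.name, permissions, indicators, verdict };
}

// Constructed sample mirroring the described behaviour (placeholder values, not real IoCs).
const SAMPLE_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "speed-test-sample",
  permissions: ["proxy", "webRequest", "webRequestAuthProvider", "storage"],
  host_permissions: ["<all_urls>"],
});
const SAMPLE_BACKGROUND = `
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: PAC } }, scope: "regular" });
chrome.webRequest.onAuthRequired.addListener(
  (details, callback) => callback({ authCredentials: { username: "PLACEHOLDER_USER", password: "PLACEHOLDER_PASS" } }),
  { urls: ["<all_urls>"] }, ["asyncBlocking"]);
`;
// A benign extension for comparison: no proxy control, no auth listener.
const BENIGN_MANIFEST = JSON.stringify({ manifest_version: 3, name: "notes", permissions: ["storage"] });
const BENIGN_BACKGROUND = `chrome.storage.local.set({ ready: true });`;

console.log(triageExtension(SAMPLE_MANIFEST, SAMPLE_BACKGROUND));
console.log(triageExtension(BENIGN_MANIFEST, BENIGN_BACKGROUND));
```

To run it against a real unpacked extension, read its manifest.json and the background script named there into strings and pass them to triageExtension; any "high" result warrants pulling the extension and checking the proxy settings it installed.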
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/12/two-chrome-extensions-caught-secretly.html (fetched 2025-12-23T16:03:47.005Z, word count 1342)
Threat ID: 694abd65e971240e2a7b89a2
Added to database: 12/23/2025, 4:03:49 PM
Last enriched: 12/23/2025, 4:04:06 PM
Last updated: 12/23/2025, 6:42:28 PM