A massive browser hijack malware campaign has compromised millions of Chrome and Edge users.
Popular extensions—some trusted for years—were secretly updated to spy on users and redirect them to malicious websites.

Researchers from Koi Security warn that at least 2.3 million people have already been affected.
The scale of this silent attack marks one of the biggest browser extension breaches to date.


Clean Code for Years—Until Everything Changed

The malicious campaign, named RedDirection, involved eighteen popular browser extensions.
These extensions started as harmless tools, offering useful features like color picking, emoji keyboards, or video speed control.

Some even carried Google’s Verified badge, glowing reviews, and high rankings in the Chrome Web Store.
For years, nothing appeared suspicious—until new updates quietly injected dangerous code.

Because Google and Microsoft allow silent extension updates, users were automatically compromised without any action on their part.
No phishing, no social engineering—just trusted tools turning into Trojan malware.


What Does the Browser Hijack Malware Do?

The infected extensions behave normally on the surface.
They still pick colors, boost volume, and manage videos—exactly as promised.

But in the background, the malware tracks every website visited.
It collects the original URLs and sends them to an attacker-controlled server.

A command-and-control system can then redirect users to malicious sites at any moment.
These could be fake Zoom updates, cloned bank logins, or phishing pages aimed at stealing sensitive data.


One Attack, Multiple Extensions, Shared Infrastructure

Though each extension appeared unique, they shared a centralized attack infrastructure.
Separate domain names gave the illusion of different developers, masking the broader malicious operation.

Researchers say attackers can abuse this setup any time—silently hijacking browser sessions for fraud or cyberattacks.

The browser hijack malware campaign exploited the trust users placed in official web stores.
Verification processes failed, allowing malicious updates to bypass detection.


The Infected Extensions: What to Remove Immediately

Koi Security identified the following Chrome extensions in the attack:

  • Emoji keyboard online – copy&paste your emoji
  • Free Weather Forecast
  • Video Speed Controller – Video Manager
  • Unlock Discord – VPN Proxy
  • Dark Theme – Dark Reader for Chrome
  • Volume Max – Ultimate Sound Booster
  • Unblock TikTok – Proxy
  • Unlock YouTube VPN
  • Color Picker, Eyedropper – Geco colorpick
  • Weather

And the following Edge extensions:

  • Unlock TikTok
  • Volume Booster
  • Web Sound Equalizer
  • Header Value
  • Flash Player Emulator
  • YouTube Unblocked
  • SearchGPT – ChatGPT for Search
  • Unlock Discord

All affected extensions should be removed immediately.


How to Protect Yourself From Browser Hijack Malware

Deleting the malicious extensions is only the first step.
Users should also clear browser data, including cached links and stored identifiers.

Running a full malware scan can help identify other infections on the system.
Accounts linked to the affected browsers should be closely monitored for suspicious activity.

Experts warn that even trusted extensions can turn malicious after a simple update.
Users should regularly review installed add-ons and remove anything unnecessary.
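As an added defensive check, not part of the article or of Koi Security's research: the Python script below inventories the extensions installed in the default Chrome and Edge profiles, matches each extension's display name against the list published above (the article gives names rather than extension IDs, so name matching is only a heuristic and the list is assumed to be reproduced exactly as printed), and separately flags any extension that combines broad host access with tab or navigation permissions, the combination that makes silent URL collection and redirection possible. The profile paths, the permission heuristic and the sample manifests are assumptions made for this example; the article does not publish the extensions' manifests.

```python
#!/usr/bin/env python3
"""Inventory Chrome/Edge extensions and flag names from the RedDirection list (added example)."""
import json
import os
from pathlib import Path

# Display names as published in the article's Chrome and Edge lists (assumed exact).
REDDIRECTION_NAMES = {
    "Emoji keyboard online – copy&paste your emoji", "Free Weather Forecast",
    "Video Speed Controller – Video Manager", "Unlock Discord – VPN Proxy",
    "Dark Theme – Dark Reader for Chrome", "Volume Max – Ultimate Sound Booster",
    "Unblock TikTok – Proxy", "Unlock YouTube VPN",
    "Color Picker, Eyedropper – Geco colorpick", "Weather",
    "Unlock TikTok", "Volume Booster", "Web Sound Equalizer", "Header Value",
    "Flash Player Emulator", "YouTube Unblocked", "SearchGPT – ChatGPT for Search",
    "Unlock Discord",
}

# Generic risk heuristic (an assumption, not from the article): an extension that can read
# every site *and* observe or steer tabs can log visited URLs and redirect the user.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
NAV_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "declarativeNetRequest"}


def _normalize(name):
    # Fold dash variants, case and whitespace so store listings with plain hyphens still match.
    return name.replace("–", "-").replace("—", "-").casefold().strip()


KNOWN_BAD = {_normalize(n) for n in REDDIRECTION_NAMES}


def resolve_name(manifest, messages=None):
    """Resolve a localized manifest name (__MSG_key__) via _locales/<locale>/messages.json."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__") and messages:
        name = (messages.get(name[6:-2]) or {}).get("message", name)
    return name


def classify_manifest(manifest, messages=None):
    """Return the resolved name, version and a list of findings for one manifest."""
    name = resolve_name(manifest, messages)
    perms = set(manifest.get("permissions", []))
    # Manifest V2 puts host patterns in "permissions"; V3 uses "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if _normalize(name) in KNOWN_BAD:
        findings.append("name matches RedDirection list")
    if hosts & BROAD_HOSTS and perms & NAV_PERMISSIONS:
        findings.append("broad host access plus navigation/tab permissions")
    return {"name": name, "version": manifest.get("version", "?"), "findings": findings}


def default_extension_dirs():
    """Default-profile extension folders for Chrome and Edge (assumed paths; other profiles
    live beside 'Default' as 'Profile 1', 'Profile 2', ... and should be checked too)."""
    home = Path.home()
    local = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
    candidates = [
        local / "Google" / "Chrome" / "User Data" / "Default" / "Extensions",
        local / "Microsoft" / "Edge" / "User Data" / "Default" / "Extensions",
        home / ".config" / "google-chrome" / "Default" / "Extensions",
        home / ".config" / "microsoft-edge" / "Default" / "Extensions",
        home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions",
        home / "Library" / "Application Support" / "Microsoft Edge" / "Default" / "Extensions",
    ]
    return [p for p in candidates if p.is_dir()]


def scan_extension_dir(ext_root):
    """Walk <root>/<extension id>/<version>/manifest.json and classify each extension."""
    results = []
    for manifest_path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        messages = None
        locale = manifest.get("default_locale")
        if locale:
            msg_path = manifest_path.parent / "_locales" / locale / "messages.json"
            if msg_path.is_file():
                messages = json.loads(msg_path.read_text(encoding="utf-8"))
        result = classify_manifest(manifest, messages)
        result["id"] = manifest_path.parent.parent.name
        results.append(result)
    return results


# Constructed sample manifests for an offline run; not real extension data.
SAMPLE_MANIFESTS = [
    ({"name": "__MSG_appName__", "version": "3.1", "default_locale": "en",
      "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
     {"appName": {"message": "Volume Max - Ultimate Sound Booster"}}),
    ({"name": "Notes Sidebar", "version": "1.0", "permissions": ["storage"]}, None),
]


def demo():
    """Classify the constructed samples (used when no browser profile is present)."""
    return [classify_manifest(m, msgs) for m, msgs in SAMPLE_MANIFESTS]


if __name__ == "__main__":
    dirs = default_extension_dirs()
    results = [r for d in dirs for r in scan_extension_dir(d)] if dirs else demo()
    for r in results:
        flag = "FLAG" if r["findings"] else "ok  "
        print(f"{flag} {r['name']} v{r['version']}  {'; '.join(r['findings'])}")
```

A name match should be treated as a reason to remove the extension and then follow the rest of the steps above (clear browser data, run a scan, watch linked accounts); the permission heuristic alone only tells you an extension *could* behave this way, so use it to decide what deserves a closer look rather than as proof of compromise.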

The browser hijack malware incident shows that vigilance is key—even when using verified tools.


Conclusion

The browser hijack malware attack reveals how fragile trust can be in the browser ecosystem.
Millions were exposed through no fault of their own, simply by using tools they believed were safe.

Google, Microsoft, and other tech giants must strengthen extension verification and monitoring.
For users, careful extension management and digital hygiene are essential defenses.

As cybercriminals grow bolder, silent threats like this will only become more common.
Staying informed and cautious is the best protection against the next digital ambush.
