high malicious update chromeedge

RedDirection

Legitimate, long-clean Chrome and Edge extensions turned malicious via routine auto-updates. Koi found 18 (~2.3M users); Spin.AI expanded the same campaign to 36 extensions and ~16.5M users.

Disclosed July 8, 2025

Blast radius ~16.5M users

Status delisted

Overview

RedDirection weaponized previously-clean browser extensions by pushing malware in routine version updates. The extension code was clean for years before the malicious update landed on the existing install base.

Payload

Captured the URL of every page visited and exfiltrated it with a unique tracking ID to a C2 server, enabling browser hijacking, redirection to attacker-controlled sites, and credential theft via fake banking pages.

IOC note

No file hashes were published for this campaign — only extension IDs and install counts. The exact malicious version per extension was not disclosed (malware was injected across updates), so versions are left open.

Affected extensions (36)

Name	Store	ID	Malicious version	Archived
2048 Game	chrome	iabflonngmpkalkpbjonemaamlgdghea	—	no
Adblock Unlimited - Adblocker	chrome	jiaopkfkampgnnkckajcbdgannoipcne	—	no
Image Downloader - Save pictures	chrome	daeljdgmllhgmbdkpgnaojldjkdgkbjg	—	yes
Web Music Downloader	chrome	dmbjkidogjmmlejdmnecpmfapdmidfjg	—	no
Super Mario Bros Game	chrome	pegfdldddiilihjahcpdehhhfcbibipg	—	no
Video downloader - download any video	chrome	kfpgookelklhphhnihipmknjdgbeecgj	—	no
Screen Capture	chrome	pmnphobdokkajkpbkajlaiooipfcpgio	—	no
Dictionary all over with Synonyms	chrome	ahjhlnckcgnoikkfkfnkbfengklhglpg	—	no
Multi Chat - Messenger for WhatsApp	chrome	dllplfhjknghhdneiblmkolbjappecbe	—	yes
Video Downloader Online	chrome	jglemppahimembneahjbkhjknnefeeio	—	no
PiP (Picture in picture)	chrome	nalkmonnmldhpfcpdlbdpljlaajlaphh	—	yes
Mute Tab - Silent in a click	chrome	inhefjomnpfkkegfklclbjhkifmpkkmn	—	no
Dark Mode for Chrome	chrome	jhhjdfldilccfllhlbjdlhknlfbhpgeg	—	no
Good Video Downloader	chrome	mhpcabliilgadobjpkameggapnpeppdg	—	no
Flash Player Enabler	chrome	eplfglplnlljjpeiccbgnijecmkeimed	—	no
Auto HD & Additions for Youtube	chrome	lagdcjmbchphhndlbpfajelapcodekll	—	no
What Font - find font	chrome	acpcapnaopbhbelhmbbmppghilclpkep	—	no
Floating Video with Playback Controls	chrome	pnanegnllonoiklmmlegcaajoicfifcm	—	yes
Emoji keyboard online	chrome	kgmeffmlnkfnjpgmdndccklfigfhajen	—	no
Free Weather Forecast	chrome	dpdibkjjgbaadnnjhkmmnenkmbnhpobj	—	no
Video Speed Controller - Video manager	chrome	gaiceihehajjahakcglkhmdbbdclbnlf	—	no
Unlock Discord - VPN Proxy	chrome	mlgbkfnjdmaoldgagamcnommbbnhfnhf	—	no
Dark Theme - Dark Reader for Chrome	chrome	eckokfcjbjbgjifpcbdmengnabecdakp	—	no
Volume Max - Ultimate Sound Booster	chrome	mgbhdehiapbjamfgekfpebmhmnmcmemg	—	no
Unblock TikTok	chrome	cbajickflblmpjodnjoldpiicfmecmif	—	no
Unlock YouTube VPN	chrome	pdbfcnhlobhoahcamoefbfodpmklgmjm	—	no
Color Picker, Eyedropper - Geco	chrome	eokjikchkppnkdipbiggnmlkahcdkikp	—	no
Weather	chrome	ihbiedpeaicgipncdnnkikeehnjiddck	—	no
Unlock TikTok	edge	jjdajogomggcjifnjgkpghcijgkbcjdi	—	no
Volume Booster - Increase your sound	edge	mmcnmppeeghenglmidpmjkaiamcacmgm	—	no
Web Sound Equalizer	edge	ojdkklpgpacpicaobnhankbalkkgaafp	—	no
Header Value	edge	lodeighbngipjjedfelnboplhgediclp	—	no
Flash Player - games emulator	edge	hkjagicdaogfgdifaklcgajmgefjllmd	—	no
Youtube Unblocked	edge	gflkbgebojohihfnnplhbdakoipdbpdm	—	no
SearchGPT - ChatGPT for Search Engine	edge	kpilmncnoafddjpnbhepaiilgkdcieaf	—	no
Unlock Discord	edge	caibdnkmpnjhjdfnomfhijhmebigcelo	—	no

Indicators of compromise (1)

domain

admitclick.net