Malicious Chrome Extensions “Phantom Shuttle” Masquerade as a VPN to Intercept Traffic and Exfiltrate Credentials
Blog post from Socket
Socket's Threat Research Team discovered two malicious Chrome extensions, tracked as Phantom Shuttle, that target developers and foreign trade personnel by posing as a network speed-testing tool that sells a VPN service. Active since at least 2017, the extensions lure users into paying for what appears to be a legitimate VPN subscription but instead intercept traffic, inject credentials, and exfiltrate data to a command-and-control (C2) server. Legitimate-looking interfaces and payment flows integrated with Alipay and WeChat Pay lend the extensions a facade of authenticity, while behind that facade they route the user's traffic through threat actor-controlled proxies and continuously transmit user credentials to the C2 server.

Despite their professional appearance and working functionality, the extensions are built to capture sensitive data, including passwords and session tokens, and so pose a significant risk to affected users and their organizations. At the time of publication the threat actor's infrastructure remained operational, and Socket had submitted takedown requests to Google's Chrome Web Store security team.