A sweeping malware operation dubbed the RedDirection campaign has compromised over 2.3 million Chrome and Edge users through 18 seemingly legitimate browser extensions, many of which carried “verified” status and featured placement on official extension marketplaces.
The campaign was uncovered by Koi Security during an investigation into a single extension, “Color Picker, Eyedropper — Geco colorpick.” Researchers discovered that although the tool functioned as advertised, it secretly hijacked browser activity, tracked visited websites, and communicated with remote command-and-control (C2) servers. Further analysis of code similarities and network infrastructure revealed a far-reaching operation that had quietly infiltrated millions of users across two major browser ecosystems.
Koi Security
Koi Security’s researchers found that the malware was not present in early versions of the extensions. These tools initially appeared benign, gaining user trust over months or even years through legitimate functionality and positive reviews. Only later did they receive updates that silently added malicious components, updates that were automatically installed due to how browser marketplaces handle extension versioning.
The core functionality of the malware revolves around browser hijacking triggered during tab updates. Embedded scripts in the extensions’ background service workers intercept page visits, send the URLs to remote servers such as admitclick.net, and redirect users based on attacker instructions. This allows for phishing, credential theft, and malware delivery.
The RedDirection campaign spans 18 extensions masquerading as productivity or entertainment tools. These include emoji keyboards, weather widgets, video speed controllers, VPNs for unlocking TikTok and Discord, and sound boosters. One of the compromised extensions, Volume Max – Ultimate Sound Booster, had already been highlighted in a previous report by LayerX.
That earlier report warned that the sound enhancement tools were acting as “sleeper agents,” silently communicating with domains like jermikro[.]com and awaiting remote commands. These extensions, which then had over 700,000 users, contained encrypted traffic, remote code execution capabilities, and links to known malware infrastructure. The overlap in infrastructure and techniques now connects those tools directly to the broader RedDirection operation.
Google’s Chrome Web Store and Microsoft’s Edge Add-ons marketplace both failed to detect or prevent the spread of these malicious extensions. Several were even granted verified status or featured placement, providing false assurance to users. The attackers used separate subdomains (e.g., click.videocontrolls.com, c.undiscord.com) for each extension, likely to obfuscate their centralized control structure and avoid detection.
Affected extensions include:
- Color Picker, Eyedropper — Geco colorpick
- Video Speed Controller — Video manager
- Unlock Discord — VPN Proxy
- Dark Theme — Dark Reader
- Volume Max — Ultimate Sound Booster
- Emoji Keyboard Online
- Unblock TikTok
- Unlock YouTube VPN
Users who installed these extensions should remove them from their browsers immediately, clear browsing data (cache and cookies), and run a full system scan with an up-to-date antivirus tool. Also, it is advised to monitor online accounts for signs of unauthorized activity.
Leave a Reply