ShadyPanda: Long-Running Spyware Campaign Affects Over 4.3 Million Users
Security firm Koi Security revealed that the malicious campaign “ShadyPanda,” which is linked to the Infinity New Tab (Pro) extension, has accumulated over 4.3 million installations across approximately 145 browser extensions disguised as wallpaper and productivity tools on Google Chrome and Microsoft Edge. Extensions published under the name Starlab Technology, including “WeTab New Tab” and “Infinity New Tab (Pro),” are still available on the Edge store and continue to collect user behavior data.
These extensions have full browser permissions, allowing them to load and execute any JavaScript code from a remote server on an hourly basis. They are used to steal sensitive data such as browsing history, search queries, keyboard input, click behavior, and fingerprint information, which is then encrypted and sent to an external server.
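The capability mix described above (access to every site plus a path for code that was never reviewed by the store) can be triaged from an installed extension's `manifest.json`. The following is an added example, not code from Koi Security's report or from any of the named extensions; the page does not list the exact permissions involved, so the permission names and CSP checks are assumptions based on standard Chrome/Edge manifest keys, and both sample manifests are constructed.

```javascript
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const SENSITIVE_APIS = new Set(["history", "tabs", "webRequest", "webNavigation", "scripting", "cookies"]);

function cspText(manifest) {
  const csp = manifest.content_security_policy || "";
  // MV2 stores the CSP as a string, MV3 as an object keyed by context.
  return typeof csp === "string" ? csp : Object.values(csp).join("; ");
}

function auditManifest(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  // MV2 lists host patterns under "permissions"; MV3 uses "host_permissions".
  const hosts = [...perms, ...(manifest.host_permissions || [])]
    .filter((p) => BROAD_HOSTS.has(p));
  if (hosts.length) findings.push(`all-sites host access: ${hosts.join(", ")}`);
  const apis = perms.filter((p) => SENSITIVE_APIS.has(p));
  if (apis.length) findings.push(`sensitive APIs: ${apis.join(", ")}`);
  // Content scripts matched on every page can observe keystrokes and clicks.
  const everywhere = (manifest.content_scripts || [])
    .some((cs) => (cs.matches || []).some((m) => BROAD_HOSTS.has(m)));
  if (everywhere) findings.push("content script injected on all sites");
  // eval or remote script origins in the CSP let code change after store review.
  const scriptSrc = /script-src([^;]*)/.exec(cspText(manifest));
  if (scriptSrc && /'unsafe-eval'|https?:\/\//.test(scriptSrc[1])) {
    findings.push("CSP permits eval or remote script origins");
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_RISKY = {
  manifest_version: 2,
  name: "Constructed New Tab Sample",
  permissions: ["<all_urls>", "history", "tabs", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["cs.js"] }],
  content_security_policy:
    "script-src 'self' 'unsafe-eval' https://cdn.example.invalid; object-src 'self'",
};
const SAMPLE_BENIGN = { manifest_version: 3, name: "Constructed Wallpaper Sample", permissions: ["storage"] };
```

A non-empty result is a reason to review the extension, not proof of malice; many legitimate extensions request some of these capabilities.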
On December 2, the WeTab / Infinity product team released a statement in response to allegations by a foreign security company that linked Clean Master, WeTab, Infinity, and other browser extensions to malicious activity. The company stated that the malicious update pushed to Clean Master in 2024 was not published by the original team.
According to the statement, the Chrome version of Clean Master has been entirely sold to a third party, and the company no longer has any control over it. The Edge version was actively removed in 2024. The WeTab and Infinity extensions were developed and operated independently by the company's team, with a completely different code architecture from the early Clean Master. An internal security audit did not find any malicious behavior. The two extensions are currently temporarily removed from the store because the Clean Master incident affected the developer account, and the company says it is actively communicating to have them restored.