A widespread browser hijacking campaign has quietly infected millions of users by exploiting trusted Chrome and Edge extensions. Security researchers from Koi Security have uncovered a coordinated operation — named RedDirection — in which 18 browser extensions, previously considered safe and even verified, were silently updated to include harmful code.
According to the report, the affected extensions, which include tools for color picking, video control, emoji input, and VPN access, initially functioned as expected. For months — in some cases years — their code remained clean. But after a version update, they transformed into Trojan-like malware without any user interaction or visible prompts.
Some of the extensions named in the report had previously held a Google verification badge, hundreds of positive reviews, and even featured placement in the Chrome Web Store. Their transformation into malicious tools went unnoticed by users and undetected by platform security mechanisms.
Once updated, the extensions began to monitor browser activity in real time. Each time a user opened a website, the extension captured the original URL and sent it — along with a unique identifier — to a remote command-and-control server. If instructed, the extension would then redirect the user to a phishing or malicious site, potentially stealing credentials or installing additional malware.
Importantly, the extensions retained full functionality, continuing to provide their advertised features. This dual behavior made detection by users unlikely and enabled attackers to exploit a large install base undisturbed.
Researchers highlighted that the malicious updates were distributed through the standard extension update process, with no phishing or user manipulation involved. As a result, even cautious users who installed only highly rated, well-reviewed tools were exposed.
All 18 extensions have now been removed from the Chrome and Edge web stores, but some associated domains remain active. Koi Security advises users to immediately uninstall any of the listed extensions, clear browser data, run system-wide malware scans, and review all installed browser add-ons for suspicious activity.
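One way to carry out the "review all installed browser add-ons" step, written here as an added example rather than code from Koi Security: it walks the on-disk extension directories that Chrome and Edge use, reports every installed extension's ID and version, and flags the ones that are on a blocklist or hold permissions that would allow the URL capture and redirection described above. The permission set treated as risky, the Linux profile paths, and the placeholder blocklist ID are this example's own assumptions; the sample profile it builds is constructed for testing.

```python
import json
import tempfile
from pathlib import Path

# Permissions that let an extension see every page a user opens and redirect the
# tab (the capabilities RedDirection abused). Treating these as risky is an assumption.
RISKY = {"tabs", "webNavigation", "webRequest", "webRequestBlocking",
         "declarativeNetRequest", "<all_urls>", "*://*/*"}
# Typical primary-profile locations on Linux (assumed defaults; on Windows use
# %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions and the Edge analogue).
CANDIDATE_DIRS = [Path.home() / ".config/google-chrome/Default/Extensions",
                  Path.home() / ".config/microsoft-edge/Default/Extensions"]

def inventory(ext_root: Path, blocklist=frozenset()):
    """Read <root>/<extension id>/<version>/manifest.json and list reasons to review."""
    findings = []
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                m = json.loads((ver_dir / "manifest.json").read_text("utf-8"))
            except (OSError, ValueError):
                continue  # unpacked or partially written extension; skip it
            perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
            reasons = []
            if ext_dir.name in blocklist:
                reasons.append("listed in blocklist")
            if perms & RISKY:
                reasons.append("can read every URL/redirect: " + ",".join(sorted(perms & RISKY)))
            findings.append({"id": ext_dir.name, "name": m.get("name", "?"),
                             "version": m.get("version", "?"), "review": reasons})
    return findings

def build_sample_profile() -> Path:
    """Constructed sample: a benign colour picker and one whose update gained tab access."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    for eid, ver, perms in [("aaaa" * 8, "1.2.0", ["storage"]),
                            ("bbbb" * 8, "3.0.1", ["tabs", "storage"])]:
        d = root / eid / ver
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(
            {"name": f"Color Picker {eid[:4]}", "version": ver, "permissions": perms,
             "host_permissions": ["<all_urls>"] if "tabs" in perms else []}))
    return root

if __name__ == "__main__":  # replace the placeholder with the IDs from the report
    for root in filter(Path.is_dir, CANDIDATE_DIRS):
        for rec in inventory(root, blocklist={"EXTENSION_ID_FROM_REPORT"}):
            print(rec)
```

A flagged permission is not proof of compromise; many legitimate extensions need `tabs`, so the output is a review list to compare against the published extension IDs, not a verdict.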