{
  "type": "Domain",
  "indicator": "cleanmasters.store",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/cleanmasters.store",
    "alexa": "http://www.alexa.com/siteinfo/cleanmasters.store",
    "indicator": "cleanmasters.store",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 4156596161,
      "indicator": "cleanmasters.store",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 7,
      "pulses": [
        {
          "id": "69309b3e092978cc7433b4c7",
          "name": "4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign",
          "description": "A threat actor named ShadyPanda has been identified as responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. The campaign includes two active operations: a 300,000-user RCE backdoor and a 4-million-user spyware operation. ShadyPanda's extensions were featured and verified by Google, granting instant trust and massive distribution. The actor's strategy evolved from simple affiliate fraud to sophisticated browser control and long-term trust building. The malware collects extensive user data, including browsing history, search queries, and mouse clicks, transmitting it to servers in China. The success of this campaign highlights vulnerabilities in browser marketplace security models and the potential for widespread exploitation through trusted update mechanisms.",
          "modified": "2025-12-04T11:14:51.532000",
          "created": "2025-12-03T20:19:10.190000",
          "tags": [
            "browser extension",
            "malware campaign",
            "spyware",
            "chrome",
            "infinity v+",
            "clean master",
            "trust exploitation",
            "data exfiltration",
            "wetab",
            "edge",
            "rce backdoor"
          ],
          "references": [
            "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
          ],
          "public": 1,
          "adversary": "ShadyPanda",
          "targeted_countries": [
            "China"
          ],
          "malware_families": [
            {
              "id": "Clean Master",
              "display_name": "Clean Master",
              "target": null
            },
            {
              "id": "Infinity V+",
              "display_name": "Infinity V+",
              "target": null
            },
            {
              "id": "WeTab",
              "display_name": "WeTab",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1559.002",
              "name": "Dynamic Data Exchange",
              "display_name": "T1559.002 - Dynamic Data Exchange"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1497.001",
              "name": "System Checks",
              "display_name": "T1497.001 - System Checks"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1553.005",
              "name": "Mark-of-the-Web Bypass",
              "display_name": "T1553.005 - Mark-of-the-Web Bypass"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1027.003",
              "name": "Steganography",
              "display_name": "T1027.003 - Steganography"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 31,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "hostname": 4
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 386471,
          "modified_text": "177 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69326c41d42decb549286c69",
          "name": "EbeeDec2025 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-01-04T05:04:24.496000",
          "created": "2025-12-05T05:23:13.601000",
          "tags": [
            "filehashsha256",
            "filehashsha1",
            "filehashmd5",
            "cve20121823 cve",
            "cve20213156 cve",
            "cve20214034 cve",
            "cve20222588 cve"
          ],
          "references": [],
          "public": 1,
          "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits, Arkanix Stealer",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 145,
            "FileHash-SHA1": 201,
            "FileHash-SHA256": 191,
            "CVE": 9,
            "URL": 35,
            "domain": 72,
            "email": 2,
            "hostname": 26
          },
          "indicator_count": 681,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 40,
          "modified_text": "146 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69365605d86425fd196c00ef",
          "name": "4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign",
          "description": "",
          "modified": "2025-12-08T04:37:25.256000",
          "created": "2025-12-08T04:37:25.256000",
          "tags": [
            "browser extension",
            "malware campaign",
            "spyware",
            "chrome",
            "infinity v+",
            "clean master",
            "trust exploitation",
            "data exfiltration",
            "wetab",
            "edge",
            "rce backdoor"
          ],
          "references": [
            "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
          ],
          "public": 1,
          "adversary": "ShadyPanda",
          "targeted_countries": [
            "China"
          ],
          "malware_families": [
            {
              "id": "Clean Master",
              "display_name": "Clean Master",
              "target": null
            },
            {
              "id": "Infinity V+",
              "display_name": "Infinity V+",
              "target": null
            },
            {
              "id": "WeTab",
              "display_name": "WeTab",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1056.001",
              "name": "Keylogging",
              "display_name": "T1056.001 - Keylogging"
            },
            {
              "id": "T1059.007",
              "name": "JavaScript",
              "display_name": "T1059.007 - JavaScript"
            },
            {
              "id": "T1559.002",
              "name": "Dynamic Data Exchange",
              "display_name": "T1559.002 - Dynamic Data Exchange"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1497.001",
              "name": "System Checks",
              "display_name": "T1497.001 - System Checks"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            },
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1205",
              "name": "Traffic Signaling",
              "display_name": "T1205 - Traffic Signaling"
            },
            {
              "id": "T1497.003",
              "name": "Time Based Evasion",
              "display_name": "T1497.003 - Time Based Evasion"
            },
            {
              "id": "T1185",
              "name": "Man in the Browser",
              "display_name": "T1185 - Man in the Browser"
            },
            {
              "id": "T1112",
              "name": "Modify Registry",
              "display_name": "T1112 - Modify Registry"
            },
            {
              "id": "T1553.005",
              "name": "Mark-of-the-Web Bypass",
              "display_name": "T1553.005 - Mark-of-the-Web Bypass"
            },
            {
              "id": "T1528",
              "name": "Steal Application Access Token",
              "display_name": "T1528 - Steal Application Access Token"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1056.002",
              "name": "GUI Input Capture",
              "display_name": "T1056.002 - GUI Input Capture"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1102.002",
              "name": "Bidirectional Communication",
              "display_name": "T1102.002 - Bidirectional Communication"
            },
            {
              "id": "T1027.003",
              "name": "Steganography",
              "display_name": "T1027.003 - Steganography"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69309b3e092978cc7433b4c7",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "hostname": 4
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 276,
          "modified_text": "173 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69306b8ebef6b6cf4a4d203e",
          "name": "ACTIVIDAD MALICIOSA | Relacionada con ShadyPanda 03-12-2025",
          "description": "Una operaci\u00f3n de malware de larga duraci\u00f3n conocida como \"ShadyPanda\" ha acumulado m\u00e1s de 4.3 millones de instalaciones de extensiones de navegador Chrome y Edge aparentemente leg\u00edtimas que evolucionaron a malware",
          "modified": "2025-12-03T16:55:42.813000",
          "created": "2025-12-03T16:55:42.813000",
          "tags": [
            "tcticas ta0001",
            "access ta0002",
            "tcnicas t1176",
            "t1040"
          ],
          "references": [
            "https://www.virustotal.com/gui/collection/985fb4a35dd6e19dbdcef28a04c7b10a219c5e072f2ec8b22792b3dce6bf785e/iocs",
            "https://www.virustotal.com/graph/embed/g5cfd75f64e284f60accd4274a5816bbae070d9485411464484f12576faac4c2a?theme=light"
          ],
          "public": 1,
          "adversary": "ShadyPanda",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1040",
              "name": "Network Sniffing",
              "display_name": "T1040 - Network Sniffing"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "esoporteingenieria2020",
            "id": "121604",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "hostname": 5
          },
          "indicator_count": 10,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 266,
          "modified_text": "178 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "693049b364a5bc5b65a08ddb",
          "name": "4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | Koi Blog",
          "description": "",
          "modified": "2025-12-03T14:31:15.649000",
          "created": "2025-12-03T14:31:15.649000",
          "tags": [
            "shadypanda",
            "master",
            "chrome",
            "edge",
            "microsoft edge",
            "wetab",
            "rce backdoor",
            "featured",
            "javascript",
            "phase",
            "zhang",
            "baidu"
          ],
          "references": [
            "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 5,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CyberHunter_NL",
            "id": "171283",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "hostname": 4
          },
          "indicator_count": 8,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 862,
          "modified_text": "178 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692fa630c8b1d4112447ae74",
          "name": "IOC - 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign",
          "description": "Koi researchers have identified a threat actor we're calling ShadyPanda - responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users.",
          "modified": "2025-12-03T02:53:36.279000",
          "created": "2025-12-03T02:53:36.279000",
          "tags": [
            "chrome",
            "edge"
          ],
          "references": [
            "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 4,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 4,
            "hostname": 1
          },
          "indicator_count": 5,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 137,
          "modified_text": "179 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "692e512d2503374907819007",
          "name": "ShadyPanda\u2019s Hidden Malware Network Infects Over 4 Million Browsers",
          "description": "Koi researchers have uncovered a seven-year spyware campaign that has infected more than 4.3 million users of Google's Chrome and Microsoft's Edge web browsers, and is now being used by a Chinese threat actor.",
          "modified": "2025-12-02T02:38:37.978000",
          "created": "2025-12-02T02:38:37.978000",
          "tags": [
            "shadypanda",
            "master",
            "chrome",
            "edge",
            "microsoft edge",
            "wetab",
            "rce backdoor",
            "featured",
            "javascript",
            "phase",
            "zhang",
            "baidu",
            "iocs c",
            "rce",
            "koidex"
          ],
          "references": [
            "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [
            {
              "id": "RCE",
              "display_name": "RCE",
              "target": null
            },
            {
              "id": "Koidex",
              "display_name": "Koidex",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1176",
              "name": "Browser Extensions",
              "display_name": "T1176 - Browser Extensions"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            }
          ],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "CODERED_VTA",
            "id": "349568",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "domain": 5,
            "hostname": 7
          },
          "indicator_count": 12,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 57,
          "modified_text": "180 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": false,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign",
        "https://www.virustotal.com/graph/embed/g5cfd75f64e284f60accd4274a5816bbae070d9485411464484f12576faac4c2a?theme=light",
        "https://www.virustotal.com/gui/collection/985fb4a35dd6e19dbdcef28a04c7b10a219c5e072f2ec8b22792b3dce6bf785e/iocs"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "ShadyPanda"
          ],
          "malware_families": [
            "Wetab",
            "Infinity v+",
            "Clean master"
          ],
          "industries": []
        },
        "other": {
          "adversary": [
            "ShadyPanda",
            "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits, Arkanix Stealer"
          ],
          "malware_families": [
            "Koidex",
            "Infinity v+",
            "Clean master",
            "Rce",
            "Wetab"
          ],
          "industries": []
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 7,
  "pulses": [
    {
      "id": "69309b3e092978cc7433b4c7",
      "name": "4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign",
      "description": "A threat actor named ShadyPanda has been identified as responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users. The campaign includes two active operations: a 300,000-user RCE backdoor and a 4-million-user spyware operation. ShadyPanda's extensions were featured and verified by Google, granting instant trust and massive distribution. The actor's strategy evolved from simple affiliate fraud to sophisticated browser control and long-term trust building. The malware collects extensive user data, including browsing history, search queries, and mouse clicks, transmitting it to servers in China. The success of this campaign highlights vulnerabilities in browser marketplace security models and the potential for widespread exploitation through trusted update mechanisms.",
      "modified": "2025-12-04T11:14:51.532000",
      "created": "2025-12-03T20:19:10.190000",
      "tags": [
        "browser extension",
        "malware campaign",
        "spyware",
        "chrome",
        "infinity v+",
        "clean master",
        "trust exploitation",
        "data exfiltration",
        "wetab",
        "edge",
        "rce backdoor"
      ],
      "references": [
        "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
      ],
      "public": 1,
      "adversary": "ShadyPanda",
      "targeted_countries": [
        "China"
      ],
      "malware_families": [
        {
          "id": "Clean Master",
          "display_name": "Clean Master",
          "target": null
        },
        {
          "id": "Infinity V+",
          "display_name": "Infinity V+",
          "target": null
        },
        {
          "id": "WeTab",
          "display_name": "WeTab",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1559.002",
          "name": "Dynamic Data Exchange",
          "display_name": "T1559.002 - Dynamic Data Exchange"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1497.001",
          "name": "System Checks",
          "display_name": "T1497.001 - System Checks"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1497.003",
          "name": "Time Based Evasion",
          "display_name": "T1497.003 - Time Based Evasion"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1553.005",
          "name": "Mark-of-the-Web Bypass",
          "display_name": "T1553.005 - Mark-of-the-Web Bypass"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1027.003",
          "name": "Steganography",
          "display_name": "T1027.003 - Steganography"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 31,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4,
        "hostname": 4
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 386471,
      "modified_text": "177 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69326c41d42decb549286c69",
      "name": "EbeeDec2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-01-04T05:04:24.496000",
      "created": "2025-12-05T05:23:13.601000",
      "tags": [
        "filehashsha256",
        "filehashsha1",
        "filehashmd5",
        "cve20121823 cve",
        "cve20213156 cve",
        "cve20214034 cve",
        "cve20222588 cve"
      ],
      "references": [],
      "public": 1,
      "adversary": "APT-C-35 (DoNot), Morte Loader, FunkSec Ransomware, Albiriox, eBPF-based rootkits, Arkanix Stealer",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 145,
        "FileHash-SHA1": 201,
        "FileHash-SHA256": 191,
        "CVE": 9,
        "URL": 35,
        "domain": 72,
        "email": 2,
        "hostname": 26
      },
      "indicator_count": 681,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 40,
      "modified_text": "146 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69365605d86425fd196c00ef",
      "name": "4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign",
      "description": "",
      "modified": "2025-12-08T04:37:25.256000",
      "created": "2025-12-08T04:37:25.256000",
      "tags": [
        "browser extension",
        "malware campaign",
        "spyware",
        "chrome",
        "infinity v+",
        "clean master",
        "trust exploitation",
        "data exfiltration",
        "wetab",
        "edge",
        "rce backdoor"
      ],
      "references": [
        "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
      ],
      "public": 1,
      "adversary": "ShadyPanda",
      "targeted_countries": [
        "China"
      ],
      "malware_families": [
        {
          "id": "Clean Master",
          "display_name": "Clean Master",
          "target": null
        },
        {
          "id": "Infinity V+",
          "display_name": "Infinity V+",
          "target": null
        },
        {
          "id": "WeTab",
          "display_name": "WeTab",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1056.001",
          "name": "Keylogging",
          "display_name": "T1056.001 - Keylogging"
        },
        {
          "id": "T1059.007",
          "name": "JavaScript",
          "display_name": "T1059.007 - JavaScript"
        },
        {
          "id": "T1559.002",
          "name": "Dynamic Data Exchange",
          "display_name": "T1559.002 - Dynamic Data Exchange"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1497.001",
          "name": "System Checks",
          "display_name": "T1497.001 - System Checks"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        },
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1205",
          "name": "Traffic Signaling",
          "display_name": "T1205 - Traffic Signaling"
        },
        {
          "id": "T1497.003",
          "name": "Time Based Evasion",
          "display_name": "T1497.003 - Time Based Evasion"
        },
        {
          "id": "T1185",
          "name": "Man in the Browser",
          "display_name": "T1185 - Man in the Browser"
        },
        {
          "id": "T1112",
          "name": "Modify Registry",
          "display_name": "T1112 - Modify Registry"
        },
        {
          "id": "T1553.005",
          "name": "Mark-of-the-Web Bypass",
          "display_name": "T1553.005 - Mark-of-the-Web Bypass"
        },
        {
          "id": "T1528",
          "name": "Steal Application Access Token",
          "display_name": "T1528 - Steal Application Access Token"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1056.002",
          "name": "GUI Input Capture",
          "display_name": "T1056.002 - GUI Input Capture"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1102.002",
          "name": "Bidirectional Communication",
          "display_name": "T1102.002 - Bidirectional Communication"
        },
        {
          "id": "T1027.003",
          "name": "Steganography",
          "display_name": "T1027.003 - Steganography"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69309b3e092978cc7433b4c7",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4,
        "hostname": 4
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 276,
      "modified_text": "173 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69306b8ebef6b6cf4a4d203e",
      "name": "ACTIVIDAD MALICIOSA | Relacionada con ShadyPanda 03-12-2025",
      "description": "Una operaci\u00f3n de malware de larga duraci\u00f3n conocida como \"ShadyPanda\" ha acumulado m\u00e1s de 4.3 millones de instalaciones de extensiones de navegador Chrome y Edge aparentemente leg\u00edtimas que evolucionaron a malware",
      "modified": "2025-12-03T16:55:42.813000",
      "created": "2025-12-03T16:55:42.813000",
      "tags": [
        "tcticas ta0001",
        "access ta0002",
        "tcnicas t1176",
        "t1040"
      ],
      "references": [
        "https://www.virustotal.com/gui/collection/985fb4a35dd6e19dbdcef28a04c7b10a219c5e072f2ec8b22792b3dce6bf785e/iocs",
        "https://www.virustotal.com/graph/embed/g5cfd75f64e284f60accd4274a5816bbae070d9485411464484f12576faac4c2a?theme=light"
      ],
      "public": 1,
      "adversary": "ShadyPanda",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1040",
          "name": "Network Sniffing",
          "display_name": "T1040 - Network Sniffing"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "esoporteingenieria2020",
        "id": "121604",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_121604/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 5,
        "hostname": 5
      },
      "indicator_count": 10,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 266,
      "modified_text": "178 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "693049b364a5bc5b65a08ddb",
      "name": "4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign | Koi Blog",
      "description": "",
      "modified": "2025-12-03T14:31:15.649000",
      "created": "2025-12-03T14:31:15.649000",
      "tags": [
        "shadypanda",
        "master",
        "chrome",
        "edge",
        "microsoft edge",
        "wetab",
        "rce backdoor",
        "featured",
        "javascript",
        "phase",
        "zhang",
        "baidu"
      ],
      "references": [
        "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 5,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CyberHunter_NL",
        "id": "171283",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4,
        "hostname": 4
      },
      "indicator_count": 8,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 862,
      "modified_text": "178 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692fa630c8b1d4112447ae74",
      "name": "IOC - 4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware Campaign",
      "description": "Koi researchers have identified a threat actor we're calling ShadyPanda - responsible for a seven-year browser extension campaign that has infected 4.3 million Chrome and Edge users.",
      "modified": "2025-12-03T02:53:36.279000",
      "created": "2025-12-03T02:53:36.279000",
      "tags": [
        "chrome",
        "edge"
      ],
      "references": [
        "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 4,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 4,
        "hostname": 1
      },
      "indicator_count": 5,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 137,
      "modified_text": "179 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "692e512d2503374907819007",
      "name": "ShadyPanda\u2019s Hidden Malware Network Infects Over 4 Million Browsers",
      "description": "Koi researchers have uncovered a seven-year spyware campaign that has infected more than 4.3 million users of Google's Chrome and Microsoft's Edge web browsers and is attributed to a Chinese threat actor.",
      "modified": "2025-12-02T02:38:37.978000",
      "created": "2025-12-02T02:38:37.978000",
      "tags": [
        "shadypanda",
        "master",
        "chrome",
        "edge",
        "microsoft edge",
        "wetab",
        "rce backdoor",
        "featured",
        "javascript",
        "phase",
        "zhang",
        "baidu",
        "iocs c",
        "rce",
        "koidex"
      ],
      "references": [
        "https://www.koi.ai/blog/4-million-browsers-infected-inside-shadypanda-7-year-malware-campaign"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [
        {
          "id": "RCE",
          "display_name": "RCE",
          "target": null
        },
        {
          "id": "Koidex",
          "display_name": "Koidex",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1176",
          "name": "Browser Extensions",
          "display_name": "T1176 - Browser Extensions"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1195",
          "name": "Supply Chain Compromise",
          "display_name": "T1195 - Supply Chain Compromise"
        }
      ],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "CODERED_VTA",
        "id": "349568",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_349568/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "domain": 5,
        "hostname": 7
      },
      "indicator_count": 12,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 57,
      "modified_text": "180 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": false,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "cleanmasters.store",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "cleanmasters.store",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1780197660.1940324
}