
Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials to attacker…

Published:

22 December 2025 at 20:52:58

Alert date:

22 December 2025 at 22:01:39

Source:

socket.dev


Socket researchers identified two malicious Chrome extensions, published under the name "Phantom Shuttle", that masquerade as VPN services and have been active since 2017. The extensions are sold on a subscription model at USD 1.40 to 13.50, and under that cover they intercept the user's browser traffic: they reconfigure the browser to route requests through attacker-controlled proxies and automatically answer the proxies' HTTP authentication challenges with the hardcoded credentials "topfany" / "963852wei", so the user is never prompted for them and gets no visible sign that a proxy is in the path. Collected data is continuously exfiltrated to the command-and-control server phantomshuttle[.]space. The extensions target more than 170 high-value domains, including developer tools, cloud services and social media platforms. More than 2,180 users are affected; because the operator sits in the request path as a man-in-the-middle, the ongoing credential theft extends to passwords, session tokens and browsing history.

Technical details

Mitigation steps:

Affected products:

Chrome Extensions
Google Chrome

Related links:

Related CVEs:

Related threat actors:

IOCs:

C2 domain: phantomshuttle[.]space
IP address: 47[.]244[.]125[.]55
Extension IDs: fbfldogmkadejddihifklefknmikncaj, ocpcmfmiidofonkbodpdhgddhlcmcofd
E-mail address: theknewone.com@gmail[.]com
Hardcoded proxy credentials: username topfany, password 963852wei
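As an added triage example (not code from Socket's report, from the extensions, or from this page), the script below checks a Chrome profile directory against the indicators listed above: it flags extension directories named after the two IDs, searches extension files and the profile's Preferences JSON for the C2 domain, the IP address and the hardcoded proxy credentials, and notes manifests that request the proxy and webRequest permissions an auth hijack of this kind depends on. It assumes the usual Chrome layout of <profile>/Extensions/<id>/<version>/ plus a JSON Preferences file and makes no assumption about where Chrome keeps proxy settings inside that JSON. The demo profile it builds is constructed for an offline run; its background.js is a stand-in, not the extensions' real code.

```python
import json
import tempfile
from pathlib import Path

# Indicators copied from the IOC list above, with the defanging removed
# so they match what is actually on disk.
MALICIOUS_EXTENSION_IDS = {
    "fbfldogmkadejddihifklefknmikncaj",
    "ocpcmfmiidofonkbodpdhgddhlcmcofd",
}
IOC_STRINGS = {
    "phantomshuttle.space": "C2 domain",
    "47.244.125.55": "IOC IP address",
    "topfany": "hardcoded proxy username",
    "963852wei": "hardcoded proxy password",
}
# Permissions needed to reroute traffic through a proxy and answer its auth
# challenge from the extension. Review signal only: real VPN extensions ask too.
PROXY_CAPABLE_PERMISSIONS = {"proxy", "webRequest", "webRequestBlocking",
                             "webRequestAuthProvider"}
TEXT_SUFFIXES = {".js", ".json", ".html", ".txt"}


def scan_text(text, location):
    """One 'high' finding per IOC string that occurs in text."""
    return [{"severity": "high", "location": location,
             "reason": f"{label} '{ioc}' present"}
            for ioc, label in IOC_STRINGS.items() if ioc in text]


def check_manifest(text, location):
    """Flag manifests requesting the permissions the technique relies on."""
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return [{"severity": "low", "location": location,
                 "reason": "manifest.json is not valid JSON"}]
    hits = set(manifest.get("permissions", [])) & PROXY_CAPABLE_PERMISSIONS
    if not hits:
        return []
    return [{"severity": "medium", "location": location,
             "reason": f"requests proxy-capable permissions {sorted(hits)}"}]


def scan_extensions_dir(extensions_dir):
    """Walk <profile>/Extensions/<id>/<version>/ and report IOC matches."""
    findings = []
    for id_dir in sorted(Path(extensions_dir).iterdir()):
        if not id_dir.is_dir():
            continue
        if id_dir.name in MALICIOUS_EXTENSION_IDS:
            findings.append({"severity": "high", "location": str(id_dir),
                             "reason": f"extension ID {id_dir.name} is a "
                                       "known Phantom Shuttle ID"})
        for path in id_dir.rglob("*"):
            if not path.is_file() or path.suffix not in TEXT_SUFFIXES:
                continue
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(text, str(path)))
            if path.name == "manifest.json":
                findings.extend(check_manifest(text, str(path)))
    return findings


def scan_preferences(prefs_path):
    """Walk a JSON preferences file; flag any string value carrying an IOC."""
    findings = []

    def walk(node, trail):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{trail}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{trail}[{i}]")
        elif isinstance(node, str):
            findings.extend(scan_text(node, f"{prefs_path}:{trail}"))

    with open(prefs_path, encoding="utf-8") as fh:
        walk(json.load(fh), "$")
    return findings


def scan_profile(profile_dir):
    """Scan one Chrome profile directory; returns a list of finding dicts."""
    profile_dir = Path(profile_dir)
    findings = []
    if (profile_dir / "Extensions").is_dir():
        findings.extend(scan_extensions_dir(profile_dir / "Extensions"))
    for name in ("Preferences", "Secure Preferences"):
        if (profile_dir / name).is_file():
            findings.extend(scan_preferences(profile_dir / name))
    return findings


def build_demo_profile():
    """Constructed sample profile (not real malware): one directory named after
    a Phantom Shuttle ID with stand-in files, plus one clean extension."""
    root = Path(tempfile.mkdtemp(prefix="phantom_shuttle_demo_"))
    bad = root / "Extensions" / "fbfldogmkadejddihifklefknmikncaj" / "1.0_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Phantom Shuttle VPN",
        "permissions": ["proxy", "webRequest", "webRequestAuthProvider"]}))
    (bad / "background.js").write_text(  # stand-in, not the extension's code
        'const PROXY_HOST = "47.244.125.55";\n'
        'const PROXY_AUTH = {username: "topfany", password: "963852wei"};\n'
        'const C2 = "https://phantomshuttle.space/";\n')
    good = root / "Extensions" / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "2.3_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Clean", "permissions": ["storage"]}))
    # Constructed preferences blob; the key name is made up for the demo.
    (root / "Preferences").write_text(json.dumps({
        "demo_proxy": "http://topfany:963852wei@47.244.125.55:8080"}))
    return root


if __name__ == "__main__":
    for f in scan_profile(build_demo_profile()):
        print(f["severity"].upper(), f["location"], f["reason"])
```

Point scan_profile at a real profile (on Linux, for example ~/.config/google-chrome/Default) to run it against a workstation. A hit on an extension ID or on the credentials is a confirmed install; the permission finding on its own is only a prompt to review that extension. Removing the extension does not undo what was already captured: passwords used and sessions opened on the targeted services while it was installed should be rotated and invalidated.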

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website shows information originating from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
