In recent days, various specialized media have warned about a cyberattack on Chrome and Edge browsers based on the distribution of malicious extensions through official channels. Far from being a one-off incident, the investigation points to a cyberespionage campaign sustained over time, with a direct impact on corporate environments and on business IT security.

The case is especially relevant because it does not exploit classic technical vulnerabilities, but trust in the browser ecosystem, an attack vector present in virtually every organization.

What is known about the cyberattack?

According to information recently published by several researchers and specialized media, apparently legitimate extensions that had been distributed for years through the official Google Chrome and Microsoft Edge stores have been identified.

These extensions:

  • Offered real and useful features
  • Passed the initial review controls
  • Accumulated millions of installations
  • Progressively activated malicious behavior

The objective was not to generate immediate impact, but to maintain persistent access to the user's browsing, allowing information collection, manipulation of web content and indirect access to corporate environments.

Investigations attribute this activity to Shadypanda, a cyberespionage campaign documented for years and associated with APT actors with advanced capabilities.

What is Shadypanda and why does it matter in this context

It is important to clarify that Shadypanda is not a specific group but a campaign that encompasses multiple cyberespionage operations sharing common technical and strategic patterns.

Shadypanda is characterized by:

  • Long-term operations
  • Low profile and minimal alert generation
  • Use of legitimate software as an attack vector
  • Abuse of digital supply chains
  • Focus on persistence and information collection

These types of campaigns do not seek to interrupt services or deploy ransomware. Their objective is to remain invisible for as long as possible, which is especially dangerous in business environments where the browser acts as an access point to critical systems.

Why browsers have become a priority target

In most organizations, the browser is now a central work platform, not a simple internet access tool.

From the browser you can access:

  • Corporate applications in the cloud
  • Email and collaborative tools
  • Financial platforms, CRMs and ERPs
  • Internal systems and critical services

When an extension obtains elevated permissions, it inherits the trust context of the corporate user. This allows an attack to take place without exploiting complex technical vulnerabilities, simply by abusing legitimate access.

From the point of view of business IT security, the browser thus becomes a direct extension of the corporate perimeter.

How do these types of extension-based attacks occur

This cyberattack follows an increasingly common pattern in advanced campaigns:

  1. Legitimate initial distribution
    Functional extensions aligned with real user needs.
  2. Building trust
    Long time without suspicious behavior and mass adoption.
  3. Progressive introduction of malicious code
    Through updates or remote activation of hidden features.
  4. Silent exploitation
    Access to authenticated sessions, data exfiltration and traffic manipulation.

This approach is difficult to detect because it does not generate obvious security events and is often beyond the reach of traditional controls.

Real risks for companies and organizations

The impact of these types of security breaches goes beyond the individual browser:

  • Theft of corporate credentials
  • Persistent access to cloud applications
  • Exposure of sensitive information
  • Regulatory breaches (ENS, ISO 27001, NIS2)
  • Difficulty determining the true extent of the incident

In many cases, when the malicious extension is identified, the attacker has already operated for months or years.

What measures effectively reduce this risk

Organizations with greater cybersecurity maturity tend to apply specific controls over browser use:

  • Centralized inventory of extensions
  • Restrictive installation and permission policies
  • Blocking unauthorized extensions
  • Monitoring for abnormal behavior
  • Specific browser risk awareness

These measures are especially critical in sectors with critical infrastructures, sensitive information or operational dependence on the digital environment.
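As an added example (not code from the original article or from Apolo Cybersecurity), the following Python script shows what the inventory and monitoring controls above look like in practice: it walks a Chrome or Edge profile's Extensions directory, compares each installed extension against a corporate allowlist, and flags those whose permissions would let them act inside every authenticated session. The profile layout, extension IDs and manifests used here are constructed samples.

```python
"""Audit extensions in a Chrome/Edge profile (<profile>/Extensions/<id>/<version>/manifest.json)
against a corporate allowlist and flag broad host access and session-reaching APIs."""
import json
import tempfile
from pathlib import Path

BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}  # every site the user is logged in to
SENSITIVE_APIS = {"cookies", "tabs", "history", "scripting", "webRequest", "webRequestBlocking", "declarativeNetRequest"}

def audit_profile(profile_dir, allowlist):
    """Return one finding dict per installed extension, sorted by extension ID."""
    findings = []
    for manifest_path in sorted(Path(profile_dir, "Extensions").glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        perms = set(manifest.get("permissions", []))
        # MV3 lists hosts under host_permissions; MV2 mixed them into permissions.
        hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
        for script in manifest.get("content_scripts", []):
            hosts |= set(script.get("matches", []))
        flags = []
        if ext_id not in allowlist:
            flags.append("not on allowlist")
        if hosts & BROAD_HOSTS:
            flags.append("broad host access")
        if perms & SENSITIVE_APIS:
            flags.append("sensitive APIs: " + ", ".join(sorted(perms & SENSITIVE_APIS)))
        findings.append({"id": ext_id, "name": manifest.get("name", "?"),
                         "version": manifest.get("version", "?"), "flags": flags})
    return findings

def build_sample_profile():
    """Constructed sample profile with made-up extension IDs so the audit runs offline."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"manifest_version": 3, "name": "Corp SSO helper", "version": "2.1",
            "permissions": ["storage"], "host_permissions": ["https://sso.example.internal/*"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"manifest_version": 3, "name": "Handy Tab Tools", "version": "5.0.3",
            "permissions": ["tabs", "cookies", "scripting"], "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / "Extensions" / ext_id / (manifest["version"] + "_0")  # on-disk dirs carry a _N suffix
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for finding in audit_profile(build_sample_profile(), allowlist={"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}):
        print(finding)
```

Run against a real profile directory with the organization's allowlist; an extension that is installed but absent from the allowlist, or that gains broad host access in a later version, is exactly the drift these campaigns rely on.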

The browser as part of the business attack surface

The cyberattack on Chrome and Edge browsers, linked to the Shadypanda campaign, reinforces a reality that many organizations have not yet accepted: the browser is part of the real business attack surface.

Not managing it as a critical asset implies accepting unnecessary risks, especially in the face of advanced campaigns that prioritize persistence over visible impact.

How Apolo Cybersecurity Can Help

At Apolo Cybersecurity, we help organizations identify attack vectors that often go unnoticed, such as those associated with browsers and extensions.

Our services include:

  • Risk assessment in browsers and endpoints
  • Audits aligned with ENS, ISO 27001 and NIS2
  • Defining safe browser use policies
  • Early detection of anomalous accesses
  • Business-oriented preventive approach

If you want to know what level of exposure your organization has to attacks like this and how to realistically reduce it, we can help you evaluate it before it becomes an incident.

Contact Apolo Cybersecurity and let's approach cybersecurity from a strategic and preventive perspective.
