
Malicious Chrome and Edge extensions that once looked harmless have quietly turned into a sprawling spyware operation, compromising more than 4 million devices and turning everyday browsing into a data-harvesting pipeline. What began as simple add-ons for emojis, wallpapers, or productivity tweaks has evolved into a long-running campaign that abuses user trust in browser marketplaces. The result is a wake-up call for anyone who treats extensions as low-risk utilities rather than as powerful software with deep access to personal data.
Researchers now describe a layered operation in which “sleeper” extensions stayed quiet for months, then activated tracking code through later updates and remote commands. The campaign has swept up users who installed tools on both Chrome and Edge, often from what appeared to be legitimate listings, and it has exposed how fragile the browser extension ecosystem really is when attackers are willing to play a long game.
How a seven-year campaign hijacked everyday browsing
The scale of the operation is staggering because it did not rely on a single rogue add-on but on a coordinated set of extensions that evolved over time. Security researchers have tied the activity to a seven-year malicious browser extension campaign that infected 4.3 million users of Google Chrome and Microsoft Edge, turning routine web sessions into opportunities for surveillance and fraud. The attackers did not need to break into operating systems or exploit exotic vulnerabilities; they simply rode on the permissions users willingly granted to extensions that looked useful or fun.
According to the Koi researchers who dissected the operation, one of the early stages involved a tool called Clean Master, which helped pave the way for a later 4 million-user spyware phase that leaned heavily on browser extensions. Over time, the attackers refined their approach, shifting from obvious adware to stealthier data collection that blended into normal browsing behavior. By the time the campaign reached its current scale, the malicious code was embedded in tools that many people had been using for months or years without suspecting anything was wrong.
“Sleeper” extensions that turned into live spyware
The most unsettling twist in this story is that many of the extensions did not start out overtly malicious. Researchers documented so-called “sleeper” browser extensions that behaved normally at first, then received updates that activated spyware functions on 4 million devices. These add-ons had already earned user ratings and a sense of legitimacy, which meant the switch to spying code happened after people had stopped paying close attention to what the extension was doing.
The pattern fits a broader trend that Koi Security has highlighted, in which legitimate extensions turned malicious in later updates once attackers gained control of the developer accounts or codebase. In practice, that means an extension that once simply changed your new tab page or added a shortcut can suddenly start logging search queries, capturing browsing histories, or exfiltrating other data in real time. The trust users place in updates, which usually fix bugs or add features, becomes a weapon when the update channel itself is compromised.
From emoji keyboards to “Unlock TikTok”: the lure of fake utility
The campaign has been so effective because the malicious extensions were wrapped in familiar, low-friction use cases that appeal to a broad audience. Security guidance now explicitly warns users to check their browsers for names like Emoji keyboard online on Chrome or Free Wea themed tools that promise quick weather updates, along with Unlock Discord on Edge. These labels are designed to sound like the kind of lightweight add-ons people install without a second thought, especially when they are trying to customize a new browser or replicate features they see on social media.
Earlier, over the summer, Koi described how the extensions in question masquerade as popular productivity and entertainment tools across diverse categories, from emoji packs to video helpers, spread across both major browser marketplaces. On Microsoft Edge, specific entries such as Unlock TikTok and Volume Boost appear in lists of extensions that users are being urged to remove, with identifiers like jjdajogomggcjifnjgkpghcijgkbcjdi for Unlock TikTok and other IDs tied to Volume Boost and Unlock Discord in the same family of threats. The attackers are betting that the promise of a louder YouTube tab or an easier way to access TikTok will outweigh any hesitation about granting broad permissions.
4.3 million victims on Chrome and Edge
What turns this from a niche security story into a mainstream privacy crisis is the sheer number of people affected. Reporting now indicates that 4.3 million users have installed at least one of the malicious browser extensions on Chrome and Edge, often thinking they were getting simple wallpapers or productivity improvements. A parallel account notes that the same 4.3 million figure applies across both Chrome and Edge, underscoring that this is not a single platform’s problem but a shared ecosystem failure.
Those numbers sit alongside the 4 million devices tied to the sleeper spyware phase, suggesting that the campaign has reached deep into the everyday browsing habits of people who may never have installed traditional malware. Because the extensions often marketed themselves as tools for Chrome and Edge users who wanted small conveniences, the victims include office workers, students, and families who simply clicked “Add to browser” on a trusted marketplace page. The line between a normal customization and a full-scale compromise has rarely been this thin.
How the extensions actually spy on you
Behind the friendly icons and upbeat descriptions, the malicious extensions behave like classic spyware once activated. Researchers have documented how the Sleeper browser extensions, after lying dormant, woke up as spyware on 4 million devices, capturing browsing activity and other data in real time. Because extensions sit inside the browser, they can see search terms, URLs, and sometimes the content of pages, especially when users grant permissions like “read and change all your data on the websites you visit.”
Koi Security researchers have also explained how hackers hide malware in popular Chrome extensions, often by embedding dormant code that only activates after a delay or in response to remote configuration changes. That approach helps the extensions pass initial reviews and avoid raising immediate red flags with users or automated scanners. Once live, the spyware can redirect search traffic, inject ads, or siphon off data that can be monetized or used for further attacks, all while the extension continues to deliver the basic emoji or utility feature that persuaded people to install it in the first place.
Why Chrome and Edge stores did not catch it sooner
The fact that these extensions were available through official marketplaces for Chrome and Edge raises hard questions about vetting and oversight. Earlier security analysis of malicious Chrome and Edge extensions noted that removing the malware is complicated by the reality that, at the time of writing, most AV engines do not detect the installers and the extensions have not yet been removed by Google or Microsoft from their respective stores. That gap between discovery and removal gives attackers a window to rack up more installs and to pivot to new identities when old ones are finally taken down.
Part of the problem is structural. Browser stores are designed to scale to millions of listings, which means automated checks and limited manual review. When attackers use later updates to flip legitimate extensions into malicious ones, the initial approval process is no longer enough. The Koi researchers’ findings about Clean Master feeding into a 4 million-user spyware phase show how a determined group can work within the rules of the ecosystem, then quietly subvert them over time. Until the stores treat extension updates with the same suspicion as new submissions, the door remains open for similar campaigns.
The social engineering layer: fake sites and “Search” bars
Technical tricks are only half the story. The attackers also invested in social engineering that steers users toward the malicious extensions in the first place. Reporting now details how attackers use fake websites disguised as portals to download popular software like Roblox FPS Unlocker, YouTube tools, or VLC, then push rogue Google Chrome and Microsoft Edge extensions as part of the process. A parent searching for Roblox FPS Unlocker to improve a child’s game performance might land on one of these sites and be nudged into installing a browser add-on that looks like a required helper.
Once inside the browser, the malicious Chrome extensions often lean on generic branding that blends into the background. Security researchers have pointed out that the malicious Chrome extensions usually have “Search” in their name, with examples like Custom Search Bar and Your Search Bar that sound like harmless tweaks to the default search experience. By the time users notice that their searches are being redirected or that extra ads are appearing, the extension may already have harvested a significant amount of data.
Why this campaign is different from past adware waves
Browser-based threats are not new, but several aspects of this campaign set it apart from the noisy adware waves of the past. The long timeline, stretching across seven years, and the use of sleeper behavior show a level of patience that is more typical of advanced espionage operations than of quick-hit malware. The attackers did not simply flood the stores with junk; they cultivated extensions that could survive scrutiny, gather positive reviews, and then quietly pivot into spyware once they had a large enough installed base.
Another difference is the way the campaign spans both consumer and quasi-enterprise contexts. Because Chrome and Edge are standard in workplaces and schools, an extension installed at home can follow a user onto corporate networks or shared devices. The fact that Koi Security and other researchers had to trace legitimate extensions that turned malicious in later updates underscores how traditional security advice, like “only install from official stores,” is no longer sufficient on its own. Users and administrators now have to think about extension hygiene in the same way they think about mobile app permissions or operating system updates.
What I would do now if I used Chrome or Edge
Faced with this kind of campaign, the most practical response is to treat every extension as a potential risk until proven otherwise. If I were using Chrome or Edge today, I would start by opening the extensions page and manually reviewing each entry, looking for anything that mentions Emoji, Free Wea style weather tools, Unlock TikTok, Volume Boost, or Unlock Discord, as well as generic Search bars like Custom Search Bar and Your Search Bar. Any extension whose purpose I could not clearly explain, or that I did not remember installing, would be removed on the spot.
From there, I would cross-check my list against the guidance that urges users to delete specific Chrome and Edge extensions, including the Microsoft Edge entries like Unlock TikTok and Volume Boost that have been tied to the same threat cluster. I would also follow the removal steps that explain how to remove the malware and malicious extensions, including resetting browser settings and scanning for leftover components, even if most AV engines are still catching up. Finally, I would make a habit of limiting new installs to extensions that are absolutely necessary, checking their permissions carefully, and revisiting the list every few months so that no sleeper has a chance to wake up unnoticed.
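The review described above can be scripted instead of done by eye. The example below is added here and is not from Koi or the original article: it walks a Chrome or Edge profile's Extensions/<id>/<version>/manifest.json tree and flags entries whose ID is on the published removal list (the one Edge ID quoted above), whose name matches the names called out in the article, or whose manifest requests the broad "read and change all your data on the websites you visit" access or other sensitive APIs. The sample profile it builds, and the two IDs beginning "abcdefgh" and "ponmlkji", are constructed for the demo; point scan_profile at a real profile directory (for example Chrome's "User Data\Default" or "~/.config/google-chrome/Default") to audit your own browser.

```python
import json
import tempfile
from pathlib import Path

# Indicators taken from the article: one extension ID quoted for Unlock TikTok (Edge)
# and the extension names users were told to look for.
KNOWN_BAD_IDS = {"jjdajogomggcjifnjgkpghcijgkbcjdi"}
SUSPECT_NAMES = ("emoji keyboard", "unlock tiktok", "unlock discord",
                 "volume boost", "custom search bar", "your search bar")
# Host patterns that grant the "read and change all your data on all websites" warning.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# APIs that let an extension see browsing activity or rewrite traffic.
SENSITIVE_PERMS = {"tabs", "history", "cookies", "webRequest",
                   "webRequestBlocking", "declarativeNetRequest"}

def assess_manifest(ext_id, manifest):
    """Return a list of reasons this extension deserves a manual look ([] if none)."""
    reasons = []
    name = str(manifest.get("name", "")).lower()   # assumes a literal, non-localized name
    perms = set(manifest.get("permissions", []))
    # MV2 puts host patterns in "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {p for p in perms if "://" in p or p == "<all_urls>"}
    if ext_id in KNOWN_BAD_IDS:
        reasons.append("id is on the published removal list")
    if any(s in name for s in SUSPECT_NAMES):
        reasons.append("name matches a flagged extension: " + manifest.get("name", ""))
    if hosts & BROAD_HOSTS:
        reasons.append("can read and change data on all sites")
    if perms & SENSITIVE_PERMS:
        reasons.append("sensitive APIs: " + ", ".join(sorted(perms & SENSITIVE_PERMS)))
    return reasons

def scan_profile(profile_dir):
    """Map extension ID -> reasons for every installed extension worth reviewing."""
    findings = {}
    for manifest_path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        ext_id = manifest_path.parent.parent.name          # Extensions/<id>/<version>/manifest.json
        manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        reasons = assess_manifest(ext_id, manifest)
        if reasons:
            findings[ext_id] = reasons
    return findings

def build_demo_profile():
    """Constructed sample profile (not real data) in the Chrome/Edge on-disk layout."""
    root = Path(tempfile.mkdtemp())
    samples = {  # the two 32-char IDs below are made up for this demo
        "jjdajogomggcjifnjgkpghcijgkbcjdi": {"name": "Unlock TikTok", "manifest_version": 3,
                                             "permissions": ["tabs", "storage"], "host_permissions": ["<all_urls>"]},
        "abcdefghijklmnopabcdefghijklmnop": {"name": "Custom Search Bar", "manifest_version": 2,
                                             "permissions": ["http://*/*", "https://*/*", "webRequest"]},
        "ponmlkjihgfedcbaponmlkjihgfedcba": {"name": "Dark Theme", "manifest_version": 3, "permissions": ["storage"]},
    }
    for ext_id, manifest in samples.items():
        ext_dir = root / "Extensions" / ext_id / "1.0.0_0"
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for ext_id, reasons in scan_profile(build_demo_profile()).items():
        print(ext_id, "->", "; ".join(reasons))
```

A match on permissions alone is a prompt to read the listing and justify the access, not proof of malice; the ID and name matches are the entries the article says to remove.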