RedDirection Campaign: 2.3 Million Users Hit by Malicious Chrome & Edge Extensions
At first glance, it appeared to be a typical browser extension — a sleek interface, a simple and intuitive color-picking function, high user ratings, and hundreds of glowing reviews. Yet behind this seemingly benign facade lurked a meticulously crafted trojan, designed to embed covert surveillance mechanisms within users’ browsers. Analysts at Koi Security uncovered that the widely popular extension Color Picker, Eyedropper — Geco colorpick, listed in both the Chrome and Edge extension stores, was in fact part of a large-scale malicious campaign known as RedDirection.
The Geco colorpick extension was downloaded by over 100,000 users. It boasted a stellar reputation — a 4.2-star rating, more than 800 reviews, a “Recommended” label in the Chrome Web Store, and similar accolades on the Microsoft Edge Add-ons platform. But instead of merely fulfilling its advertised purpose, the plugin granted attackers access to user activity, transmitted data to a remote server, and could redirect web traffic upon receiving external commands.
The tool did, in fact, perform its stated function — allowing users to identify and copy any color on a webpage. For designers, developers, and illustrators, this feature was genuinely useful. However, this functionality served only as a smokescreen for a far more insidious agenda.
Color Picker was not alone. Researchers identified 18 similar extensions for Chrome and Edge exhibiting comparable covert behavior. The total number of infected browsers surpassed 2.3 million, marking one of the largest such campaigns ever documented.
According to Koi Security analyst Idan Dardikman, RedDirection was anything but amateur. It represented a sophisticated, multi-stage operation. Initially, the extensions operated flawlessly, raising no suspicion. Only after several update cycles did the malicious code begin to emerge. Leveraging the auto-update mechanisms of Chrome and Edge, the altered versions were installed silently — without the user’s awareness or consent.
Thus, without phishing emails or suspicious attachments, without deception or trickery, millions of users became unwitting victims. The embedded module collected data on visited sites, recorded unique identifiers, and transmitted them to servers under the attackers’ control. Additionally, the malware could silently open websites in the background — completely bypassing user intent. This feature enabled click fraud, page spoofing, and delivery of further malicious content.
And the campaign extended far beyond color selection. The roster of compromised extensions included tools for weather forecasting, video speed control, VPN-based censorship circumvention, volume boosting, emoji insertion, and even ChatGPT integration. All functioned as promised — which is precisely why they evaded early detection.
Extensions involved in RedDirection include:
Chrome:
- Emoji keyboard online — copy & paste your emoji
- Free Weather Forecast
- Video Speed Controller — Video Manager
- Unlock Discord — VPN Proxy
- Dark Theme — Dark Reader for Chrome
- Volume Max — Ultimate Sound Booster
- Unblock TikTok — Seamless Access
- Unlock YouTube VPN
- Color Picker, Eyedropper — Geco colorpick
- Weather
Edge:
- Unlock TikTok
- Volume Booster — Increase Your Sound
- Web Sound Equalizer
- Header Value
- Flash Player — Games Emulator
- YouTube Unblocked
- SearchGPT — ChatGPT for Search Engine
- Unlock Discord
Dardikman notes that RedDirection’s success largely stemmed from its use of trusted, already-installed extensions as its delivery vector: the malicious code arrived through updates to extensions users had installed long before. Some even bore the “Verified” badge — an automatic trust marker awarded by Google based on popularity metrics. As of now, neither Google nor Microsoft has issued an official statement, and many of the listed modules remain publicly available.
Koi Security urgently recommends immediate removal of these extensions, manual clearing of browser caches, cookies, and local storage, and heightened monitoring of online accounts. Some components of the malware may persist even after uninstallation, meaning that removal alone may not ensure safety.
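To triage a machine against the list above, here is an added example (not from the Koi Security report): a Python scan of a Chromium-family profile directory that resolves each installed extension's manifest name, including localised `__MSG_` names, and flags any that matches a RedDirection listing. The report gives names only, so matching is by name; the extension IDs and the three-extension fixture are constructed, and a hit should be confirmed against the store listing before removal.

```python
import json, re, tempfile
from pathlib import Path
REDDIRECTION_NAMES = [  # names as listed in the report (Chrome and Edge lists combined)
    "Emoji keyboard online — copy & paste your emoji", "Free Weather Forecast", "Weather",
    "Video Speed Controller — Video Manager", "Unlock Discord — VPN Proxy", "Unlock Discord",
    "Dark Theme — Dark Reader for Chrome", "Volume Max — Ultimate Sound Booster", "Header Value",
    "Unblock TikTok — Seamless Access", "Unlock YouTube VPN", "Unlock TikTok", "YouTube Unblocked",
    "Color Picker, Eyedropper — Geco colorpick", "Volume Booster — Increase Your Sound",
    "Web Sound Equalizer", "Flash Player — Games Emulator", "SearchGPT — ChatGPT for Search Engine",
]

def normalise(name: str) -> str:
    # Map every Unicode dash to '-', collapse whitespace, lower-case: tolerant name matching.
    return re.sub(r"\s+", " ", re.sub(r"[\u2010-\u2015]", "-", name)).strip().lower()

SUSPECT = {normalise(n) for n in REDDIRECTION_NAMES}

def resolve_name(manifest: dict, version_dir: Path) -> str:
    # Localised names appear as "__MSG_key__" and resolve via _locales/<default_locale>/messages.json.
    m = re.fullmatch(r"__MSG_(\w+)__", manifest.get("name", ""))
    if m:
        msgs = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        try:
            return json.loads(msgs.read_text(encoding="utf-8-sig"))[m.group(1)]["message"]
        except (OSError, ValueError, KeyError, TypeError):
            pass  # missing or malformed locale file: fall back to the raw manifest name
    return manifest.get("name", "")

def scan_profile(profile_dir: str) -> list[dict]:
    # Walk <profile>/Extensions/<id>/<version>/manifest.json; Chrome and Edge share this layout.
    hits = []
    for manifest_path in (Path(profile_dir) / "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it rather than abort the whole scan
        if normalise(name := resolve_name(manifest, manifest_path.parent)) in SUSPECT:
            hits.append({"id": manifest_path.parents[1].name, "version": manifest_path.parent.name, "name": name})
    return hits

def build_sample_profile() -> str:
    # Constructed fixture, not real data: a plain-named match, a localised match and a benign extension.
    root = Path(tempfile.mkdtemp())
    for ext_id, manifest in {"aaaa": {"name": "Weather"}, "cccc": {"name": "Tab Counter"},
                             "bbbb": {"name": "__MSG_appName__", "default_locale": "en"}}.items():
        loc = root / "Extensions" / ext_id / "1.0" / "_locales" / "en"
        loc.mkdir(parents=True)
        (loc.parents[1] / "manifest.json").write_text(json.dumps(manifest))
        (loc / "messages.json").write_text(json.dumps({"appName": {"message": "Color Picker, Eyedropper - Geco colorpick"}}))
    return str(root)
```

On a real machine, point `scan_profile` at the browser profile (for example `~/.config/google-chrome/Default` or `~/.config/microsoft-edge/Default` on Linux) and review the returned IDs alongside the browser's extensions page.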
Until extension stores begin rigorously vetting each version of every plugin — including updates — such attacks will inevitably recur. Any familiar tool can become a Trojan horse. The threat of malicious extensions is no longer an isolated issue — it has become a systemic risk.