
Phantom Shuttle: Fake VPN Chrome Extensions Steal Credentials from 170+ High-Value Domains

Two identically-named Chrome extensions masquerading as legitimate VPN services have been secretly intercepting user traffic and harvesting credentials across more than 170 high-value domains. Operating since 2017, the Phantom Shuttle extensions charge subscription fees while functioning as man-in-the-middle proxies that exfiltrate passwords in plaintext to attacker infrastructure.

Evan Mael

Security researchers at Socket have uncovered a long-running credential theft operation hiding in plain sight within the Chrome Web Store. Two browser extensions sharing the name "Phantom Shuttle" have been intercepting user traffic and stealing login credentials while presenting themselves as legitimate network speed testing and VPN services.

Both extensions remain available for download despite their malicious functionality. The first variant appeared in November 2017 and has accumulated approximately 2,000 installations, while a second version published in April 2023 has garnered another 180 users. Together, they represent an eight-year campaign targeting unsuspecting users who believe they're purchasing privacy-enhancing tools.

Paying for Your Own Compromise

The extensions operate through a subscription model charging between ¥9.9 and ¥95.9 CNY ($1.40 to $13.50 USD), creating the illusion of a premium VPN service. Users who pay receive "VIP status" that automatically enables the proxy functionality—unknowingly activating the very mechanism that will steal their credentials.

To maintain the deception, both variants actually perform real latency tests on proxy servers and display genuine connection status indicators. This functional facade reinforces user trust while the extensions silently intercept network traffic, inject authentication credentials, and exfiltrate sensitive data to attacker-controlled infrastructure.

The sophisticated approach demonstrates how threat actors weaponize legitimate-appearing functionality to avoid suspicion. Users experience what appears to be a working VPN service, never realizing their traffic flows through hostile proxies capturing everything they transmit.

Under the Hood: Traffic Interception and Credential Injection

When any site requests HTTP authentication—whether Basic Auth, Digest Auth, or proxy authentication—the extension intercepts the request before users see any credential prompt. It immediately responds with hardcoded proxy credentials, establishing the attacker's position between users and their intended destinations without any visible indication.

The extensions implement three proxy modes through Proxy Auto-Configuration scripts:

  • Disabled mode: Extension appears inactive
  • Always mode: Routes ALL traffic through attacker infrastructure
  • Smarty mode: Selectively proxies traffic only to high-value targets

This selective approach reduces suspicion while maximizing credential capture from the most valuable accounts.
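Added example (not code from the article or from Socket's research): a Python triage function that classifies a PAC script recovered from an extension's source into the three modes described above, and lists the proxy endpoints and host patterns it routes there. The PAC samples and the 203.0.113.10 proxy address are constructed for the demonstration.

```python
import re

# Proxy directives a PAC can return: "PROXY host:port", "HTTPS host:port", "SOCKS5 host:port"
PROXY_RE = re.compile(r'"\s*(?:PROXY|HTTPS|SOCKS[45]?)\s+([^"\s;]+)')
DIRECT_RE = re.compile(r'"\s*DIRECT\s*"')
# Quoted strings that look like a host or a host glob such as "*.github.com"
DOMAIN_RE = re.compile(r'"((?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"')


def triage_pac(pac):
    """Classify a PAC script into the article's three modes: disabled (no
    proxy at all), always (every request proxied), smarty (selective)."""
    proxies = sorted(set(PROXY_RE.findall(pac)))
    proxy_hosts = {p.rsplit(":", 1)[0] for p in proxies}
    # Host literals that are not proxy endpoints are the selection targets.
    targets = sorted(d for d in set(DOMAIN_RE.findall(pac)) if d not in proxy_hosts)
    if not proxies:
        mode = "disabled"
    elif targets and DIRECT_RE.search(pac):
        mode = "smarty"       # some hosts proxied, the rest go DIRECT
    else:
        mode = "always"       # heuristic: no DIRECT fallback means everything is proxied
    return {"mode": mode, "proxies": proxies, "targets": targets}


# Constructed sample PACs (documentation-range proxy address, not real infrastructure).
SMARTY_PAC = """
var targets = ["*.github.com", "stackoverflow.com", "*.amazonaws.com"];
function FindProxyForURL(url, host) {
  for (var i = 0; i < targets.length; i++) {
    if (shExpMatch(host, targets[i])) return "PROXY 203.0.113.10:8080";
  }
  return "DIRECT";
}
"""
ALWAYS_PAC = 'function FindProxyForURL(url, host) { return "PROXY 203.0.113.10:8080"; }'
DISABLED_PAC = 'function FindProxyForURL(url, host) { return "DIRECT"; }'

if __name__ == "__main__":
    for name, pac in (("smarty", SMARTY_PAC), ("always", ALWAYS_PAC), ("disabled", DISABLED_PAC)):
        print(name, triage_pac(pac))
```

A non-empty `targets` list combined with a `DIRECT` fallback is the signature of the selective mode; the hosts it names are the accounts to rotate first.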

170+ High-Value Domains Under Surveillance


The hardcoded target list reveals the operation's strategic priorities:

Developer Platforms: GitHub, Stack Overflow, Docker—compromising these accounts could enable supply chain attacks affecting countless downstream projects.

Cloud Service Providers: Amazon Web Services, Microsoft Azure, Digital Ocean—credentials provide access to enterprise infrastructure worth far more than any subscription fee.

Enterprise Solutions: Cisco, IBM, VMware—business-focused targets rounding out the collection.

Social Media: Facebook, Instagram, Twitter—plus adult content sites, suggesting potential blackmail as an additional monetization vector.

The breadth of targets indicates opportunistic credential collection rather than focus on any single industry or user category.

Persistent Heartbeat Maintains Attacker Access


Beyond the man-in-the-middle position, the extensions implement continuous data exfiltration through regular communication with command-and-control infrastructure at phantomshuttle[.]space. Every 60 seconds, the extensions transmit heartbeat messages maintaining persistent connections to attacker servers.

The combination of real-time traffic interception through MitM positioning and scheduled credential exfiltration via heartbeat messages creates comprehensive data theft that continues operating for as long as the extensions remain installed.

China-Linked Operation and Enterprise Protection

Defensive Recommendations:

  • Implement extension allowlisting policies that restrict which browser add-ons employees can install
  • Monitor for extensions that combine subscription payment systems with proxy permissions, and treat that combination as an immediate investigation trigger
  • Monitor network traffic for suspicious proxy authentication attempts

Frequently Asked Questions

Navigate to chrome://extensions in your browser and search for 'Phantom Shuttle' or check for extension IDs fbfldogmkadejddihifklefknmikncaj or ocpcmfmiidofonkbodpdhgddhlcmcofd. Remove immediately if found and rotate passwords for all accounts, especially developer platforms and cloud services.
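Added example, not code from the article or from Socket: a Python check that serves both the permission-monitoring recommendation above and the extension-ID check in this answer. It assumes the standard Chrome profile layout Extensions/<id>/<version>/manifest.json; the permission names are Chrome's documented proxy and webRequest permissions, and the two IDs are the ones quoted in this article.

```python
import json
import os

# Extension IDs named in the article.
PHANTOM_SHUTTLE_IDS = {
    "fbfldogmkadejddihifklefknmikncaj",
    "ocpcmfmiidofonkbodpdhgddhlcmcofd",
}
# "proxy" lets an extension install a PAC script; the webRequest family
# lets it observe requests and supply credentials to HTTP auth challenges.
PROXY_PERMS = {"proxy"}
INTERCEPT_PERMS = {"webRequest", "webRequestBlocking", "webRequestAuthProvider"}
BROAD_HOSTS = ("<all_urls>", "*://*/", "http://*/", "https://*/")


def assess_extension(ext_id, manifest):
    """Return a list of findings for one manifest; [] means nothing flagged."""
    findings = []
    if ext_id in PHANTOM_SHUTTLE_IDS:
        findings.append("known Phantom Shuttle extension ID")
    perms = set(manifest.get("permissions", []))
    # MV2 lists host patterns under permissions; MV3 uses host_permissions.
    hosts = perms | set(manifest.get("host_permissions", []))
    if perms & PROXY_PERMS and perms & INTERCEPT_PERMS:
        findings.append("proxy + request/auth interception permissions")
        if any(h.startswith(BROAD_HOSTS) for h in hosts):
            findings.append("broad host access (every site reachable)")
    return findings


def scan_profile(profile_dir):
    """Assess <profile>/Extensions/<id>/<version>/manifest.json for each id."""
    flagged = {}
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return flagged
    for ext_id in os.listdir(ext_root):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in os.listdir(ext_dir):
            path = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8") as fh:
                findings = assess_extension(ext_id, json.load(fh))
            if findings:
                flagged[ext_id] = findings
    return flagged
```

Point `scan_profile` at a Chrome profile directory (the folder that contains `Extensions`, e.g. the `Default` profile) and act on every ID it returns; a hit on the permission combination alone is the "investigation trigger" from the recommendations, not proof of compromise.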

As of the research publication, both extensions remained available for download. Browser extension marketplaces struggle to detect sophisticated malware that provides genuine functionality alongside malicious behavior, and review processes often miss threats that activate only under specific conditions like VIP subscription status.

The targeted domain list emphasizes developer platforms like GitHub, Docker, and Stack Overflow. Compromised developer credentials could enable supply chain attacks where attackers inject malicious code into legitimate projects, potentially affecting thousands of downstream users and organizations.

The extensions provided genuine VPN functionality, performed real speed tests, and displayed legitimate connection status. By actually working as advertised while secretly intercepting traffic, they avoided the suspicion that purely malicious extensions would attract. The subscription model also created a sense of legitimacy.

Incident Summary

Type: Malware
Severity: High
Industry: Consumer
Threat Actor: Unknown (China-based suspected)
Target: Developers, Enterprise Users, Cloud Service Users, Social Media Users
Published: Jan 8, 2026
