Daily Briefing for 12.02.25

Top stories.

• Malicious browser extensions waited years before infecting users.
• New Android malware-as-a-service operation surfaces.
• MuddyWater campaign targets Israel and Egypt.

Malicious browser extensions waited years before infecting users.

Researchers at Koi warn that a threat actor dubbed "ShadyPanda" conducted a seven-year-long browser extension campaign that infected 4.3 million Chrome and Edge users. The extensions operated for years as legitimate tools, building trustworthy reputations and large user bases, before receiving malicious updates in mid-2024. Koi states, "These extensions now run hourly remote code execution - downloading and executing arbitrary JavaScript with full browser access. They monitor every website visit, exfiltrate encrypted browsing history, and collect complete browser fingerprints."

The apps have since been removed from the app stores, but Koi warns that previously infected browsers may still be compromised.

New Android malware-as-a-service operation surfaces.

Cleafy has published a report on a new strain of Android malware dubbed "Albiriox" that targets users of more than 400 banking and cryptocurrency applications. Albiriox surfaced in September 2025, and transitioned to a public malware-as-a-service operation in October. The malware is delivered via social engineering attacks that trick users into installing malicious apps.

The researchers note, "Albiriox combines two core attack vectors: a VNC-based Remote Access module for real-time device control, and an Overlay Attack mechanism for credential harvesting. While the remote control functionality is fully operational, the overlay component is under active development, with generic templates currently in place rather than application-specific phishing pages."

MuddyWater campaign targets Israel and Egypt.

ESET is tracking a new campaign by the Iranian threat actor MuddyWater targeting critical infrastructure entities in Israel and Egypt. The researchers note, "MuddyWater operators continue to rely on predictable and script-based backdoors written in PowerShell and Go. Their targeting remains focused on the telecommunications, governmental, and oil and energy sectors. Initial access is typically achieved through spearphishing emails, often containing PDF attachments that link to installers for RMM software hosted on free file-sharing platforms such as OneHub, Egnyte, or Mega. These links lead to the download of RMM tools, including Atera, Level, PDQ, and SimpleHelp."

Notably, the researchers observed one instance in which MuddyWater compromised an entity in Israel's manufacturing sector, and the entity was then infected by malware attributed to OilRig, a separate Iranian threat actor. ESET says this "suggests that MuddyWater may be acting as an initial access broker for other Iran-aligned groups."