September 5, 2025
Extensions to Avoid in Your Browser — Lessons from Koi Security’s RedDirection Investigation

In July 2025, a cybersecurity company called Koi Security revealed one of the most alarming browser-based threats in years.
They uncovered a coordinated spyware campaign — named RedDirection — where 18 Chrome and Edge extensions that appeared safe and useful had silently turned into surveillance tools. Combined, they reached over 2.3 million users.
But how did this happen on official browser stores?
The extensions people trusted, such as emoji keyboards, video speed tools, weather widgets and VPN proxies, behaved normally at first. Then a silent automatic update changed them, and they began:
- Tracking every page you visited
- Sending that data to remote servers
- Receiving commands to redirect your browser
- Faking pages (e.g. Zoom, banking logins) to steal your info
Because these extensions carried verified badges, good reviews and high install counts, users had no reason to suspect anything. A deeper investigation showed they were not isolated cases: they shared command infrastructure and hidden code patterns, and the malicious versions were delivered through silent updates on both browser stores. That shared backbone is why researchers treat them as one coordinated campaign, now known as RedDirection.
The 18 Extensions Involved in the RedDirection Campaign
Chrome Extensions:
Emoji Keyboard Online: Fun and friendly on the surface, but logged every URL you visited.
Free Weather Forecast: Displayed accurate forecasts while silently tracking your browsing history.
Video Speed Controller: Video Manager – Sped up videos as promised, but quietly sent your activity to a command server.
Unlock Discord (VPN Proxy): A tool to access Discord at school or work, repurposed to spy on your traffic.
Dark Theme: Dark Reader for Chrome – Enabled night mode, but included background surveillance code.
Volume Max: Ultimate Sound Booster – Boosted volume levels while leaking page visits behind the scenes.
Unblock TikTok: One‑Click Proxy – Opened TikTok where it’s blocked, but captured and forwarded URLs.
Unlock YouTube VPN: Used to bypass restrictions, also used to track every site visit.
Color Picker, Eyedropper: Geco colorpick – Looked like a basic design tool; it was the extension whose behavior first led researchers to the campaign.
Weather: Generic clone with the same spying behavior, used to diversify the threat.
Another Weather Clone: Same function, different name, equally dangerous.
Edge Extensions:
Unlock TikTok: The Edge version of the TikTok proxy; same hidden tracking features.
Volume Booster: Increase Your Sound – Did exactly what it said, while capturing browser activity in the background.
Web Sound Equalizer: Marketed as a simple audio tool; quietly logged every site you opened.
Header Value: Technical name, technical function, used to track your online behavior.
Flash Player: Games Emulator – Claimed to enable flash games; actually enabled remote hijacking.
YouTube Unblocked: Helped you access videos, helped attackers access your data.
SearchGPT: ChatGPT for Search Engine – A fake AI utility used to spy on your queries and navigation.
Unlock Discord (Edge): The same malicious proxy as the Chrome version, just rebranded for Edge.
How to Make Sure Your Browser Is Not Affected
If you use Google Chrome or Microsoft Edge, this only takes 5 minutes — and it’s worth it.
1. Open your extensions page
- For Chrome: chrome://extensions
- For Edge: edge://extensions
2. Look through your installed extensions
- Do you see anything from the list above?
- If yes, remove it immediately. Removal stops further tracking, but anything already sent to the operators' servers cannot be recalled, which is why the password and 2FA steps below still matter.
3. Then clean up your browser
- Clear your browsing history, cookies, and cache
- Run a trusted antivirus or anti-malware scan
- Change passwords for any accounts you used recently — especially banking, email, work logins
- Turn on two-factor authentication (2FA) wherever possible

6 Tips To Stay Extra Safe from Malicious Browser Extensions
1. Keep your extensions list short: Only install tools you truly need. Fewer add-ons = fewer risks.
2. Check what each extension can access: On chrome://extensions or edge://extensions, open Details for each extension and read its Permissions and Site access. Be suspicious if something simple, like an emoji keyboard, asks to "Read and change all your data on all websites"; that single permission is what lets an extension log every URL you visit and rewrite any page you load.
3. Look beyond the ratings: High install counts, good reviews, and “verified” badges can all be faked or earned before an extension turns malicious.
4. Be careful after updates: Chrome and Edge only prompt you when an update requests new permissions; an update that stays within permissions you already granted installs silently, which is how these extensions changed behavior without anyone noticing. If an extension suddenly asks for new permissions or behaves differently, remove it until you can confirm it is still trustworthy.
5. Stick to known developers: If you’ve never heard of the company or developer, do a quick search before installing.
6. Do regular cleanups: Set a reminder every couple of months to review and remove anything you no longer use — especially on work devices.
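The manual check in the steps above and the permission review in tip 2 can be scripted. The following is an added example, not code from the original post or from Koi Security: a Python script that walks the on-disk extension folders Chrome and Edge use (Extensions/<id>/<version>/manifest.json under the profile directory), reads each manifest, and flags extensions that can access every site, watch navigation, or whose name matches the list above. The profile paths, the permission sets and the two sample manifests it falls back to when no browser profile is found are assumptions constructed for this example; the post gives extension names but no store IDs, so the name match is only a hint.

```python
"""Audit installed Chrome/Edge extensions for the permissions RedDirection abused.
Added example, not code from the original post or from Koi Security. Chromium keeps
an unpacked copy of each extension at <profile>/Extensions/<id>/<version>/manifest.json.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

# Host patterns shown in the UI as "Read and change all your data on all websites".
# Manifest V2 lists them in "permissions", V3 in "host_permissions".
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension watch, block or rewrite navigation.
NAV_PERMS = {"tabs", "webNavigation", "webRequest", "webRequestBlocking",
             "declarativeNetRequest", "scripting"}
# Names from the post's list (lower-cased). Only a hint: the post gives no store IDs,
# and generic names such as "Weather" are used by legitimate extensions too.
SUSPECT_NAMES = (
    "emoji keyboard online", "free weather forecast", "video speed controller",
    "unlock discord", "dark reader for chrome", "volume max", "unblock tiktok",
    "unlock youtube", "geco colorpick", "unlock tiktok", "volume booster",
    "web sound equalizer", "header value", "flash player: games emulator",
    "youtube unblocked", "searchgpt")

def default_extension_roots() -> list[Path]:
    """Default-profile extension folders for Chrome and Edge (assumed standard paths)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home / "AppData" / "Local"))
        cands = [base / "Google/Chrome/User Data/Default/Extensions",
                 base / "Microsoft/Edge/User Data/Default/Extensions"]
    elif sys.platform == "darwin":
        base = home / "Library/Application Support"
        cands = [base / "Google/Chrome/Default/Extensions",
                 base / "Microsoft Edge/Default/Extensions"]
    else:
        cands = [home / ".config/google-chrome/Default/Extensions",
                 home / ".config/microsoft-edge/Default/Extensions"]
    return [p for p in cands if p.is_dir()]

def risk_reasons(manifest: dict) -> list[str]:
    """Why a manifest deserves a second look; an empty list means nothing stood out."""
    reasons = []
    perms = set(manifest.get("permissions", []))
    if (set(manifest.get("host_permissions", [])) | perms) & BROAD_HOSTS:
        reasons.append("can read and change data on every site")
    if any(set(cs.get("matches", [])) & BROAD_HOSTS
           for cs in manifest.get("content_scripts", [])):
        reasons.append("injects a script into every page")
    nav = sorted(perms & NAV_PERMS)
    if nav:
        reasons.append("can observe or alter navigation: " + ", ".join(nav))
    if any(s in str(manifest.get("name", "")).lower() for s in SUSPECT_NAMES):
        reasons.append("name matches the RedDirection list")
    return reasons

def audit(root: Path) -> list[dict]:
    """One record per <id>/<version>/manifest.json under root, sorted by path."""
    findings = []
    for mp in sorted(root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(mp.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed: skip it rather than abort the audit
        if not isinstance(manifest, dict):
            continue
        findings.append({"id": mp.parts[-3], "version": mp.parts[-2],
                         "name": manifest.get("name", "?"),
                         "reasons": risk_reasons(manifest)})
    return findings

def demo() -> list[dict]:
    """Constructed sample profile: one harmless extension, one shaped like RedDirection."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0.0": {
            "manifest_version": 3, "name": "Plain Notepad", "version": "1.0.0",
            "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/3.2.1": {
            "manifest_version": 3, "name": "Color Picker, Eyedropper - Geco colorpick",
            "version": "3.2.1", "permissions": ["tabs", "storage"],
            "host_permissions": ["<all_urls>"], "background": {"service_worker": "bg.js"}}}
    for rel, manifest in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return audit(root)

if __name__ == "__main__":
    roots = default_extension_roots()
    scans = [(str(r), audit(r)) for r in roots] or [("constructed sample", demo())]
    for label, findings in scans:
        print(f"== {label}")
        for f in findings:
            print(("REVIEW " if f["reasons"] else "ok     ") + f"{f['name']} ({f['id']} v{f['version']})")
            for reason in f["reasons"]:
                print(f"         - {reason}")
```

Run it on the machine in question; it only reads files and never talks to the network. A name printed as `__MSG_…__` is a localization placeholder, and the readable name lives in the extension's _locales folder, so compare the printed id against the extension's Web Store page rather than trusting the display name. Extensions installed in other browser profiles sit under sibling folders of Default (Profile 1, Profile 2, and so on) and need the same check.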
RedDirection is a clear example of how trust can be misused inside tools we often take for granted. Follow the practical steps above to stay EXTRA SAFE from online threats. For private communication without extensions or add-ons, use extrasafe.chat
Need a mobile app? Download now for iOS and Android