
Illuminating ShadyPanda DNS Infrastructure Facts

Koi Security recently published a report on ShadyPanda, a campaign that ran for seven years and is said to have affected the browsers of 4.3 million Chrome and Edge users to date. How did the campaign last so long? Some of the actors' extensions were featured and verified by Google, which conferred instant trust and massive distribution. Over time, the operators weaponized the browser marketplaces by building trust, accumulating users, and then pushing malicious updates silently through the extensions' normal update channel.

Koi identified seven IoCs comprising four domains and three subdomains. Extracting the registrable root domains of the three subdomains and deduplicating them against the four domains gave us six domains and three subdomains for further analysis. Note that we first queried the six domains on the WhoisXML API MCP Server, which flagged none of them as legitimate, making them worthy of further analysis.

Our in-depth investigation led to these discoveries:

  • 105 unique client IP addresses communicated with four of the domains identified as IoCs
  • 735 email-connected domains, one of which turned out to be malicious
  • Seven IP addresses, six of which turned out to be malicious
  • 18 IP-connected domains
  • 76 string-connected domains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

The Hunt for More Information on the ShadyPanda IoCs

First, sample network traffic data from the IASC, covering a total of 823 DNS queries, showed that 105 unique client IP addresses under nine distinct ASNs communicated with four of the domains identified as IoCs between 11 November and 10 December 2025.
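The two steps described so far, turning the defanged IoC list into a deduplicated set of root domains and subdomains, and then checking DNS query logs for clients that resolved any of those domains or their subdomains, can be written as a short script. The following is an added example prepared for this article, not code from WhoisXML API or Koi Security. The fourth root domain from the Koi report is not named in this post, so only the six named indicators are used; the log lines are constructed, the log format matched by the regular expression is an assumption, and registrable_domain assumes a single-label public suffix such as .com or .net.

```python
import re
from collections import defaultdict

# Constructed list of the IoCs named in this post (defanged as in the text).
# The fourth root domain from the Koi report is not named here, so only the
# six named indicators are included.
NAMED_IOCS = [
    "gotocdn[.]com",
    "extensionplay[.]com",
    "dergoodting[.]com",
    "api[.]cgatgpt[.]net",
    "s-82923[.]gotocdn[.]com",
    "s-85283[.]gotocdn[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a real hostname (lower-case, no trailing dot)."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^hxxps?://", "", host)
    return host.rstrip(".")


def registrable_domain(host: str) -> str:
    """Return the registrable (root) domain. Assumption: a single-label public
    suffix such as .com or .net; multi-label suffixes such as .co.uk would need
    a public-suffix list lookup instead."""
    labels = host.split(".")
    return ".".join(labels[-2:])


def expand_iocs(iocs):
    """Split IoCs into root domains and subdomains, folding each subdomain's
    root into the domain set (the expansion step described above)."""
    domains, subdomains = set(), set()
    for ioc in iocs:
        host = refang(ioc)
        root = registrable_domain(host)
        if host != root:
            subdomains.add(host)
        domains.add(root)
    return domains, subdomains


def matches(query_name: str, domains) -> bool:
    """True if query_name is an IoC domain or a subdomain of one. The leading
    dot in the suffix test keeps 'notgotocdn.com' from matching 'gotocdn.com'."""
    q = query_name.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in domains)


# Constructed sample of DNS query log lines (timestamp, client IP, ASN, qname,
# qtype); not real traffic from the IASC.
SAMPLE_LOG = """\
2025-11-12T08:01:05Z 203.0.113.10 AS64500 extensionplay.com A
2025-11-12T08:01:06Z 203.0.113.10 AS64500 api.cgatgpt.net A
2025-11-13T10:22:41Z 198.51.100.7 AS64501 s-82923.gotocdn.com A
2025-11-13T10:22:42Z 198.51.100.7 AS64501 www.example.com A
2025-11-14T12:00:00Z 192.0.2.55 AS64502 dergoodting.com AAAA
2025-11-14T12:00:01Z 192.0.2.55 AS64502 extensionplay.com A
2025-11-15T09:30:00Z 203.0.113.11 AS64500 cdn.extensionplay.com A
"""

# Assumed log layout: five whitespace-separated fields per line.
LOG_RE = re.compile(r"^(\S+) (\S+) (AS\d+) (\S+) (\S+)$")


def summarise(log_text: str, iocs):
    """Count matching queries and report unique clients and ASNs per IoC root domain."""
    domains, _ = expand_iocs(iocs)
    clients_per_domain = defaultdict(set)
    asns = set()
    total = 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _ts, client, asn, qname, _qtype = m.groups()
        if not matches(qname, domains):
            continue
        total += 1
        root = registrable_domain(qname.lower().rstrip("."))
        clients_per_domain[root].add(client)
        asns.add(asn)
    all_clients = set().union(*clients_per_domain.values()) if clients_per_domain else set()
    return {
        "matching_queries": total,
        "unique_clients": len(all_clients),
        "asns": len(asns),
        "clients_per_domain": {d: sorted(c) for d, c in clients_per_domain.items()},
    }


if __name__ == "__main__":
    domains, subdomains = expand_iocs(NAMED_IOCS)
    print("domains:", sorted(domains))
    print("subdomains:", sorted(subdomains))
    print(summarise(SAMPLE_LOG, NAMED_IOCS))
```

Run against the constructed log, the script reports six matching queries from four clients in three ASNs, with extensionplay.com being the most contacted root; swapping SAMPLE_LOG for a resolver's query log and NAMED_IOCS for the full indicator list gives the same client-by-domain breakdown the traffic sample above describes.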

We then queried the six domains identified as IoCs on WHOIS API and discovered that:

  • They were registered between 15 March 2010 and 7 September 2023. Two domains each were registered in 2022 and 2023, while one each was registered in 2010 and 2021.
  • They were administered by three registrars: four by GoDaddy and one each by Danesco Trading and West263 International.
  • They were registered in three countries, topped by the U.S., which accounted for four domains. One domain each was registered in China and Cyprus.

A DNS Chronicle API query for the six domains identified as IoCs showed that, between them, they had 661 historical domain-to-IP resolutions over time. The domain gotocdn[.]com posted the earliest resolution date, 26 May 2017. Take a look at more details for three examples below.

DOMAIN IoC            NUMBER OF RESOLUTIONS   RESOLUTION DATES (MM/DD/YY)
gotocdn[.]com         101                     05/26/17–08/21/22
extensionplay[.]com   180                     04/30/21–11/24/25
dergoodting[.]com     144                     06/08/22–11/20/25
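A practical question to ask of a passive DNS table like this one is whether each domain was still resolving during the traffic window the post examines (11 November to 10 December 2025), or whether its infrastructure had already gone dormant. The script below is an added example written for this article, not code from WhoisXML API or DNS Chronicle; it works only on the three rows published above, since the other domains' histories are not given, and it assumes the table's MM/DD/YY date format.

```python
from datetime import date, datetime

# Rows copied from the three published examples above (dates are MM/DD/YY);
# the other IoC domains' resolution histories are not given in the post.
RESOLUTION_ROWS = [
    ("gotocdn[.]com", 101, "05/26/17", "08/21/22"),
    ("extensionplay[.]com", 180, "04/30/21", "11/24/25"),
    ("dergoodting[.]com", 144, "06/08/22", "11/20/25"),
]

# Observation window of the DNS traffic sample discussed earlier in the post.
WINDOW_START = date(2025, 11, 11)
WINDOW_END = date(2025, 12, 10)


def parse_mmddyy(text: str) -> date:
    """Parse the two-digit-year dates used in the table."""
    return datetime.strptime(text, "%m/%d/%y").date()


def classify(rows, window_start=WINDOW_START, window_end=WINDOW_END):
    """For each domain, decide whether its resolution history overlaps the
    traffic window, how long it has been dormant if not, and how long it
    resolved in total."""
    result = {}
    for name, count, first, last in rows:
        first_seen, last_seen = parse_mmddyy(first), parse_mmddyy(last)
        overlaps = last_seen >= window_start and first_seen <= window_end
        result[name] = {
            "resolutions": count,
            "first_seen": first_seen,
            "last_seen": last_seen,
            "active_in_window": overlaps,
            # Days between the last recorded resolution and the start of the window
            "dormant_days": (window_start - last_seen).days if last_seen < window_start else 0,
            "days_resolving": (last_seen - first_seen).days,
        }
    return result


def timeline(rows):
    """Domain names ordered by first resolution date, oldest infrastructure first."""
    return [name for name, _, first, _ in sorted(rows, key=lambda r: parse_mmddyy(r[2]))]


if __name__ == "__main__":
    for name, info in classify(RESOLUTION_ROWS).items():
        status = ("active in window" if info["active_in_window"]
                  else f"dormant for {info['dormant_days']} days")
        print(f"{name:22} {info['resolutions']:4} resolutions  "
              f"{info['first_seen']} to {info['last_seen']}  {status}")
    print("oldest first:", timeline(RESOLUTION_ROWS))
```

On these rows the script shows gotocdn[.]com had stopped resolving more than three years before the traffic window, while extensionplay[.]com and dergoodting[.]com were still live inside it, which is the kind of distinction that decides whether an indicator belongs on an active block list or in a historical hunting set.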

Next, we looked more closely at the three subdomains identified as IoCs and found that:

  • At first glance, api[.]cgatgpt[.]net could be typosquatting on ChatGPT's popularity, given that its root domain is a one-character misspelling of the AI tool's domain name. Jake AI revealed that the domain is relatively new and privately registered. It was also set to expire within three years.
  • While the root domain of s-82923[.]gotocdn[.]com and s-85283[.]gotocdn[.]com has been around for some time, it is privately registered. The two subdomains are now inactive.
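The "misspelled variant" observation about api[.]cgatgpt[.]net is something a domain watch-list can test automatically: compute the edit distance between a domain's registrable label and each brand of interest, counting adjacent-character swaps as a single edit, since those and single-key substitutions are what typosquatters rely on. The code below is an added example written for this article, not a WhoisXML API or Jake AI feature; the brand watch-list is constructed, and second_level_label assumes a single-label public suffix such as .com or .net.

```python
def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (restricted Damerau-Levenshtein):
    insertion, deletion, substitution and adjacent transposition each cost 1."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,         # deletion
                d[i][j - 1] + 1,         # insertion
                d[i - 1][j - 1] + cost,  # substitution
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[rows - 1][cols - 1]


# Constructed watch-list of brand labels to compare against; extend as needed.
BRANDS = ["chatgpt", "openai", "google", "microsoft"]


def second_level_label(hostname: str) -> str:
    """Registrable label of a (possibly defanged) hostname, e.g. 'cgatgpt' for
    api[.]cgatgpt[.]net. Assumes a single-label public suffix such as .com/.net."""
    labels = hostname.lower().replace("[.]", ".").rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def typosquat_candidates(hostname: str, brands=BRANDS, max_distance=1):
    """Return (brand, distance) pairs where the hostname's registrable label is
    within max_distance edits of a brand, or embeds the brand inside a longer
    label (e.g. chatgpt-login). Distance 0 means the label IS the brand, which
    the caller should treat as the legitimate domain rather than a squat."""
    label = second_level_label(hostname)
    hits = []
    for brand in brands:
        dist = osa_distance(label, brand)
        if dist <= max_distance or (label != brand and brand in label):
            hits.append((brand, dist))
    return hits


if __name__ == "__main__":
    for host in ["api[.]cgatgpt[.]net", "chatgtp[.]com", "gotocdn[.]com", "chatgpt-login[.]com"]:
        print(host, "->", typosquat_candidates(host))
```

The threshold of one edit is deliberately tight; raising it to two catches more squats but also pulls in short unrelated labels, so in practice the distance is combined with other signals such as recent registration and privacy-protected WHOIS, exactly the attributes the post notes for this domain.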

The Search for New ShadyPanda Artifacts

We began our search for new artifacts by querying the six domains identified as IoCs on WHOIS History API and discovered that three had email addresses in their historical WHOIS records: seven unique addresses in all, two of which were public addresses rather than privacy-protected placeholders.

Our Reverse WHOIS API query for the two public email addresses found neither of them in current WHOIS records, but both appeared in historical records. Filtering out the domains already identified as IoCs left 735 email-connected domains.

A Threat Intelligence API query for the 735 email-connected domains showed that one had already been weaponized for phishing between 17 July and 2 December 2025 and for generic threats between 18 July and 20 September 2025.

Next, we queried the six domains identified as IoCs on DNS Lookup API and found that four had active IP resolutions, to seven unique IP addresses in all.

A Threat Intelligence API query for the seven IP addresses revealed that six had already figured in malicious campaigns. Take a look at more details for three examples below.

MALICIOUS IP ADDRESS   ASSOCIATED THREAT      DATES SEEN (MM/DD/YY)
104[.]21[.]45[.]44     Malware distribution   08/25/24–12/01/25
                       Phishing               03/28/23–10/26/25
                       Generic threat         03/29/23–10/06/25
104[.]21[.]49[.]170    Phishing               04/10/23–12/02/25
                       Generic threat         03/30/23–12/01/25
                       Malware distribution   02/12/24–09/30/25
104[.]21[.]74[.]14     Malware distribution   07/12/23–12/01/25
                       Phishing               04/04/23–10/27/25
                       Generic threat         04/03/23–10/04/25

Note that all three addresses shown sit in 104[.]21[.]0[.]0/16, part of Cloudflare's anycast reverse-proxy range, which fronts a very large number of unrelated websites. A threat-intelligence hit on such an address therefore reflects whatever else the proxy has served at least as much as the IoC domain itself; these IPs are pivot points for further domain-level enrichment, not block-list entries.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.


