Get Started
What We Do
How We Do It
Resources
Company
Partners
Get Started
What we do
How we do it
Resources
Company
Partners
Get Started
What We Do
ESENTIRE SERVICES
Managed Detection and Response

Combine AI-driven security operations, multi-signal attack surface coverage and 24/7 Elite Threat Hunters to help you take your security program to the next level.
All-In-One MDR Solution →
MDR for Microsoft →
MDR for GenAI →
Digital Forensics and Incident Response

Get unlimited Incident Response with threat suppression guarantee - anytime, anywhere.
Continuous Threat Exposure Management (CTEM)

CTEM and advisory programs that identify security gaps and build proactive strategies to address them.
AI Powered platform
Atlas Security Operations Platform

Multi-agent Generative AI system embedded across eSentire’s Security Operations platform to scale human expertise.
Extended Detection and
Response (XDR)

Open XDR with Agentic AI & machine learning that eliminates noise, enables real-time detection and response, and automatically blocks threats.
Customer Portal

See what our SOC sees, review investigations, and see how we are protecting your business. 
Platform Integrations 

Seamless integrations and threat investigation across your existing tech stack.  
human led response
Security Operations Center (SOC)

24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
Threat Response Unit (TRU)

Proactive threat intelligence, original threat research and a world-class team of seasoned industry veterans.
Cyber Resilience Team

Extend your team capabilities and prevent business disruption with expertise from eSentire.
Response and Remediation

We balance automated blocks with rapid human-led investigations to manage threats.
How We Do
MDR Packages and 24/7 Protection
MDR Pricing and Packages

Flexible MDR pricing and packages that fit your unique security requirements.
Atlas Essentials

Entry level foundational MDR coverage
Atlas Advanced

Comprehensive Next Level MDR from eSentire
Atlas Complete

Next Level MDR with Cyber Risk Advisors to continuously advance your security program
Explore MDR Packages → Build Your MDR Package →
24/7 Coverage
Endpoint
Network
Log
Cloud
Identity
INDUSTRIES
Insurance
Construction
Finance
Legal
Manufacturing
Private Equity
Healthcare
Retail
Food Supply
Government and Education
Automotive Dealerships
USE CASES
Ransomware

Stop ransomware before it spreads.
Identity Response

Stop identity-based cyberattacks.
Zero Day Attacks

Detect and respond to zero-day exploits.
Cybersecurity Compliance

Meet regulatory compliance mandates.
Third-Party Risk

Defend third-party and supply chain risk.
Cloud Misconfiguration

End misconfigurations and policy violations.
Cyber Risk

Adopt a risk-based security approach.
Do More With Less

Prevent disruption by outsourcing MDR.
Sensitive Data Security

Protect your most sensitive data.
Cyber Insurance

Meet insurability requirements with MDR.
Cyber Threat Intelligence

Operationalize cyber threat intelligence.
Security Leadership

Build a proven security program.
Resources
VIEW ARTICLES
Resources
Case Studies
Compare MDR Vendors
TRU Intelligence Center
Cybersecurity Tools
Videos
Reports
Webinars
Data Sheets
Real vs. Fake MDR
Blogs
Security Advisories
EXPLORE LIBRARY
SECURITY ADVISORIES
Aug 26, 2025
CVE-2025-7775 NetScaler ADC and Gateway Zero-Day

THE THREATA critical security advisory has been issued for NetScaler ADC and Gateway systems, highlighting three significant vulnerabilities (CVE-2025-7775, CVE-2025-7776, and…

 Aug 14, 2025
Exploit Released for Critical FortiSIEM Vulnerability (CVE-2025-25256)

THE THREATOn August 12th, Fortinet disclosed a critical vulnerability impacting multiple versions of Fortinet FortiSIEM. The flaw, CVE-2025-25256 (CVSS: 9.8), is a remote unauthenticated…
View Advisories
Company
ABOUT ESENTIRE

eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.

About Us
Leadership
Careers
Event Calendar
Newsroom
Aston Villa Football Club
EVENT CALENDAR
Aug
28
INTERFACE Boise
Sep
09
September TRU Intelligence Briefing
Sep
15
TribalNet Annual Conference
Sep
17
Future Tech Strategy Forum
Sep
18
INTERFACE Salt Lake City
View Calendar
LATEST PRESS RELEASE
Aug 12, 2025
eSentire’s Dustin Hillard Recognized on Channel Insider's 2025 AI Leaders List
Read More
View Newsroom
OUR PARTNERSHIPS
Aston Villa Football Club

AVFC takes its cyber protection to the Next Level with eSentire as its official cybersecurity partner.

Learn More
Partners
PARTNER PROGRAM

Apply to become an e3 ecosystem partner with eSentire today.
APPLY NOW

Login to the Partner Portal for resources and content for current partners.
LOGIN NOW
Search

Search our site

Quick Links

ALL-IN-ONE MDR SERVICE

Multi-Signal MDR with 300+ technology integrations to support your existing investments.
24/7 SOC SUPPORT

24/7 SOC-as-a-Service with unlimited threat hunting and incident handling.
MDR PRICING AND PACKAGES

We offer three flexible MDR pricing packages that can be customized to your unique needs.
TRU INTELLIGENCE CENTER

The latest security advisories, blogs, reports, industry publications and webinars published by TRU.
MDR VENDOR COMPARISONS

Compare eSentire to other Managed Detection and Response vendors to see how we stack up against the competition.
MDR CASE STUDIES

See why 2000+ organizations globally have chosen eSentire for their MDR Solution.
Get Started
Get Started
Build A Quote
Become A Partner
Security advisories

RedDirection Browser Extension Campaign

July 10, 2025 | 4 MINS READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On July 8th, 2025, Koi Security disclosed an extensive campaign dubbed RedDirection, involving 18 cross-platform browser extensions available on Google Chrome and Microsoft Edge markets. These malicious browser extensions can hijack browsers and have reportedly impacted 2.3 million users across Google Chrome and Microsoft Edge.

This campaign is particularly notable because several of the extensions involved have long masqueraded as legitimate, carrying a “verified” status assigned by the browsers. A malicious update to these extensions triggered the hijacking operation. Such campaigns pose a severe threat to organizations as these extensions may enable attackers carry out Man-in-the-Middle (MitM) attacks, leading to data theft or the deployment of malware.

Organizations are strongly encouraged to identify any potentially malicious extensions, and ensure they are removed.

What we’re doing about it

What you should do about it

Additional information

Koi Security’s investigation into the browser extension “Color Picker, Eyedropper — Geco colorpick” led to the discovery of the RedDirection campaign. This extension was a legitimate tool for several years, before a malicious update was deployed. Post update, the extension continued to function as a color picker while simultaneously engaging in browser hijacking. The RedDirection campaign was found to involve 18 similar browser extensions targeting both Google Chrome and Microsoft Edge.

The browser extensions in the campaign masquerade as popular productivity and entertainment tools across a broad range of categories, including emoji keyboards, weather forecast widgets, video speed controllers, VPN proxies for Discord and TikTok, dark mode themes, volume boosters, and YouTube unblockers. Several of these extensions were marked as “verified” on both the Chrome Web Store and Microsoft Edge Add-ons, which helped them evade suspicion and gain user trust.

The browser hijacking mechanism embedded within the extensions is triggered each time a webpage is navigated. All open tabs are monitored, and the URLs are captured and sent to a remote Command-and-Control (C2) server along with a unique tracking ID. Upon receiving a redirect URL from the C2, the browser is automatically redirected to the specified destination.

The RedDirection campaign exploits the extension update mechanisms of Google Chrome and Microsoft Edge to stealthily inject malicious behavior into long-standing, previously legitimate extensions. This tactic enabled attackers to carry out a large-scale supply chain attack, leveraging weaknesses in browser extension stores and the inherent trust users place in “verified” extensions.

The known malicious plugins are now confirmed to be removed from the Chrome Web Store and Edge Add-ons.

While browser extensions can simplify many critical daily tasks and address a variety of user needs, it is essential to understand the risks associated with using third-party tools. Organizations are recommended to educate employees about the risks associated with third-party tools such browser extensions and encourage them to report suspicious behavior.

Indicators of Compromise (IOCs) Shared by Koi Security
admitab[.]com Domain
edmitab[.]com Domain
click.videocontrolls[.]com Domain
c.undiscord[.]com Domain
click.darktheme[.]net Domain
c.jermikro[.]com Domain
c.untwitter[.]com Domain
c.unyoutube[.]net Domain
admitclick[.]net Domain
addmitad[.]com Domain
admiitad[.]com Domain
abmitab[.]com Domain
admitlink[.]net Domain
kgmeffmlnkfnjpgmdndccklfigfhajen — [Emoji keyboard online — copy&past your emoji.] Chrome Extension & Extension ID
dpdibkjjgbaadnnjhkmmnenkmbnhpobj — [Free Weather Forecast] Chrome Extension & Extension ID
gaiceihehajjahakcglkhmdbbdclbnlf — [Video Speed Controller — Video manager] Chrome Extension & Extension ID
mlgbkfnjdmaoldgagamcnommbbnhfnhf — [Unlock Discord — VPN Proxy to Unblock Discord Anywhere] Chrome Extension & Extension ID
eckokfcjbjbgjifpcbdmengnabecdakp — [Dark Theme — Dark Reader for Chrome] Chrome Extension & Extension ID
mgbhdehiapbjamfgekfpebmhmnmcmemg — [Volume Max — Ultimate Sound Booster] Chrome Extension & Extension ID
cbajickflblmpjodnjoldpiicfmecmif — [Unblock TikTok — Seamless Access with One-Click Proxy] Chrome Extension & Extension ID
pdbfcnhlobhoahcamoefbfodpmklgmjm — [Unlock YouTube VPN] Chrome Extension & Extension ID
eokjikchkppnkdipbiggnmlkahcdkikp — [Color Picker, Eyedropper — Geco colorpick] Chrome Extension & Extension ID
ihbiedpeaicgipncdnnkikeehnjiddck — [Weather] Chrome Extension & Extension ID
jjdajogomggcjifnjgkpghcijgkbcjdi — [Unlock TikTok] Edge Extension & Extension ID
mmcnmppeeghenglmidpmjkaiamcacmgm — [Volume Booster — Increase your sound] Edge Extension & Extension ID
ojdkklpgpacpicaobnhankbalkkgaafp — [Web Sound Equalizer] Edge Extension & Extension ID
lodeighbngipjjedfelnboplhgediclp — [Header Value] Edge Extension & Extension ID
hkjagicdaogfgdifaklcgajmgefjllmd — [Flash Player — games emulator] Edge Extension & Extension ID
gflkbgebojohihfnnplhbdakoipdbpdm — [Youtube Unblocked] Edge Extension & Extension ID
kpilmncnoafddjpnbhepaiilgkdcieaf — [SearchGPT — ChatGPT for Search Engine] Edge Extension & Extension ID
caibdnkmpnjhjdfnomfhijhmebigcelo— [Unlock Discord] Edge Extension & Extension ID

References:

[1] https://blog.koi.security/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5

View Most Recent Advisories
ARE YOU EXPERIENCING A SECURITY INCIDENT OR HAVE YOU BEEN BREACHED?
Call 1-866-579-2200

The Proven Choice for
Managed Detection and Response

GET STARTED PARTNER LOGIN

Sales and
Customer Support

NORTH AMERICA 1-866-579-2200 EMEA (0)8000-443242 ANZ/APAC 1-519-651-2200
What we do
How we do it
Industries
Use Cases
Resources
Tools
Company

2025 eSentire, Inc. All Rights Reserved.