DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide

A Chinese threat actor dubbed "DarkSpectre" has orchestrated three malicious browser extension campaigns affecting more than 8.8 million Chrome, Edge, and Firefox users over seven years, according to research from Koi Security. The campaigns include sophisticated corporate espionage tools targeting video conferencing platforms.

The recently discovered operation combines data theft, search query hijacking, and affiliate fraud through seemingly legitimate browser extensions that activate malicious behavior only after establishing user trust. It represents a significant escalation in malware that targets businesses through commonly used tools.

Comprehensive attack infrastructure reveals corporate espionage focus

Koi Security has identified three distinct campaigns operated by DarkSpectre: ShadyPanda, GhostPoster, and The Zoom Stealer. Each employs unique tactics but shares infrastructure characteristics pointing to Chinese origin.

"This isn't consumer fraud—this is corporate espionage infrastructure," said researchers Tuval Admoni and Gal Hachamov. "The Zoom Stealer represents something more targeted: systematic collection of corporate meeting intelligence."

The most recently uncovered campaign, The Zoom Stealer, consists of 18 extensions designed to harvest corporate meeting intelligence. These extensions target platforms including Google Meet, Zoom, Microsoft Teams, and Cisco WebEx, collecting meeting URLs with embedded passwords, participant lists, speaker details, and other sensitive information.

Many extensions use deceptive names like "Chrome Audio Capture," "Google Meet Auto Admit," and "ZED: Zoom Easy Downloader" to appear legitimate. Once installed, they establish WebSocket connections to exfiltrate data in real-time while providing the advertised functionality to avoid suspicion.

Particularly concerning are the extensions' overly broad access requests: they seek permissions for more than 28 video conferencing platforms regardless of whether such access aligns with their stated purpose. Organizations should implement robust cybersecurity measures to protect sensitive meeting data across all communication channels.

ShadyPanda campaign targets millions with delayed attacks

The ShadyPanda campaign has affected 5.6 million users through extensions that employ a "logic bomb" approach—waiting days before activating malicious code to bypass security reviews. One Edge extension, "New Tab – Customized Dashboard," waits three days before triggering harmful behavior.

Koi Security found nine currently active extensions in this campaign alongside 85 "dormant sleepers" that remain benign while building user trust. These sleepers can be weaponized through updates, with some remaining inactive for more than five years before turning malicious.

GhostPoster focuses on Firefox users

The GhostPoster campaign primarily targets Firefox users with utilities and VPN tools that execute malicious JavaScript. These extensions hijack affiliate links, inject tracking code, and commit click and ad fraud. Investigations revealed additional components including a Google Translate extension for Opera with nearly one million installs.

Chinese attribution based on technical evidence

Researchers attributed the campaigns to a Chinese threat actor based on several technical indicators:

  • Command-and-control servers consistently hosted on Alibaba Cloud
  • Internet Content Provider registrations linked to Chinese provinces including Hubei
  • Code artifacts containing Chinese-language strings and comments
  • Fraud schemes specifically targeting Chinese e-commerce platforms like JD.com and Taobao

How to protect yourself from malicious browser extensions

Users can take several steps to reduce their risk of falling victim to malicious browser extensions:

  • Regularly audit installed extensions and remove those you no longer use
  • Check permission requests carefully before installing any extension
  • Research extension developers and verify their reputation
  • Keep browsers updated to benefit from security patches
  • Use enterprise management tools to control which extensions can be installed in corporate environments
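The permission check in the list above, applied to the over-broad conferencing access described earlier, as an added example that is not from the report or this article: a Python audit of an extension's manifest.json that lists broad host grants and the conferencing platforms it can reach beyond what its stated purpose needs. The platform set (only the four platforms the report names), the sample manifest and the `expected` set are constructed assumptions.

```python
import re

# Platforms named in the Koi Security report; extend for others an organization uses.
CONFERENCING = {"meet.google.com", "zoom.us", "teams.microsoft.com", "webex.com"}
HOST_KEYS = ("permissions", "host_permissions",
             "optional_permissions", "optional_host_permissions")

def host_of(pattern):
    """Host part of a match pattern such as 'https://*.zoom.us/*', else None."""
    m = re.match(r"^(?:\*|https?|wss?|ftp|file)://([^/]+)(?:/.*)?$", pattern)
    return m.group(1) if m else None

def requested_hosts(manifest):
    """Every host pattern asked for: MV2 'permissions', MV3 'host_permissions',
    their optional variants, and content-script 'matches'."""
    pats = [p for k in HOST_KEYS for p in manifest.get(k, [])
            if p == "<all_urls>" or "://" in p]
    for cs in manifest.get("content_scripts", []):
        pats.extend(cs.get("matches", []))
    return pats

def covers(pattern, domain):
    """True if `pattern` reaches `domain`, one of its parents, or one of its subdomains."""
    host = host_of(pattern)
    if host is None:
        return pattern == "<all_urls>"
    bare = host.lstrip("*.")                      # '*.zoom.us' -> 'zoom.us'
    return (host == "*" or bare == domain or bare.endswith("." + domain)
            or (host.startswith("*.") and domain.endswith("." + bare)))

def audit(manifest, expected):
    """Report broad grants and conferencing platforms reached beyond `expected`,
    the CONFERENCING domains the extension's stated purpose actually needs."""
    pats = requested_hosts(manifest)
    reached = {d for d in CONFERENCING if any(covers(p, d) for p in pats)}
    return {"name": manifest.get("name", "?"),
            "broad_patterns": sorted(p for p in pats if host_of(p) in (None, "*")),
            "conferencing_reached": sorted(reached),
            "unexpected": sorted(reached - expected)}

# Constructed sample manifest modelled on the over-broad requests the report describes.
SAMPLE = {
    "manifest_version": 3, "name": "Meeting Auto Admit (constructed sample)",
    "host_permissions": ["https://meet.google.com/*", "https://*.zoom.us/*",
                         "https://teams.microsoft.com/*", "https://*.webex.com/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}],
}

if __name__ == "__main__":
    print(audit(SAMPLE, {"meet.google.com"}))
```

An extension that advertises a single-platform feature but reaches three more platforms plus `<all_urls>` is exactly the mismatch the report describes; a clean result has empty `broad_patterns` and `unexpected` lists.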

The DarkSpectre campaigns demonstrate how threat actors leverage long-term planning and deceptive tactics to build trust before exploiting users. Many compromised extensions functioned legitimately for years before turning malicious through updates.

"DarkSpectre likely has more infrastructure in place right now—extensions that look completely legitimate because they are legitimate, for now," Koi Security warned. "They're still in the trust-building phase, accumulating users, earning badges, waiting."

For organizations that rely heavily on video conferencing, this campaign highlights the need for increased scrutiny of browser extensions with access to meeting data, particularly as remote and hybrid work environments have become standard in many industries.

Browser extension security best practices

Organizations should implement additional security measures beyond basic precautions. Consider implementing a zero-trust approach to browser extensions by creating an approved list of extensions that undergo security reviews before deployment. Regular malware scanning and removal using trusted tools should be part of your standard security protocol.

Security teams should also monitor for suspicious network traffic patterns, particularly WebSocket connections to unfamiliar domains that could indicate data exfiltration. According to a recent report by the Cybersecurity and Infrastructure Security Agency (CISA), malicious browser extensions remain one of the most overlooked security vulnerabilities in enterprise environments.
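The WebSocket monitoring suggested above, as an added example that is not from the report or this article: Python detection logic run over constructed proxy log lines that groups WebSocket handshakes to hosts outside a known allowlist by destination domain and ranks them by how many distinct clients reached them. The log format, the allowlist, the reserved `.test`/`.invalid` destination names and the crude last-two-labels domain reduction are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the organization's collaboration tools are known to reach (constructed
# allowlist; populate it from your own approved-application inventory).
KNOWN_WS_HOSTS = {"meet.google.com", "zoom.us", "teams.microsoft.com", "webex.com"}

# Constructed proxy log format: "<ts> <client_ip> <method> <url> <status> upgrade=<value|->"
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) upgrade=(\S+)$")

def registrable(host):
    """Crude eTLD+1 (last two labels); use a public suffix list on real data."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_websocket(scheme, status, upgrade):
    """Proxies differ in what they log, so accept the scheme, the 101 or the header."""
    return scheme in ("ws", "wss") or status == 101 or upgrade.lower() == "websocket"

def unfamiliar_websockets(lines, known=KNOWN_WS_HOSTS):
    """WebSocket handshakes to hosts outside `known`, grouped by registrable domain and
    ranked by distinct clients: one endpoint reached fleet-wide is an extension's footprint."""
    seen = defaultdict(lambda: {"clients": set(), "hosts": set()})
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                          # unparseable line: skip, don't crash
        _ts, client, _method, url, status, upgrade = m.groups()
        parts = urlsplit(url)
        if not parts.hostname or not is_websocket(parts.scheme, int(status), upgrade):
            continue
        if any(parts.hostname == k or parts.hostname.endswith("." + k) for k in known):
            continue                          # approved collaboration traffic
        seen[registrable(parts.hostname)]["clients"].add(client)
        seen[registrable(parts.hostname)]["hosts"].add(parts.hostname)
    return sorted(({"domain": d, "clients": len(e["clients"]), "hosts": sorted(e["hosts"])}
                   for d, e in seen.items()),
                  key=lambda r: (-r["clients"], r["domain"]))

# Constructed sample; reserved .test/.invalid names stand in for unfamiliar endpoints.
SAMPLE_LOG = """\
2025-12-01T09:00:01Z 10.0.0.11 GET wss://us04web.zoom.us/ws 101 upgrade=websocket
2025-12-01T09:00:02Z 10.0.0.11 GET wss://relay.example-cdn.test/socket 101 upgrade=websocket
2025-12-01T09:00:03Z 10.0.0.12 GET https://relay.example-cdn.test/socket 101 upgrade=websocket
2025-12-01T09:00:04Z 10.0.0.13 GET https://www.example.org/index.html 200 upgrade=-
2025-12-01T09:00:06Z 10.0.0.15 GET wss://api.sample-ws.invalid/feed 101 upgrade=websocket
""".splitlines()

if __name__ == "__main__":
    print(unfamiliar_websockets(SAMPLE_LOG))
```

Ranking by distinct clients rather than raw hit count is what separates a fleet-wide extension beacon from one user's unusual web app.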

For individuals and businesses using video conferencing tools, implementing multi-factor authentication and using conference-specific passwords can provide additional layers of protection even if meeting details are compromised.
