- DarkSpectre is linked to three browser-extension campaigns that together affected more than 8.8 million users over seven years.
- The campaigns — ShadyPanda, GhostPoster and the “Zoom Stealer” — targeted Google Chrome, Microsoft Edge and Mozilla Firefox to steal data and commit affiliate and ad fraud.
- Attackers used long-lived benign extensions, time-delayed triggers, and real-time data exfiltration to harvest meeting details and user information.
- Evidence tying the actor to China includes Alibaba Cloud Hosting, ICP registrations in Chinese provinces, Chinese-language code artifacts, and fraud aimed at Chinese e-commerce sites.
Who: Security firm Koi Security has assessed the campaign cluster as the work of a threat actor tracked as DarkSpectre. The group ran three extension campaigns that impacted browsers worldwide over more than seven years. The activity affected over 8.8 million users in total.
ShadyPanda operated across multiple browsers and hit about 5.6 million users. Operators deployed more than 100 connected extensions, including an Edge add-on that contained a time-delayed logic bomb — a short program that activates malicious behavior after a set condition. Many extensions acted as “dormant sleepers,” meaning they remain benign until malicious updates convert them.
GhostPoster focused largely on Firefox, distributing utilities and VPN tools that executed JavaScript to hijack affiliate links, inject trackers, and commit click and ad fraud. Investigators also found an Opera Google Translate extension (developer "charliesmithbons") with nearly one million installs linked to the cluster.
The third campaign, called the Zoom Stealer, used 18 extensions across Chrome, Edge and Firefox to collect meeting URLs (including embedded passwords), IDs, topics, times, registration status, participant lists and speaker details. The Malware exfiltrated data over WebSocket — a protocol for real-time, bidirectional web communication. These add-ons requested access to more than 28 conferencing platforms, such as Cisco WebEx, Google Meet, GoTo Webinar, Microsoft Teams and Zoom.
Investigators noted Chinese links including command-and-control servers on Alibaba Cloud, ICP registrations tied to provinces like Hubei, Chinese-language code artifacts, and fraud targeting platforms such as JD.com and Taobao. Researchers warned: "This isn’t consumer fraud – this is corporate espionage infrastructure." Additional visuals from the report are available (image) and related links (image) and (image).
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
