Researchers at Koi Security have revealed a large-scale campaign using browser extensions, which they believe is the work of a Chinese cybercriminal group. The new operation, dubbed DarkSpectre, has affected approximately 2.2 million users of Chrome, Edge, and Firefox.
If earlier campaigns by the same group, ShadyPanda and GhostPoster, are included, the total number of victims exceeds 8.8 million over the past seven years.
Koi previously linked DarkSpectre to ShadyPanda, a series of extensions disguised as useful tools and engaged in data theft, search query manipulation, and fraud. Back then, the attackers targeted 5.6 million users through over 100 extensions, some of which only became active years after their publication.
One such Edge extension, for example, only activated its hidden logic three days after installation—apparently to safely pass app store moderation. Researchers also discovered dozens of so-called "sleeping" add-ons: while they currently appear harmless, gaining audiences and positive reviews, they could gain dangerous features with the next update.
The second campaign, GhostPoster, primarily targeted Firefox users. Disguised as utilities and VPN extensions, they injected JavaScript code to spoof affiliate links, track users, and engage in advertising fraud. Among the findings was even a Google Translate extension for Opera, which had accumulated nearly a million installs.
The most recent and perhaps most disturbing part of the story is the so-called Zoom Stealer. This is a collection of 18 extensions for Chrome, Edge, and Firefox, disguised as tools for Zoom, Google Meet, and GoToWebinar. Their purpose is to collect corporate information: meeting links (including passwords), conference IDs, topics, descriptions, schedules, and registration status. The data is transmitted in real time via WebSocket connections.
And the collection doesn't stop there. Extensions extract information about speakers and webinar organizers—names, positions, biographies, photos, company names, logos, and promotional materials. This happens every time a user simply visits the event registration page.
According to researchers, these extensions request access to 28 video conferencing platforms at once, including Zoom, Microsoft Teams, Cisco WebEx, and Google Meet—even when the extension doesn't need such access.
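The over-broad host access described above is visible in an extension's manifest before it ever runs. The following audit helper is an added example, not code from the Koi Security report: it reads a constructed manifest for a hypothetical "Zoom helper" extension and flags host permissions that reach conferencing platforms beyond the extension's stated purpose. The host list is an assumption covering only the platforms named on this page.

```python
# Conferencing hosts named in the report; a real audit would carry the full list
# of platforms the extensions requested (assumption: only these five are checked).
CONFERENCING_HOSTS = {
    "zoom.us", "teams.microsoft.com", "webex.com", "meet.google.com",
    "gotowebinar.com",
}

# Constructed sample manifest: an extension that claims to help with Zoom only,
# yet requests host access to several unrelated conferencing platforms.
SAMPLE_MANIFEST = {
    "name": "Zoom Meeting Helper (hypothetical)",
    "manifest_version": 3,
    "host_permissions": [
        "*://*.zoom.us/*", "*://teams.microsoft.com/*", "*://*.webex.com/*",
        "*://meet.google.com/*", "*://*.gotowebinar.com/*",
    ],
}

def host_from_match_pattern(pattern):
    """Extract the host from a match pattern such as '*://*.zoom.us/*'."""
    if pattern == "<all_urls>":
        return "<all_urls>"
    scheme_sep = pattern.find("://")
    if scheme_sep == -1:
        return None
    host = pattern[scheme_sep + 3:].split("/", 1)[0]
    return host.lstrip("*.")  # '*.zoom.us' -> 'zoom.us'

def audit_manifest(manifest, declared_purpose_hosts):
    """Return findings where requested hosts exceed the stated purpose."""
    findings = []
    # MV3 uses host_permissions; MV2 mixes match patterns into permissions.
    perms = list(manifest.get("host_permissions", [])) + [
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"
    ]
    reached = set()
    for p in perms:
        host = host_from_match_pattern(p)
        if host == "<all_urls>":
            findings.append("requests <all_urls>")
        elif host and any(host == h or host.endswith("." + h) for h in CONFERENCING_HOSTS):
            reached.add(host)
    extra = reached - set(declared_purpose_hosts)
    if extra:
        findings.append(f"conferencing hosts beyond stated purpose: {sorted(extra)}")
    if len(reached) >= 3:
        findings.append(f"reaches {len(reached)} conferencing platforms")
    return findings
```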
"This isn't consumer fraud, but a corporate espionage infrastructure," Koi Security specialists emphasize. "Users actually received the promised functionality, trusted the extensions, and rated them highly. And the surveillance was silent and undetected."
The collected data could be used for espionage, complex social engineering schemes, and large-scale identity spoofing operations. Researchers confirm the campaigns' connection to China with several indicators: the use of Alibaba Cloud servers, registrations in Chinese provinces, code fragments with Chinese comments, and scams targeting JD.com and Taobao.
Koi Security believes this is far from the end of the story. They say DarkSpectre may already have new extensions that appear completely legitimate—they are "building trust" and simply biding their time.