DarkSpectre Browser Extension Campaigns Exposed After Affecting 8.8 Million Users Worldwide

Cybersecurity researchers have uncovered a large-scale malicious browser extension operation that has affected more than 8.8 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox over a period exceeding seven years. The activity has been linked to a Chinese threat actor tracked by Koi Security under the name DarkSpectre.

The investigation connects two previously identified malicious campaigns, ShadyPanda and GhostPoster, to a third operation now referred to as DarkSpectre, which alone impacted approximately 2.2 million users. Together, these campaigns demonstrate a long-running and carefully coordinated effort to exploit browser extension ecosystems.

ShadyPanda and GhostPoster Campaigns

ShadyPanda was recently exposed as a cross-browser threat that enabled data theft, search hijacking, and affiliate fraud. According to researchers, the campaign affected around 5.6 million users, including 1.3 million newly identified victims linked to more than 100 browser extensions associated with the same infrastructure.

One notable example is an Edge extension titled “New Tab – Customized Dashboard”, which contained a logic bomb designed to activate malicious behavior only after three days. This delayed execution was intended to bypass security reviews by appearing harmless during the approval phase.

While nine of these extensions remain active, investigators also identified 85 dormant extensions described as “sleepers.” These add-ons initially function as legitimate tools to gain user trust before being weaponized through later updates, in some cases after remaining benign for over five years.

The GhostPoster campaign primarily targeted Firefox users by distributing seemingly useful utilities and VPN-related extensions. These tools delivered malicious JavaScript payloads capable of hijacking affiliate links, injecting tracking mechanisms, and conducting click and advertising fraud. Further analysis also revealed additional browser extensions, including an Opera add-on posing as Google Translate, which amassed close to one million installations.

The Zoom Stealer Campaign

The most recent campaign attributed to DarkSpectre is known as The Zoom Stealer. This operation used 18 browser extensions across Chrome, Edge, and Firefox to collect sensitive meeting-related intelligence. The stolen data included meeting URLs containing embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration details.

Identified Extensions

Google Chrome

  • Chrome Audio Capture (kfokdmfpdnokpmpbjhjbcabgligoelgp)
  • ZED: Zoom Easy Downloader (pdadlkbckhinonakkfkdaadceojbekep)
  • X (Twitter) Video Downloader (akmdionenlnfcipmdhbhcnkighafmdha)
  • Google Meet Auto Admit (pabkjoplheapcclldpknfpcepheldbga)
  • Zoom.us Always Show “Join From Web” (aedgpiecagcpmehhelbibfbgpfiafdkm)
  • Timer for Google Meet (dpdgjbnanmmlikideilnpfjjdbmneanf)
  • CVR: Chrome Video Recorder (kabbfhmcaaodobkfbnnehopcghicgffo)
  • GoToWebinar & GoToMeeting Download Recordings (cphibdhgbdoekmkkcbbaoogedpfibeme)
  • Meet auto admit (ceofheakaalaecnecdkdanhejojkpeai)
  • Google Meet Tweak (Emojis, Text, Cam Effects) (dakebdbeofhmlnmjlmhjdmmjmfohiicn)
  • Mute All on Meet (adjoknoacleghaejlggocbakidkoifle)
  • Google Meet Push-To-Talk (pgpidfocdapogajplhjofamgeboonmmj)
  • Photo Downloader for Facebook, Instagram, + (ifklcpoenaammhnoddgedlapnodfcjpn)
  • Zoomcoder Extension (ebhomdageggjbmomenipfbhcjamfkmbl)
  • Auto-join for Google Meet (ajfokipknlmjhcioemgnofkpmdnbaldi)

Microsoft Edge

  • Edge Audio Capture (mhjdjckeljinofckdibjiojbdpapoecj)

Mozilla Firefox

  • Twiter X Video Downloader ({7536027f-96fb-4762-9e02-fdfaedd3bfb5}, published by “invaliddejavu”)
  • x-video-downloader (xtwitterdownloader@benimaddonum.com, published by “invaliddejavu”)

Corporate Espionage Capabilities

Most of these extensions were crafted to impersonate productivity tools for enterprise video conferencing platforms such as Google Meet, Zoom, and GoTo Webinar. Once installed, they exfiltrated meeting links, credentials, and participant information in real time using WebSocket connections.

The extensions were also capable of harvesting detailed data from webinar registration pages, including speaker and host names, professional titles, biographies, profile images, company affiliations, logos, promotional materials, and session metadata.

Researchers found that the add-ons requested access to more than 28 video conferencing platforms, including Cisco WebEx, Microsoft Teams, Google Meet, Zoom, and GoTo Webinar, even when such access was unnecessary for their stated functionality.
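Two checks follow directly from the report: whether an installed extension's ID appears in the list above, and whether its manifest asks for access to far more conferencing platforms than its advertised purpose needs. The script below is an added example, not code from the report or from Koi Security; it walks a Chromium-style profile layout (`<Extensions>/<id>/<version>/manifest.json`), applies both checks, and is run here against two constructed manifests. The conferencing domains, the review threshold of three platforms, and the sample manifests are assumptions chosen for illustration; the extension IDs in `KNOWN_BAD_IDS` are the ones listed in the report.

```python
"""Audit installed browser extensions against the DarkSpectre / Zoom Stealer IoCs
and flag manifests whose host access spans several conferencing platforms."""
import json
from pathlib import Path
from typing import Iterator

# Extension IDs taken from the report's Chrome and Edge lists.
KNOWN_BAD_IDS = {
    "kfokdmfpdnokpmpbjhjbcabgligoelgp": "Chrome Audio Capture",
    "pdadlkbckhinonakkfkdaadceojbekep": "ZED: Zoom Easy Downloader",
    "akmdionenlnfcipmdhbhcnkighafmdha": "X (Twitter) Video Downloader",
    "pabkjoplheapcclldpknfpcepheldbga": "Google Meet Auto Admit",
    "aedgpiecagcpmehhelbibfbgpfiafdkm": 'Zoom.us Always Show "Join From Web"',
    "dpdgjbnanmmlikideilnpfjjdbmneanf": "Timer for Google Meet",
    "kabbfhmcaaodobkfbnnehopcghicgffo": "CVR: Chrome Video Recorder",
    "cphibdhgbdoekmkkcbbaoogedpfibeme": "GoToWebinar & GoToMeeting Download Recordings",
    "ceofheakaalaecnecdkdanhejojkpeai": "Meet auto admit",
    "dakebdbeofhmlnmjlmhjdmmjmfohiicn": "Google Meet Tweak (Emojis, Text, Cam Effects)",
    "adjoknoacleghaejlggocbakidkoifle": "Mute All on Meet",
    "pgpidfocdapogajplhjofamgeboonmmj": "Google Meet Push-To-Talk",
    "ifklcpoenaammhnoddgedlapnodfcjpn": "Photo Downloader for Facebook, Instagram, +",
    "ebhomdageggjbmomenipfbhcjamfkmbl": "Zoomcoder Extension",
    "ajfokipknlmjhcioemgnofkpmdnbaldi": "Auto-join for Google Meet",
    "mhjdjckeljinofckdibjiojbdpapoecj": "Edge Audio Capture",
}

# Platforms named in the report; the domain strings are assumptions for illustration.
CONFERENCING_HOSTS = (
    "meet.google.com", "zoom.us", "gotowebinar.com", "gotomeeting.com",
    "webex.com", "teams.microsoft.com",
)
# Match patterns that grant access to every site, conferencing platforms included.
BROAD_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def requested_hosts(manifest: dict) -> list[str]:
    """Collect every URL match pattern the extension asks for (MV2 and MV3 layouts)."""
    patterns = list(manifest.get("host_permissions", []))
    patterns += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns


def covered_conferencing_hosts(patterns: list[str]) -> set[str]:
    """Return the watched conferencing domains that fall under the requested patterns.
    Substring matching is deliberately simple: it is a triage heuristic, not a full
    match-pattern parser."""
    covered: set[str] = set()
    for pattern in patterns:
        if pattern in BROAD_PATTERNS:
            return set(CONFERENCING_HOSTS)
        covered.update(host for host in CONFERENCING_HOSTS if host in pattern)
    return covered


def assess(ext_id: str, manifest: dict, threshold: int = 3) -> list[str]:
    """Findings for one extension; an empty list means nothing notable."""
    findings = []
    if ext_id in KNOWN_BAD_IDS:
        findings.append(f"ID matches reported extension '{KNOWN_BAD_IDS[ext_id]}'")
    covered = covered_conferencing_hosts(requested_hosts(manifest))
    if len(covered) >= threshold:
        findings.append(f"'{manifest.get('name', '?')}' can read {len(covered)} "
                        f"conferencing platforms: {', '.join(sorted(covered))}")
    return findings


def scan_extensions_dir(root: Path) -> Iterator[tuple[str, dict]]:
    """Yield (extension id, manifest) for <root>/<id>/<version>/manifest.json."""
    for id_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if manifest_path.is_file():
                with manifest_path.open(encoding="utf-8") as fh:
                    yield id_dir.name, json.load(fh)


def audit(root: Path) -> dict[str, list[str]]:
    """Map extension id -> findings for every extension under root that has any."""
    return {ext_id: f for ext_id, m in scan_extensions_dir(root) if (f := assess(ext_id, m))}


# Constructed sample manifests (not real extension code): a benign timer that only
# touches Meet, and one carrying a reported ID that reaches into four platforms.
SAMPLE_MANIFESTS = {
    "aaaabbbbccccddddeeeeffffgggghhhh": {  # constructed benign ID
        "manifest_version": 3, "name": "Honest Meet Timer",
        "host_permissions": ["https://meet.google.com/*"],
    },
    "dpdgjbnanmmlikideilnpfjjdbmneanf": {  # ID from the report's Chrome list
        "manifest_version": 3, "name": "Timer for Google Meet",
        "host_permissions": ["https://meet.google.com/*", "https://*.zoom.us/*",
                             "https://*.webex.com/*"],
        "content_scripts": [{"matches": ["https://*.gotowebinar.com/*"], "js": ["content.js"]}],
    },
}


def build_sample_profile(root: Path) -> None:
    """Write the constructed manifests in the on-disk layout scan_extensions_dir expects."""
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        version_dir = root / ext_id / "1.0.0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # point at a real profile's Extensions dir instead
        build_sample_profile(Path(tmp))
        for ext_id, findings in audit(Path(tmp)).items():
            print(ext_id)
            for finding in findings:
                print("  -", finding)
```

Point `audit()` at a real profile's `Extensions` directory to run it for real. The ID match is the only hard indicator; the platform-count finding is a triage signal for the over-permissioning the researchers describe, and a legitimate multi-platform tool will trip it too, so treat it as a prompt to read the manifest rather than a verdict.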

“This is not consumer-level fraud, this is infrastructure designed for corporate espionage,” said researchers Tuval Admoni and Gal Hachamov. They emphasized that users received the promised functionality, while covert surveillance continued unnoticed in the background.

Attribution and Risk Assessment

Koi Security noted that the stolen information could be monetized through underground markets, or used to support social engineering, impersonation, and targeted corporate espionage campaigns.

The suspected Chinese origin of DarkSpectre is supported by multiple indicators, including command-and-control servers hosted on Alibaba Cloud, ICP registrations tied to Chinese provinces such as Hubei, source code containing Chinese-language comments, and fraud operations aimed at Chinese e-commerce platforms like JD.com and Taobao.

According to Koi, additional extensions may still be in circulation and currently appear legitimate, serving only to build trust and grow user bases before being activated for malicious purposes.
