Researchers Say DarkSpectre Browser-Extension Campaigns Harvest Meeting Data, Impact Millions
Security researchers have linked three malicious browser-extension campaigns — ShadyPanda, GhostPoster and a newly disclosed cluster called DarkSpectre — to a threat actor they assess is Chinese, and say the activity has affected more than 8.8 million users over seven years. DarkSpectre alone has impacted about 2.2 million users of Google Chrome, Microsoft Edge and Mozilla Firefox.
ShadyPanda was found to affect about 5.6 million users and includes over 100 extensions tied to the same cluster, "including 1.3 newly identified victims." Some add-ons were weaponized long after they gained users: one Edge add-on named "New Tab - Customized Dashboard" contains a logic bomb that waits three days before activating, and researchers identified nine currently active malicious extensions plus 85 "dormant sleepers" that appear benign until a malicious update is pushed.
GhostPoster primarily targeted Firefox users by distributing utilities and VPN tools that delivered malicious JavaScript to hijack affiliate links, inject tracking code and run click and ad fraud. Investigators also found other compromised add-ons, including an Opera Google Translate extension with nearly one million installs.
The newest cluster, dubbed The Zoom Stealer, uses 18 extensions across Chrome, Edge and Firefox to collect corporate meeting intelligence in real time.