A newly identified Chinese threat group tracked as DarkSpectre has been linked to one of the most widespread browser-extension malware operations documented to date, compromising more than 8.8 million users over roughly seven years, according to a report cited by Cyber Press.
Research conducted by Koi.ai found that DarkSpectre operates three interconnected malware campaigns, named ShadyPanda, GhostPoster, and a newly identified campaign called The Zoom Stealer. Together, they form a single, coordinated operation targeting users of Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera.
The ShadyPanda campaign, which accounts for 5.6 million infections, focuses on long-term user surveillance and e-commerce affiliate fraud. The malicious extensions often looked legitimate for years, presenting themselves as new-tab pages or translation tools.
Once installed, the extensions quietly fetched configuration from command-and-control servers, including jt2x.com and infinitynewtab.com. When a malicious configuration arrived, they injected remotely hosted scripts, hijacked search results, and monitored users' browsing activity. Because the behaviour is driven by server-side configuration rather than code shipped in the package, a static review of the published extension can look clean.
The second campaign, GhostPoster, spread mainly through Firefox and Opera extensions, which hid malicious JavaScript payloads inside PNG image assets using steganography.
The extensions stayed dormant for several days, a delay long enough to outlast typical store review and short sandbox analysis, then extracted and executed the hidden code, giving the operators stealthy remote code execution inside the browser. GhostPoster has affected more than one million users and delivered its payloads from domains such as gmzdaily.com and mitarchive.info.
The most recent campaign, known as The Zoom Stealer, exposed about 2.2 million users to corporate espionage risks. These extensions posed as productivity tools or video downloaders while secretly collecting corporate meeting links, login credentials, and speaker profiles.
The data was harvested from more than 28 video conferencing platforms, including Zoom, Microsoft Teams, and Google Meet.
According to the research, the extensions used real-time WebSocket connections to send the stolen data to Firebase databases, including zoocorder.firebaseio.com, and to Google Cloud Functions endpoints such as webinarstvus.cloudfunctions.net. Because both services run on Google-owned infrastructure, the traffic blends into ordinary cloud usage, so blocking has to target the specific tenant hostnames rather than the parent domains.