DarkSpectre Browser Extension Campaigns Exposed After Impacting 8.8 Million Users Worldwide


The DarkSpectre browser extension campaign has affected a total of 2.2 million users across Google Chrome, Microsoft Edge, and Mozilla Firefox. This campaign is linked to the threat actor behind the ShadyPanda and GhostPoster malicious browser extension campaigns. Koi Security has been tracking this Chinese threat actor under the name DarkSpectre and has found that the campaigns collectively impacted over 8.8 million users over a period of more than seven years.

ShadyPanda, one of the campaigns, targeted users of all three browsers for data theft, search query hijacking, and affiliate fraud. It has affected 5.6 million users, including newly identified victims from over 100 extensions associated with the same cluster. The campaign included an Edge add-on called “New Tab – Customized Dashboard” with a logic bomb that activates its malicious behavior only after a three-day delay, so that store reviewers testing the extension see nothing suspicious.

The GhostPoster campaign primarily targeted Firefox users with seemingly harmless utilities and VPN tools that injected malicious JavaScript code for affiliate link hijacking and ad fraud. Investigating this activity led to the discovery of more browser add-ons, including a Google Translate extension for Opera with nearly one million installs.


The third campaign, The Zoom Stealer, involved 18 extensions across Chrome, Edge, and Firefox designed to collect corporate meeting intelligence. These extensions harvested meeting-related data such as URLs, meeting IDs, topics, descriptions, and more. They mimicked helper tools for video conferencing applications in order to exfiltrate meeting links and credentials in real time.

The extensions requested access to over 28 video conferencing platforms, including Cisco WebEx, Microsoft Teams, and Zoom, regardless of what their stated function actually required. Researchers noted that this operation represents corporate espionage infrastructure, with the potential to sell data to bad actors and to support social engineering and impersonation operations.
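Two of the behaviors described above, overbroad host permissions spanning many conferencing services and a delayed "logic bomb" activation, can be surfaced by a simple static triage of an unpacked extension before it is allowed into a fleet. The script below is an added example written for this article, not code from Koi Security or from any DarkSpectre extension; the sample manifest and background script are constructed here, the conferencing domain list is a short illustrative subset rather than the 28 platforms from the report, and the registered-domain and delay-constant heuristics are deliberately simple.

```python
"""Static triage of an unpacked browser extension for two red flags:
  1. host permissions that cover several video-conferencing services, and
  2. millisecond delay constants of a day or more (time-gated activation).
Added example; the extension files below are constructed for illustration."""
import json
import re
from urllib.parse import urlparse

# Constructed sample: a manifest v3 extension plus its background script.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 3,
        "name": "Meeting Helper (constructed sample)",
        "permissions": ["storage", "tabs"],
        "host_permissions": [
            "https://*.zoom.us/*",
            "https://*.webex.com/*",
            "https://teams.microsoft.com/*",
            "https://meet.google.com/*",
            "https://*.gotomeeting.com/*",
        ],
    }),
    "background.js": (
        "chrome.storage.local.get('installedAt', (r) => {\n"
        "  const THREE_DAYS = 3 * 24 * 60 * 60 * 1000;\n"
        "  if (Date.now() - r.installedAt > THREE_DAYS) { loadRemotePayload(); }\n"
        "});\n"
    ),
}

# Illustrative subset of conferencing domains (assumption; extend for real use).
CONFERENCING_DOMAINS = {"zoom.us", "webex.com", "microsoft.com", "google.com", "gotomeeting.com"}
ONE_DAY_MS = 24 * 60 * 60 * 1000


def _registered_domain(pattern: str) -> str:
    """Reduce a match pattern such as https://*.zoom.us/* to zoom.us.
    Taking the last two labels is a simplification; production tooling
    should use the public suffix list."""
    host = urlparse(pattern.replace("*.", "")).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def conferencing_domains(manifest: dict) -> list:
    """Distinct conferencing services the manifest asks to read.
    MV2 lists host patterns under 'permissions', MV3 under 'host_permissions'."""
    patterns = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    if "<all_urls>" in patterns:          # blanket access covers every service
        return sorted(CONFERENCING_DOMAINS)
    found = {_registered_domain(p) for p in patterns if "://" in p}
    return sorted(found & CONFERENCING_DOMAINS)


_PRODUCT = re.compile(r"\b\d+(?:\s*\*\s*\d+)+\b")   # e.g. 3 * 24 * 60 * 60 * 1000
_LITERAL = re.compile(r"\b\d{8,}\b")                # e.g. 259200000


def delay_constants_ms(source: str) -> list:
    """Millisecond constants of at least one day found in a script, whether
    written as a product of factors or as a single large literal."""
    values = []
    for m in _PRODUCT.finditer(source):
        product = 1
        for factor in m.group(0).split("*"):
            product *= int(factor)
        values.append(product)
    for m in _LITERAL.finditer(source):
        values.append(int(m.group(0)))
    return sorted(v for v in values if v >= ONE_DAY_MS)


def triage(files: dict) -> dict:
    """Run both checks over an unpacked extension given as {path: contents}."""
    manifest = json.loads(files["manifest.json"])
    domains = conferencing_domains(manifest)
    delays = []
    for path, text in files.items():
        if path.endswith(".js"):
            delays.extend(delay_constants_ms(text))
    flags = []
    if len(domains) >= 3:
        flags.append(f"reads {len(domains)} conferencing services: {', '.join(domains)}")
    if delays:
        flags.append(f"time-gated logic: longest delay {max(delays) // ONE_DAY_MS} day(s)")
    return {"name": manifest.get("name"), "conferencing_domains": domains,
            "delays_ms": delays, "flags": flags}


if __name__ == "__main__":
    for flag in triage(SAMPLE_EXTENSION)["flags"]:
        print("FLAG:", flag)
```

Both checks are heuristics rather than proof of malice: a genuine meeting scheduler may legitimately need several conferencing domains, and a day-scale constant may be a cache lifetime. Their value is as a triage filter that sends an extension for manual review, and as a reminder that the behavior an extension shows during the first days after install is not the behavior it will necessarily keep.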

The operation’s Chinese links were identified through various clues, including the use of Alibaba Cloud for command-and-control servers, Chinese-language artifacts in the code, and fraud schemes targeting Chinese e-commerce platforms. Koi Security warned that DarkSpectre likely has more legitimate-looking extensions in place as part of a trust-building phase to accumulate users before malicious activities are initiated.