Security researchers have uncovered a massive, sophisticated browser extension malware campaign that has infected 8.8 million users worldwide across multiple web browsers. The operation — attributed to a China-linked threat actor tracked as DarkSpectre — is not a single incident but a collection of three distinct but interconnected malicious campaigns that have operated stealthily for more than seven years by abusing trusted browser extension marketplaces to distribute malware and harvest sensitive data.

According to a new analysis by Koi Security, DarkSpectre’s campaigns — ShadyPanda, GhostPoster, and The Zoom Stealer — have used deceptive extensions for Chrome, Microsoft Edge, Firefox, and Opera to conduct data theft, search hijacking, affiliate fraud, and even corporate espionage by collecting confidential online meeting information.

This discovery highlights a recurring risk in the extension ecosystem: add-ons that ship as legitimate tools, earn installs and reviews, and only later turn malicious, whether through a built-in delay of several days or through a silent update pushed long after the extension has built a reputation, so the change arrives when users have no reason to suspect it.

DarkSpectre’s Scope — An Expanded Threat Ecosystem

Koi Security's figures put the cumulative reach of the three campaigns at over 8.8 million users worldwide, with 2.2 million of those tied to the most recently exposed component, the Zoom Stealer.

ShadyPanda

This long-running operation is the core of what analysts now call the DarkSpectre ecosystem. It focuses on:

  • Data theft — collecting browsing data, cookies, and search queries.
  • Affiliate fraud — injecting affiliate codes to siphon commissions from user clicks on major retail sites.

Over 100 extensions were flagged across Chrome, Edge, Firefox, and Opera, with millions of installs between them. Some carried logic bombs that waited days after installation before activating the malicious payload, long enough to clear store review and for the extension to accumulate users and ratings before anything suspicious could be observed.

ShadyPanda's tactics are the classic long game: seemingly benign extensions are published to the official stores, allowed to gain traction, and then weaponized later through silent updates that the browser installs automatically.

GhostPoster

Primarily targeting Mozilla Firefox users, this campaign relies on:

  • Browser add-ons disguised as VPN tools, screenshot utilities, ad blockers, and similar utilities.
  • Embedded malicious JavaScript that injects tracking scripts, hijacks affiliate links, and commits click and ad fraud.

These add-ons collectively garnered hundreds of thousands of downloads before removal (The Hacker News).

GhostPoster’s approach blends social engineering with technical skill, using familiar extension categories (like VPNs or ad blockers) to lure users while secretly executing malicious behavior.

The Zoom Stealer: Corporate Espionage at Scale

Perhaps the most alarming component is the recently identified Zoom Stealer campaign — a cluster of 18 browser extensions that harvest sensitive corporate meeting intelligence from users’ browsers.

Unlike typical adware or affiliate fraud campaigns, The Zoom Stealer:

  • Requests access to over 28 video conferencing platforms, including Zoom, Microsoft Teams, Google Meet, Cisco WebEx, GoTo Webinar, and others.
  • Collects meeting URLs, embedded passwords, meeting IDs, topics, descriptions, scheduled times, and registration statuses.
  • Gathers detailed participant information, such as speaker names, titles, company affiliations, and even promotional graphics.
  • Exfiltrates this data in real time using WebSocket connections to remote servers.

What makes Zoom Stealer especially dangerous is its ability to harvest corporate intelligence — not just personal browsing data — potentially feeding espionage, targeted phishing, impersonation attacks, or competitive intelligence collection.

How the Campaigns Gain Trust

Perhaps the most clever aspect of DarkSpectre’s approach is how it builds legitimacy:

  • Extensions do what they advertise (productivity tools, converters, video downloaders, and so on) and only later deliver malicious behavior.
  • Many include delayed activation logic (a “logic bomb”) that waits several days after installation before running the hidden code, which both raises the odds of passing store review and lets the extension earn the user's trust first.
  • The malware then exfiltrates data quietly in the background while the extension keeps working normally from the user's perspective.

This dual nature — useful tool and silent threat — makes DarkSpectre’s extensions particularly insidious and harder to detect with conventional defenses.

A Global Problem — Affected Platforms & Users

DarkSpectre’s reach spans across the major browser ecosystems:

  • Google Chrome – Numerous malicious add-ons distributed via the Chrome Web Store.
  • Microsoft Edge – Extensions targeting Edge users with a similar mix of utility and malicious behavior.
  • Mozilla Firefox – The GhostPoster campaign dominates here with dozens of malicious add-ons.
  • Opera – At least one high-install extension linked to the campaigns was found on Opera’s store.

Victims are not limited to individual users. The Zoom Stealer cluster shows the same actor going after corporate users, whose meeting links, passwords, and attendee lists are worth far more to an attacker than a consumer's browsing history.

The Risks of Browser Extension Malware

Malicious browser extensions can inflict many forms of damage, including:

Privacy Invasion

Extensions can gain deep access to browsing history, search queries, cookies, and form data — exposing sensitive personal or business information.

Search and Traffic Hijacking

By intercepting or redirecting traffic, malicious add-ons can reroute search queries to fraudulent sites or inject ads, generating illicit revenue for attackers.

Corporate Espionage

Extensions like the Zoom Stealer scrape meeting links and any embedded passwords, topics and descriptions, schedules, and participant details. With that data an attacker can join or listen in on meetings they were never invited to, craft convincing phishing aimed at specific attendees, or simply map who in a company is talking to whom and about what.

Credential and Session Theft

Malware can also capture session tokens or credentials stored in the browser, granting unauthorized access to accounts. An extension holding the cookies permission, or one that injects scripts into pages, can read session cookies and form contents directly, and a stolen session cookie lets an attacker replay a logged-in session from another machine without ever touching the password.

Affiliate and Ad Fraud

By altering link behavior or injecting hidden tracking scripts, attackers can profit from redirects or false affiliate clicks without users’ knowledge.

Attribution: A China-Linked Actor

Multiple lines of evidence point to DarkSpectre being a well-organized, probable Chinese threat group, including:

  • Command-and-control (C2) infrastructure hosted on Alibaba Cloud.
  • Internet Content Provider (ICP) registrations linked to Chinese provinces such as Hubei.
  • Code artifacts containing Chinese-language strings and comments.
  • Fraud efforts tailored for Chinese e-commerce platforms like JD.com and Taobao.

While attribution in cyberspace is inherently complex, these correlations — along with consistent infrastructure reuse and developer patterns — support assessments that the actor has significant ties to Chinese cloud and dev ecosystems.

How Users and Organizations Can Defend Themselves

Given the scale and stealth of these campaigns, users and IT teams should adopt proactive security measures:

Vet Browser Extensions Carefully

Only install extensions from trusted developers with transparent code and clear privacy policies, and be skeptical of tools that request permissions broader than their stated purpose. Install counts and star ratings are not evidence of safety in this case: DarkSpectre's extensions earned both before they turned malicious.

Limit Permissions

Regularly review installed extensions and remove those requesting access to sensitive data or browser activity that doesn't match their core purpose; an image converter has no business on your conferencing domains. In managed environments, enforce this with browser policy rather than user discipline: Chrome and Edge support an install allowlist (ExtensionInstallAllowlist, with ExtensionInstallBlocklist set to “*”), and the ExtensionSettings policy can deny specific permissions to an extension (blocked_permissions) and block its access to chosen hosts (runtime_blocked_hosts).

Use Security Tools

Endpoint protection platforms and browser management tools can inventory the extensions installed across a fleet and alert on new installs, on permission changes introduced by an update, and on unusual outbound connections from the browser, such as the WebSocket exfiltration used by the Zoom Stealer.

Keep Software Updated

Ensure that browsers and security solutions are routinely updated to close known browser vulnerabilities. One caveat: in these campaigns the extension auto-update channel was the delivery mechanism, so a fully patched browser still runs whatever the next extension update brings. Browser updates protect the browser; they do not vet the extensions running inside it.

Educate Users and Employees

Train users to understand the risks of installing browser extensions and how to spot suspicious behavior — especially when browsing work-related or corporate sites.

Final Thoughts: Trust Exploited, Users at Risk

The DarkSpectre browser extension campaigns represent one of the longest-running and most impactful malicious extension operations uncovered to date. By blending legitimate utility with covert malicious capabilities, these extensions have earned deep trust from users only to betray it later, harvesting sensitive data and facilitating espionage and fraud across millions of devices.

As browser extensions continue to be a critical part of the web ecosystem — providing added functionality and convenience — this incident underscores the urgent need for stronger vetting processes, better permission transparency, and improved threat detection mechanisms on extension marketplaces.

Staying informed, vigilant, and security-minded can help users and organizations mitigate the risk posed by similar threats in the future.