Malicious browser extensions tied to DarkSpectre affect millions worldwide
Farah Amod
January 24, 2026
Researchers say long-running extension campaigns quietly collected user and corporate data across major browsers.
What happened
According to The Hacker News, researchers disclosed that a threat actor tracked as DarkSpectre has operated multiple malicious browser extension campaigns that collectively impacted more than 8.8 million users over several years. The activity spans Google Chrome, Microsoft Edge, and Mozilla Firefox, and includes three related campaigns known as ShadyPanda, GhostPoster, and a newer operation researchers call Zoom Stealer. The extensions were distributed through official browser stores and appeared to function as advertised while covertly collecting data.
Going deeper
ShadyPanda was the largest of the campaigns, affecting millions of users through extensions that hijacked search queries, enabled affiliate fraud, and siphoned browsing data. Some extensions included delayed activation logic that let them pass store review before the malicious features were switched on. GhostPoster focused primarily on Firefox users and relied on benign-looking utilities and VPN tools that injected JavaScript to manipulate affiliate traffic and advertising flows. The most recent activity, Zoom Stealer, targeted enterprise users by harvesting online meeting information such as URLs, meeting IDs, embedded passwords, host details, and session metadata. Researchers found that many of the extensions requested access to video-conferencing platforms whether or not their advertised function needed it, and transmitted the collected data over persistent WebSocket connections.
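The over-reach described above (meeting-platform access that an extension's advertised purpose does not need, traffic-level APIs, and permissions that appear only after an update) is something a defender can check from the manifest alone, before any of the extension's JavaScript runs. The following is an added example, not code from the article or from the researchers it cites. It runs under Node.js; the sample manifests are constructed for illustration, and the list of meeting hosts is an assumption chosen for the example rather than a list taken from the reports.

```javascript
// Added example (not from the article or the researchers it cites): audit
// extension manifests for permissions that over-reach the stated purpose,
// and flag the permission escalation an update can introduce.
// Run with: node extension_audit.js
//
// Assumption: meeting hosts chosen for illustration; extend for your estate.
const MEETING_HOSTS = ["zoom.us", "teams.microsoft.com", "meet.google.com", "webex.com"];

// APIs that let an extension read or rewrite pages and traffic across tabs.
const SENSITIVE_APIS = new Set([
  "tabs", "scripting", "webRequest", "webRequestBlocking",
  "declarativeNetRequest", "webNavigation", "cookies", "history",
]);

// Host part of a match pattern: "*://*.zoom.us/*" -> "*.zoom.us";
// "<all_urls>" and "file://" patterns count as unrestricted ("*").
// Returns null for API permissions such as "storage".
function patternHost(pattern) {
  if (pattern === "<all_urls>" || pattern.startsWith("file://")) return "*";
  const m = /^[a-z*]+:\/\/([^/]+)/i.exec(pattern);
  return m ? m[1] : null;
}

// Every match pattern that grants page access: MV2 mixes them into
// "permissions", MV3 uses "host_permissions", and content_scripts matches
// grant the injected script access regardless of the other two.
function hostPatterns(manifest) {
  const all = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const cs of manifest.content_scripts || []) all.push(...(cs.matches || []));
  return [...new Set(all.filter((p) => patternHost(p) !== null))];
}

function apiPermissions(manifest) {
  return (manifest.permissions || []).filter((p) => patternHost(p) === null);
}

function isBroadPattern(pattern) {
  return patternHost(pattern) === "*";
}

// True when the pattern's host covers a meeting platform, including a
// wildcard parent such as "*://*.microsoft.com/*" that covers Teams.
function coversMeetingHost(pattern) {
  const host = patternHost(pattern);
  if (host === null) return false;
  if (host === "*") return true;
  const bare = host.replace(/^\*\./, "").toLowerCase();
  return MEETING_HOSTS.some((h) => bare === h || bare.endsWith("." + h) || h.endsWith("." + bare));
}

// Returns a list of { rule, detail } findings for one manifest.
function auditManifest(manifest) {
  const findings = [];
  const hosts = hostPatterns(manifest);
  const broad = hosts.filter(isBroadPattern);
  if (broad.length) findings.push({ rule: "broad-host-access", detail: broad });
  const meeting = hosts.filter((p) => !isBroadPattern(p) && coversMeetingHost(p));
  if (meeting.length) findings.push({ rule: "meeting-platform-access", detail: meeting });
  const apis = apiPermissions(manifest).filter((p) => SENSITIVE_APIS.has(p));
  if (apis.length) findings.push({ rule: "sensitive-api", detail: apis });
  return findings;
}

// What a new version asks for that the previous one did not. A wallpaper or
// new-tab tool rarely needs new host access in a point release.
function diffManifests(before, after) {
  const oldHosts = new Set(hostPatterns(before));
  const oldApis = new Set(apiPermissions(before));
  return {
    addedHosts: hostPatterns(after).filter((p) => !oldHosts.has(p)),
    addedApis: apiPermissions(after).filter((p) => !oldApis.has(p)),
  };
}

// Constructed sample: a "wallpaper" extension as first published (v1) and
// after a repurposing update (v2). Not a real extension.
const WALLPAPER_V1 = {
  manifest_version: 3, name: "Daily Wallpapers", version: "1.0",
  permissions: ["storage"],
};
const WALLPAPER_V2 = {
  manifest_version: 3, name: "Daily Wallpapers", version: "2.3",
  permissions: ["storage", "tabs", "scripting", "webRequest"],
  host_permissions: ["*://*.zoom.us/*", "*://teams.microsoft.com/*", "*://*.webex.com/*"],
  content_scripts: [{ matches: ["https://meet.google.com/*"], js: ["inject.js"] }],
};

console.log("v1 findings:", JSON.stringify(auditManifest(WALLPAPER_V1)));
console.log("v2 findings:", JSON.stringify(auditManifest(WALLPAPER_V2), null, 2));
console.log("added in update:", JSON.stringify(diffManifests(WALLPAPER_V1, WALLPAPER_V2), null, 2));
```

A manifest audit is a first filter, not a verdict: delayed activation logic and WebSocket exfiltration live in the extension's JavaScript and in its network behaviour, which the manifest does not show. Pair this check with a review of the code for remotely fetched or obfuscated scripts and with egress monitoring from the browser process, and treat any update that adds host access as a reason to re-review rather than auto-approve.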
What was said
Researchers said the extensions built trust over time by delivering the expected features, accumulating users, and collecting positive reviews before being repurposed through updates. They described the Zoom Stealer campaign as focused on systematic collection of meeting intelligence rather than consumer fraud, and noted that the data could be used for impersonation, social engineering, or resale to other actors. Indicators linking the activity to China included hosting patterns, infrastructure registrations, code artifacts, and targeting of Chinese e-commerce platforms.
In the know
Separate reporting from The Register indicates that ShadyPanda has been running long-term browser supply-chain attacks since at least 2018 by abusing trust in official extension marketplaces. Instead of relying on phishing or software exploits, the group published benign-looking Chrome and Edge extensions such as wallpapers, utilities, and new-tab tools, then spent years building installs, positive reviews, and a trusted reputation. Once widely adopted, the extensions were quietly modified through updates to add spyware and remote-access backdoors. The Register reported that more than 4.3 million users were affected across Google Chrome and Microsoft Edge, showing how browser extensions can become a stealthy entry point for large-scale data collection without triggering traditional security warnings.
The big picture
In a recent related report, ‘Two Chrome Extensions Caught Stealing ChatGPT and DeepSeek Chats from 900,000 Users,’ investigators described how seemingly legitimate browser add-ons were quietly capturing sensitive AI conversations and browsing activity at scale. The extensions were marketed as analytics or productivity tools but embedded libraries that monitored user interactions and transmitted data off-platform. Researcher John Tuckner said the case signals a turning point in how extensions are being abused. “It is clear prompt poaching has arrived to capture your most sensitive conversations and browser extensions are the exploit vector,” he said. Tuckner warned that the behavior raises questions about whether such extensions comply with browser store rules that restrict extensions to a single purpose and prohibit dynamic code loading. He added that monetization pressures are likely to accelerate the trend, noting that “more firms will begin to realize these insights are profitable,” and that extension developers may add more sophisticated third-party libraries to extract data under the guise of legitimate features.
FAQs
Why are browser extensions attractive to threat actors?
Extensions can access browsing activity, page content, and web application data, often with minimal ongoing scrutiny once installed.
How did these extensions avoid early detection?
Many behaved normally at first, gained users, and only introduced malicious logic later through updates or delayed triggers.
Why is meeting data valuable to attackers?
Meeting links, participant lists, and session details can support impersonation, targeted phishing, or intelligence gathering.
Do official browser stores prevent this type of abuse?
Stores perform reviews, but delayed activation and post-approval updates can allow malicious behavior to slip through.
What can users and organizations do to reduce risk?
They can restrict extension installation to an approved allowlist through managed browser policy, review the permissions each extension requests (especially broad host access and access to sites unrelated to its purpose), re-check those permissions after updates, audit installed add-ons on a schedule, and remove tools that are no longer needed.